Canada’s privacy watchdog is calling on the federal government to lift a “veil of secrecy” from 13-year-old privacy legislation, to force companies to publicly report when they release personal data.

Jennifer Stoddart said Thursday that organizations are not required to report the release of private information, whether it’s through a data breach or a request from police or government officials.

“The current situation is, to my mind, unacceptable,” she said. “Those that do not report (data breaches) may escape with no negative effects on their reputation or their bottom line, unless of course they are found out.”

Stoddart has released a report recommending several amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), the privacy legislation enacted in 2000 that governs Ontario and most of Canada.

Among other things, she demanded that companies be required by law to report security breaches. In 2011, only 64 data breaches were voluntarily reported to her office by private companies.

Stoddart said she believes many are going unreported and wants the power to impose hefty fines or sanctions. Currently, she has no enforcement powers beyond publicly naming guilty organizations.

New Democrat MP and privacy critic Charlie Angus revealed last month that the federal government had failed to report thousands of data breaches in the past decade. Only 13 per cent of 3,143 data breaches were reported to Stoddart.

Stoddart is also calling for companies to report when they release personal data to government or police officials without a warrant — a practice she called an “extraordinary and potentially very chilling exception to our privacy protection.”

Currently, officials can request data, including Internet Service Provider details, telephone numbers and email addresses, from nearly any Canadian company without a warrant if the person is under a criminal investigation.

Companies have the right to refuse, and some Canadian ISPs have entered agreements to hand over subscriber data only in child exploitation cases.

But because there is no requirement to report when they do disclose data, no one knows how often it is happening. Privacy lawyer Tamir Israel estimates hundreds of thousands of disclosures are made every year.

Ironically, it is the innocent who are least likely to learn they were ever the objects of surveillance, he said. “If nothing criminal is uncovered, there is no obligation to notify the person whose information was acquired.”

Loading... Loading... Loading... Loading... Loading... Loading...

Meanwhile Bill C-475, a NDP private members’ bill to create mandatory data breach reporting, was debated Thursday evening. It is merely the latest attempt to amend the privacy act, Bill C-12, which has languished since 2011.

“The ball is in the government’s court,” said Stoddart, whose mandate expires in December after a decade on the job. “Unfortunately, there isn’t much interest in these suggestions. PIPEDA is long overdue for reform.”