Canada’s private sector privacy legislation, which was enacted in the year 2000 and was fully in force by 2004, is known as the Personal Information Protection and Electronic Documents Act (“PIPEDA“).
Under PIPEDA, the portion of the statute that addresses privacy and personal information (i.e. Part 1) requires a parliamentary review every five years.
In May 2007, the Canadian House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (the “Committee“) tabled in the House of Commons the first parliamentary review of PIPEDA.
Despite the statutory requirement that a review take place every five years, there has not been a parliamentary review of Part 1 of PIPEDA since 2007.
In November 2016, the Committee adopted a motion to undertake a review of PIPEDA. Between February 2017 and February 2018, the Committee held 16 public meetings as part of its PIPEDA review. The Committee heard from 68 witnesses and received 12 written submission. In addition, the Committee considered recent studies and reports from the Office of the Privacy Commissioner of Canada (“OPC”), and the Privacy Commissioner of Canada (the “Privacy Commissioner“), Daniel Therrien, met with the Committee in February 2017, and, again, in February 2018.
On February 28, 2018, following the completion of its review of PIPEDA, the Committee released a report titled “Towards Privacy By Design: Review of the Personal Information Protection and Electronic Documents Act” (the “Report”), and, in the Report, set out 19 recommendations for the House of Commons and the Government of Canada to consider.
Recommendations No. 1 to No. 10 pertain to meaningful consent under the PIPEDA regime.
Recommendations No. 11 to No. 14 pertain to online reputation and respect for privacy.
Recommendations No. 15 to No. 16 pertain to the enforcement powers of the Privacy Commissioner.
Recommendations No. 17 to No. 19 pertain to the adequacy of PIPEDA under the Europe Union (“EU”)’s General Data Protection Regulation (“GDPR”).
Meaningful Consent under the PIPEDA Regime
In the Committee’s opinion, while consent should remain the core element of Canada’s privacy regime, when possible or necessary, consent should be enhanced and clarified by additional means (Recommendation No. 1). As part of its review, the Committee considered the OPC’s recent study on consent. The OPC’s findings and recommendations are set out in its 2016-2017 annual report, which was released in September 2017.
The Committee has recommended that opt-in consent be set as a default under Canadian privacy law for any use of personal information for secondary purposes, and that the Government of Canada consider implementing a default opt-in system regardless of purpose so opt-in consent would be required for primary purposes as well (Recommendation No. 2).
With the increase in the use of algorithms to analyse personal information and make decisions that may have prejudicial or discriminatory effects, the Committee has recommended that the Government of Canada consider implementing measures to improve algorithmic transparency so Canadians know how decisions that personally effect them are being made (Recommendation No. 3).
While the ability of individuals to revoke consent plays an important role in a consent-based privacy model, the Committee acknowledged that implementing revocations can be challenging for some organizations, depending on how personal information is being collected, used or disclosed. The Committee has recommended that the issue of revocation of consent be studied by the Government of Canada so it can clarify the form(s) of revocation required under Canadian law as well as the legal and practical implications (Recommendation No. 4).
Under Canada’s Regulations Specifying Publicly Available Information (the “Regulations“), which came into force in 2001, certain types of information and formats are exempt from the requirement for consent. In the Committee’s opinion, the Regulations need to be modernized, and the Committee has recommended that, in addition to making the Regulations technology-neural, the Government of Canada take into consideration situations where individuals post personal information on public websites (Recommendation No. 5).
The Committee examined existing concerns regarding the acceptable use of personal information to satisfy legitimate business interests, and the Committee has recommended that the Government of Canada consider amending PIPEDA so it is clear under what terms personal information can be used to satisfy legitimate business interests (Recommendation No. 6).
In regards to depersonalized data, the Committee has called on the Government of Canada to examine the best ways of protecting it (Recommendation No. 7). The Committee is of the view that it is premature to recommend a particular approach without further study into depersonalization and the associated risks.
Under PIPEDA, organizations can disclose personal information without consent to other organizations in certain circumstances, including situations involving investigations or fraud. Given that “fraud” is not the only kind of financial crime in Canada, the Committee has recommended that the term “fraud” under PIPEDA be replaced by a new defined term of “financial crime” and that the term include (i) fraud; (ii) criminal activity and any predicate offence related to money laundering and terrorist financing; (iii) all criminal offences committed against financial service providers, their customers or their employees; and (iv) the contravention of laws of foreign jurisdictions, including those relating to money laundering and terrorist financing (Recommendation No. 8).
Unlike jurisdictions like the United States of America, Canada does not presently have legislation similar to the United States’ Children’s Online Privacy Protection Act (COPPA). The Committee has recommended that the Government of Canada consider implementing specific rules of consent for minors as well as regulations to govern the collection, use and disclosure of minors’ personal information (Recommendation No. 9).
In the EU’s GDPR, a right to “data portability” is recognized. This right does not presently exist in Canadian law, and the Committee has recommended that PIPEDA be amended to include a data portability right (Recommendation No. 10).
Online Reputation and Respect for Privacy
The Committee examined, in detail, a “right to be forgotten” and the two concepts that are typically included in that right: (a) the “right to erasure”; and (b) the “right to de-indexing”.
Where a “right to erasure” typically means a right to have information removed from a website, a “right to de-indexing” typically refers to a right to have a website containing personal information removed from the results generated by Internet search engines.
The Committee has called on the Government of Canada to consider incorporating into PIPEDA a framework for a “right to erasure” based on the EU’s model, that would, as a minimum, enable young people to request that information posted online (either by themselves or someone else) be taken down (Recommendation No. 11).
Similarly, the Committee has recommended that the Government of Canada consider amending PIPEDA to include a framework for a “right to de-indexing”, and that a “right to de-indexing” be expressly recognized in situations where personal information posted online pertains to an individual when he or she was a minor (Recommendation No. 12).
During its hearings, the Committee heard that “too often little attention is paid to the end of a document’s life cycle”. In the Committee’s opinion, the Government of Canada should consider amending PIPEDA so it is clearer what organizations’ obligations are with respect to the destruction of personal information (Recommendation No. 13).
The concept of “privacy by design”, which was developed in the 1990s by the then Information and Privacy Commissioner of Ontario (a Canadian province), has been embraced, conceptually, throughout Canada and in other parts of the world. In the Committee’s opinion, it is now time to amend PIPEDA so “privacy by design” becomes a central principle under the statue, and, where possible, “privacy by design”‘s seven foundational principles be included (Recommendation No. 14).
Enforcement Powers of the Privacy Commissioner
Under PIPEDA, the OPC and the Privacy Commissioner serve an ombudsman role, and the compliance tools available to them are limited.
As a result of the evidence presented before it, the Committee has concluded that “there is a demonstrated need to grant the Privacy Commissioner enforcement powers related to PIPEDA”, and the Committee has recommended “using the system currently in place in the United Kingdom as a model”. As part of its recommendations, the Committee has stated that the new enforcement powers should include the power to make orders and to impose fines for non-compliance (Recommendation No. 15).
Adequacy of PIPEDA under the EU’s GDPR
PIPEDA’s similarity to the EU’s Directive 95/46/EC (of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) (the “Directive”) enabled PIPEDA to be declared adequate in relation to the Directive, which gave Canadians certain rights that other jurisdictions (such as the United States) did not enjoy because their privacy legislation was not consider adequate to European privacy standards and expectations.
There has been concern in Canada that PIPEDA may not achieve “adequacy” status under the new EU’s GDPR. As a result, the Committee has recommended that the Government of Canada work with its EU counterparts and determine what, in the context of the GDPR, would constitute “adequate” status for PIPEDA (Recommendation No. 17).
The Committee recognizes that amendments to PIPEDA may be required so it maintains its “adequacy” status in relation to the GDPR, and the Committee has recommended that: (a) the Government of Canada determine what changes to PIPEDA, if any, are needed so the statute maintains its “adequacy” status; and (b) if changes to PIPEDA would be required so PIPEDA maintains its “adequacy” status, but such changes are not in the interests of Canada, the Government of Canada allow for the seamless transfer of data between the EU and Canada through the creation of appropriate mechanism (Recommendation No. 18).
PIPEDA is not applicable in all Canadian provinces, as some provinces have enacted “substantially similar” provincial legislation that applies in those provinces. In addition, some provinces have enacted personal health information specific legislation. The Committee has recommended that the Government of Canada work with Canada’s provinces and territories to ensure that they are aware of what would be required for the EU to grant “adequacy” status for their applicable legislation (Recommendation No. 19).
Next Steps
The next step is for the Canadian House of Commons and/or the Government of Canada to review the Report and decided what course(s) of action, if any, they will take to implement the 19 recommendations of the Committee.
Given the pending coming into force of the EU’s GDPR (May 2018), it is anticipated that the House of Commons and/or the Government of Canada will act promptly on some of the recommendations and they may delay, or decline, the implementation of some of the other recommendations.
With a federal election looming in 2019, the Government of Canada will need to act sooner than later to ensure that desired amendments to PIPEDA are enacted before the House of Commons is dissolved and any pending legislative changes subsequently die on the order paper.
Contributors – Dean Dolan and J. Andrew Sprague
