In Parts I and II of this series on big data, we discussed issues relating to intellectual property and contracting. In Part III, we will discuss the privacy regulations applicable to big data.
Regulating Big Data
- Overview of PIPEDA
In Canada, data protection is the principal area of regulation when it comes to capturing and storing personal information. Data protection is governed by both federal and provincial legislation. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into full force in 2004 and regulates how organizations and businesses collect, use, and disclose personal information in the course of commercial activities. PIPEDA’s stated purpose is to:
“establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Under PIPEDA, organizations must obtain an individual’s consent when they collect, use, or disclose an individual’s personal information. “Personal Information” is defined broadly and includes any information about an identifiable individual, other than basic information about employees of an organization. Personal information can only be used for the purpose for which it was collected, and individuals also have a right to access personal information held by an organization. Of particular note in terms of Big Data is that PIPEDA allows for implied consent depending on the sensitivity of the information being collected. As such, a key question is whether a privacy notice is clear enough that users can reasonably anticipate, from that notice, the Big Data processing that will follow.
The federal government can also exempt certain organizations from PIPEDA if provinces in which they operate have adopted substantially similar privacy legislation – to date, this includes Quebec, British Columbia, and Alberta, and in matters relating to healthcare, Ontario, New Brunswick, and Newfoundland and Labrador. As a result, PIPEDA does not apply to certain entities in these provinces, but it will still apply to all interprovincial and international activities.
- Amendments to PIPEDA
There is no question the world has changed since PIPEDA was enacted. While PIPEDA has brought about a broad, national regulatory framework, it is questionable whether it is up to the task of handling the challenges of changing technology and Big Data. In the roughly 10 years since PIPEDA came into full force, huge technological developments have occurred. The explosion of social media, as well as the ability to track internet usage and collect personal information, has created new data at a staggering rate. According to a 2013 report by IBM, 2.5 quintillion bytes of data are created daily and 90% of the world’s data that exists today was created in the last two years. Canadians have done their part – averaging approximately 40 hours a month online (twice the world average).
With the changes and growth of Big Data, some have questioned whether the compliance and enforcement provisions in PIPEDA are strong enough to ensure compliance as the value of tapping into personal information grows. The Office of the Privacy Commissioner of Canada released a position paper calling for substantial changes to PIPEDA to address the challenges of Big Data and the growing number of internet companies looking to cash in on the “treasure trove” of personal information they have amassed. Jennifer Stoddart, the Privacy Commissioner at the time of the report, stated in announcing the position paper that “the purpose of our privacy law…is no longer being met…(it) lacks mechanisms strong enough to ensure organizations invest appropriately in privacy.”
On June 18, 2015, Bill S-4, better known as the Digital Privacy Act (“DPA”), received Royal Assent and is now law, although several sections have yet to come into force. The DPA makes significant changes to PIPEDA, including requiring mandatory breach reporting to both the Privacy Commissioner and the affected individuals, and instituting additional fines up to $100,000.
Key amendments to PIPEDA that organizations should be aware of include:
- The definition of “consent” has changed
While PIPEDA specified that knowledge and consent were required, the DPA adds the additional requirement that it must be reasonable to expect that the individual understands what they are consenting to, i.e., that they understand the nature, purpose and consequences of the collection, use or disclosure. Clear, simple language should be used when requesting consent, particularly when dealing with vulnerable populations such as children.
- Breach reporting to the Commissioner will become mandatory: (not yet in force)
The DPA introduces, for the first time, mandatory reporting at the federal level in Canada. The Commissioner must be notified of any breach that creates a real risk of significant harm to an individual. The definition of significant harm is broad, and includes bodily harm, humiliation and damage to reputation as well as identity theft and financial loss, among others. The breach must be reported “as soon as feasible”, although how the Commissioner evaluates what constitutes an appropriate timeframe has yet to be determined. This requirement will come into force by Order in Council, on an unspecified day.
- Organizations will be required to report breaches to the impacted individuals: (not yet in force)
All individuals who may reasonably face a real risk of significant harm from the breach must also be notified directly and “as soon as feasible” following the breach. This notification must allow the individual to understand how the breach may impact them and what steps they can take to reduce or mitigate the risk, as the case may be. This requirement will come into force by Order in Council, on an unspecified day.
- The Commissioner may report breaches to the public.
Prior to the DPA, the Commissioner had a narrow power to make any information relating to personal information management practices public if it was in the public interest. The DPA significantly broadens this power to include any information that comes to the Commissioner’s knowledge during the exercise of their powers or duties.
- Failure to report a breach or a lack of record-keeping may result in significant fines.
The DPA introduces fines of up to $100,000 for failing to report any breach to both the Commissioner and the impacted individual as soon as feasible after the breach. Organizations may also be fined up to $100,000 for failing to maintain records of any breach. It is not yet clear how these provisions will be interpreted – whether the $100,000 limit would apply per organization, per breach event, per individual affected, or in some other way. For example, if ten subscribers’ personal information was taken from an organization on two different days, and the breaches were not reported, the maximum fine might be $100,000, $200,000, $1,000,000 or possibly some other number.
- Cross-Border Transfer of Big Data
The transfer of personal information outside of Canada is often undertaken by sending physical files, sending digital copies, or storing information on remote servers. Increasingly, big data is transferred and stored on remote servers outside of Canada, or “in the cloud”. Organizations need to be cautious of the implications that transferring big data (in particular, data containing personal information) outside of Canada creates. Most importantly, the legislative matrix that regulates the data will likely change and notification obligations may be imposed.
The federal Privacy Commissioner has noted that, where personal information is transferred to a foreign third party, that information is subject to the laws of the foreign country, and no contract or contractual provision can override those laws. Thus, the Commissioner has stated that, while consent is not required, an organization in Canada that transfers personal information to a foreign third party should at the very least notify affected individuals, depending on the sensitivity of the personal information, that their information may be stored or accessed outside Canada and of the potential impact this may have on their privacy rights.
Unlike PIPEDA, Alberta’s Personal Information Protection Act makes it mandatory for organizations to notify individuals before transferring personal information to a foreign service provider. One issue that this could create in business transactions is that notifying individuals of the collection, use or disclosure of their personal information during a business transaction may breach non-disclosure or confidentiality agreements between the transacting parties. Weighing notification requirements under any applicable privacy legislation alongside confidentiality obligations requires a thorough risk analysis.
- The Future of Regulation
While PIPEDA will likely continue to be the chief source of regulation for Big Data in the near term, changes may be on the way through both domestic and international regulatory efforts. For example, the Office of the Privacy Commissioner of Canada, along with a host of other global data protection authorities, recently endorsed the Global Cross Border Enforcement Cooperation Arrangement, which aims to foster data protection compliance by organisations processing personal data across borders. The Arrangement encourages cooperation between enforcement authorities by facilitating the sharing of information about enforcement-related activity and investigations and, where appropriate, the coordination of enforcement efforts. At the same conference, a resolution on Big Data was also endorsed which outlined the ramifications that Big Data can have on privacy and called upon all parties making use of Big Data to, among other things, obtain valid consent, support transparency, and provide individuals access to information collected about them.
Aside from these international efforts, on the domestic front, more provinces could enact PIPEDA-like legislation, and other legislation may have indirect impacts on the regulation of Big Data.