As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation (“GDPR”), which comes into force this year.
We have prepared a multi-part series of posts focusing in more depth on each section of the Report.
In this post, we summarize and comment on the Committee’s findings set out in Part 1 of the Report, which addresses the historical context of PIPEDA and its development over the last two decades, and situates it in today’s context.
The other posts in this series are:
Part 1 – Overview and Context of the Report
Part 2 – Consent
Part 3 – Online Reputation / “Right to be Forgotten”
Part 4 – Enforcement Powers of the Privacy Commissioner
Part 5 – Adequacy of PIPEDA under the GDPR
Overview and Context
The Report focused on four primary areas: consent, online reputation / “right to be forgotten”, the enforcement powers of the Office of the Privacy Commissioner of Canada (“OPC”), and the maintenance of PIPEDA’s “adequacy” status under the European Union’s pending General Data Protection Regulation (“GDPR”).
A central theme in the Report is that consent should continue to underpin the Canadian privacy regime. In addition, the Report expresses the desire to encourage organizations to adopt “privacy by design”—that is, an approach that takes privacy considerations into account from the earliest stages of development of products and services.
Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA, or the “Act”), passed into law in 2000, was the product of data privacy protection principles produced by a committee of consumer, business, government, labour and professional representatives. The Act regulates, among other things, the collection, use and disclosure of personal information by both federally regulated entities and private businesses in the course of commercial activities. It also governs the handling of personal information of employees and employment applicants for federally regulated entities.
As federal legislation, PIPEDA applies to federally regulated organizations, as well as to interprovincial and international transactions by all entities subject to the Act in the course of commercial activities. It also applies in provinces that have not adopted substantially similar legislation to PIPEDA.
The precursor to PIPEDA was the Model Code for the Protection of Personal Information (“Model Code”), approved as a national standard by the National Standards Council of Canada in 1996. At the same time, data protection developments internationally, particularly those in the European Union, served to further energize the passage of PIPEDA into law in 2000.
PIPEDA requires a parliamentary review every 5 years of Part I, the portion of the Act that deals with the protection of personal information. The first parliamentary review contained 25 recommendations and was tabled in the House of Commons in 2007; the government’s response to the recommendations followed that same year. Bill C-29, which would have amended PIPEDA, died on the Order Paper when Parliament was dissolved in 2011. Reintroduced as Bill C-12 in 2011, it again died on the Order Paper when Parliament was prorogued in 2013.
Multiple private members’ bills and the OPC’s own paper on reform followed, but no significant statutory revisions were undertaken until Bill S-4, the Digital Privacy Act, was introduced by the Senate and received Royal Assent in 2015.
The Digital Privacy Act amendments fixed some longstanding problems with the legislation (for instance, permitting the disclosure of personal information without knowledge or consent in certain circumstances, and clarifying existing circumstances), added measures with respect to mandatory data breach reporting and record keeping (still not yet in force), and gave the OPC a new limited power (the power to enter into compliance agreements with organizations).
Though these amendments were largely welcome, they did not address the larger issues that were beginning to develop in respect of PIPEDA, chiefly that even though the legislation had been drafted to be technologically neutral, technology had in many regards outpaced the Act and rendered it problematic. For instance, when PIPEDA was first formulated, a binary limited consent model made sense; however, with the advent of social media platforms, the Internet of Things, and big data, the notion of meaningful consent was being increasingly rendered illusory.
Many of the recommendations in the Report are aimed at addressing the issues presented by new technologies, and the fact that data – particularly personal information – has been commoditized and commercialized in ways not contemplated when PIPEDA was first introduced.
Another key impetus is the desire to maintain adequacy status under the pending GDPR. Under the GDPR, organizations in the European Union are prohibited from transferring personal data to any non-member state whose laws do not adequately protect this data. The EU will therefore have to assess the adequacy of PIPEDA under the GDPR. While not a one-to-one comparison, PIPEDA currently lacks a number of the rights and provisions in the GDPR, including rights to data portability and data erasure, the concept of privacy by design, and enforcement measures that include significant penalties.
Witnesses before the Standing Committee were divided on the issue of adequacy. Many advocated for the need for adequacy, arguing that such a finding was a significant competitive advantage in a global economy. Others were less sanguine, arguing that adequacy for adequacy’s sake was misguided and that PIPEDA should be amended if it needed to be modernized, not because of adequacy concerns.
With approximately four years until the next adequacy review, amendments to PIPEDA will likely need to occur some time in those next four years. What those amendments actually look like by the time they are drafted remains to be seen.