The House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “Committee”) has been reviewing the Personal Information Protection and Electronic Documents Act (“PIPEDA”) since February 2017. Earlier this year, the Committee released its report titled “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act” (the “Report”), which outlined its recommendations for revising the legislation. The Government of Canada recently responded to the Report.
Throughout the year of review, the Committee held numerous public meetings and heard from many interested stakeholders, including the Privacy Commissioner of Canada, Daniel Therrien, who made recommendations to the Committee in four broad sub-groups: consent, reputation, the enforcement powers of the Office of the Privacy Commissioner of Canada (the “OPC”) and the adequacy of PIPEDA.
The recommendations to update PIPEDA are heavily influenced by the European Union General Data Protection Regulation (“GDPR”) which came into force in May of this year. Among the 19 recommendations were the following:
- Protecting personal information, particularly when posted online, as it can become permanent and can have a devastating impact on reputation. To that end, the Committee recommended PIPEDA include a framework for a right to erasure that, at a minimum, would provide young people with the right to have information posted online taken down either by themselves or through the organization;
- Creation of a framework for the right to de-indexing (the process of ensuring that the information no longer appears in the results of search engines), especially in the case of personal information posted online by individuals when they were minors;
- Inclusion of a right to data portability so that individuals can transfer their personal information between service providers so it could be reused; and
- The importance of “privacy by design” (which encourages a focus on privacy protection right from the design stage of services) and the recommendation PIPEDA be amended to make privacy by design a central principle.
Further, there were several recommendations relating to adequacy status in the context of the GDPR, including for the Government of Canada to work with its EU counterparts and determine what changes, if any, would need to be made in order to ensure PIPEDA maintains its adequacy status under the GDPR.
There was a focus on the issue of consent, including recommendations that consent be enhanced and clarified whenever possible to ensure users are giving meaningful consent and that opt-in consent be the default for any use of personal information for secondary purposes. Recognizing that young people are heavy users of information technology and are a particularly vulnerable group, the Report also encouraged the Government of Canada to consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information.
Finally, the Report recommended PIPEDA be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance. At present, the OPC’s enforcement tools include public interest disclosure, compliance agreements, and applying for a Federal Court hearing; however, the OPC cannot make orders or impose fines. Several witnesses supported this power, noting it could serve to increase compliance, particularly among small and medium-sized enterprises, and it could create a body of precedents which could benefit the industry as a whole. Similarly, the Committee recommended that the Privacy Commissioner be granted broad audit or self-initiated investigation powers. This would allow the OPC to focus on areas where there are new and serious threats in the changing context of new technology and therefore not investigate every complaint.
Government of Canada response
In a letter of response, Navdeep Bains, the Minister of Innovation, Science and Economic Development, acknowledged that the protection of privacy remains a fundamental value and concern for Canadians and noted that the Government of Canada shares the Committee’s view that changes to Canada’s privacy regime are required. The government plans to engage Canadians in a national conversation on data and digital issues with a view to exploring how Canada can lead and succeed in a data and digitally driven economy while ensuring continued respect for individual rights.
The Government of Canada addressed several recommendations, grouped in the same four themes: Consent, Online Reputation, Enforcement Powers of the Privacy Commissioner and Impact of the EU GDPR.
The government agreed with the Committee that consent should remain a core element of PIPEDA and the consent regime can be enhanced and clarified. The government is committed to maintaining PIPEDA’s principles-based approach and is reluctant to make sector-specific changes (e.g., the Committee’s recommendation of expanding the scope of the existing exception to consent for the disclosure of personal information related to the prevention of activities related to financial crime).
The government stated that recent incidents involving unintended uses of personal information obtained from social media highlight the need to closely study the potential impact of redefining “publicly available” information. While the government recognized this issue is particularly critical as it relates to the personal information of minors, it also noted the challenges of applying explicit protections for minors under federal law as it inherently involves the definition of a minor, which falls within provincial jurisdiction.
Online Reputation and Respect for Privacy
The OPC published its Draft Position on Online Reputation earlier this year and took the position that PIPEDA already contains protection that is similar to the European right to be forgotten (or “right to erasure”). In its Report, the Committee recommended PIPEDA include a framework for a right to erasure.
The government’s response acknowledged the work being done by the OPC; however, given the potential far-reaching impacts of a right to erasure and a right to de-indexing in numerous areas, including freedom of speech and the public record, and given that PIPEDA only applies to commercial contexts involving personal information, the government is of the view that it would need to assess whether PIPEDA would be the most appropriate statutory instrument to address these issues.
Enforcement Powers of the Privacy Commissioner
The government agrees with the Committee that it is time to examine how PIPEDA’s enforcement model can be improved. To do so, the government must look at other models of compliance and enforcement and consider the potential impacts on the overall mandate of the OPC, the principles of fundamental justice and the countervailing risks associated with increased enforcement powers.
The government intends to undertake further study of the full range of options for ensuring compliance with PIPEDA.
Impact of the GDPR
The government supported the Committee’s recommendations relating to maintaining Canada’s adequacy status. Officials are working closely with the European Commission, with an adequacy review expected by 2020. The government noted that the EU has opted for the concept of “essential equivalence” in the GDPR to examine the adequacy of non-member regimes, rather than one-to-one mapping. As a result, it is not clear that PIPEDA must reflect each of the GDPR’s rights and protections to maintain its adequacy standing.
The government will be engaging Canadians in a conversation about how to make Canada a more data-savvy society, with a focus on how companies can gather, use and share personal information to innovate and compete while at the same time protecting privacy. The response from the Government of Canada is an interesting discussion of the issues, but gives little insight into the comprehensive views of the government. It seems the Government of Canada may be prioritizing issues related to online reputation, enforcement powers of the OPC and the need to maintain Canada’s adequacy status in light of the GDPR; however, it remains to be seen what modifications, if any, are made to PIPEDA.