As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation (“GDPR”), which comes into force this year.
We have prepared a multi-part series of posts focusing in more depth on each section of the Report.
In this post, we summarize and comment on the Committee’s findings set out in Part 4 of the Report, which addresses whether the Office of the Privacy Commissioner of Canada (“OPC”) should be given enforcement powers, what those powers should be, and some of the challenges associated with enhancing the OPC’s powers.
The other posts in this series are:
- Part 4 – Enforcement Powers of the Privacy Commissioner
- Part 5 – Adequacy of PIPEDA under the GDPR
The Report made a number of recommendations, and consideration of the OPC’s enforcement powers was a key component. The Report’s recommendations, if implemented, could significantly expand the ability of the OPC to impose penalties—both monetary and otherwise—on private Canadian businesses and federally regulated entities, as well as broaden the OPC’s powers to audit such entities.
Current Enforcement Powers
PIPEDA empowers the Privacy Commissioner of Canada to investigate complaints regarding violations of the Act, which can be initiated by individuals or by the OPC itself. Generally speaking, the Privacy Commissioner’s enforcement powers reflect an ombudsman model, whereby the OPC investigates and mediates complaints under PIPEDA as a neutral third party. The Privacy Commissioner has the power to summon witnesses, administer oaths and compel production of evidence, but not to issue final orders. With the Digital Privacy Act amendments in 2015, the Privacy Commissioner can enter into a compliance agreement with an organization, pursuant to which the organization agrees to the steps it will take to bring itself into compliance with PIPEDA. The Privacy Commissioner can also apply to the Federal Court for a court order for matters that remain unresolved following the foregoing process, requesting either an order requiring an organization to comply with its compliance agreement or another court order provided for under the Act.
The OPC has long called for enforcement powers (most recently in its 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act) but the power to enter into compliance agreements has been the only notable change in its powers to date.
In the opinion of numerous academic and industry commentators, the limited enforcement powers currently available to the Privacy Commissioner under PIPEDA hamper the effectiveness of the OPC as a regulator. Indeed, current and past Privacy Commissioners have also proposed to the government that granting stronger enforcement powers and incentives for compliance with PIPEDA would enhance the ability of the OPC to protect individuals’ privacy rights. Different enforcement options that have been recommended and considered include the ability for the Privacy Commissioner to impose statutory damages and administrative monetary penalties, and to make orders. In addition, the OPC has recommended legislative changes to empower it to take proactive steps in respect of matters such as online reputation.
In the course of its review, the Committee heard from 68 witnesses and received 12 written submissions. Many of these oral and written submissions expressed support for amending PIPEDA to grant the Privacy Commissioner broader enforcement powers, though the specifics of the recommended powers varied. The enforcement powers proposed by witnesses in their submissions to the Committee included, among others, the following:
- granting the Privacy Commissioner broad discretionary authority to impose administrative monetary penalties or the authority to impose fines;
- introducing a statutory right of action exercisable by individuals without a prior complaint to the OPC, supported by statutory damages;
- establishing a maximum deterrent fine based on a percentage of the offending business’ worldwide turnover for the previous year and a second threshold amount, the greater of which would be applied (an approach consistent with the European Union’s General Data Protection Regulation, or “GDPR”);
- authorizing the Privacy Commissioner to impose fines on organizations specifically in cases of substantial or systemic non-compliance with privacy obligations; and
- empowering the Privacy Commissioner to encourage, and in some cases require, the use of privacy protection tools such as codes of conduct, privacy seals, and privacy impact assessments.
Other suggested approaches included giving the OPC a more proactive role by enabling the Privacy Commissioner to issue advance compliance rulings regarding new technologies, thereby lessening the need for later investigation and enforcement.
Comparing Canada’s privacy legislation to that of other countries around the world, the Report noted that data protection authorities in the United Kingdom, Ireland, New Zealand, and Spain have order-making powers, with the United Kingdom and Spain also having the ability to impose fines. In the UK, fines of up to £25,000 are permitted, whereas in France, fines of up to €300,000 are allowed. Under the GDPR, as noted, fines are based on a percentage of an organization’s annual revenue.
The Committee concluded in the Report that there is a demonstrated need to grant the Privacy Commissioner enforcement powers related to PIPEDA and recommended modelling the Canadian approach after the system currently in place in the United Kingdom. Specifically, the Report recommended that PIPEDA be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.
In addition, the Report recommended that PIPEDA be amended to give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate, which follows a recommendation made by former Privacy Commissioner Jennifer Stoddart. Such powers would augment the existing powers of the Privacy Commissioner under PIPEDA to conduct audits of how organizations governed by the Act use personal information, make public any information that comes to the Privacy Commissioner’s knowledge in the performance or exercise of any of his or her duties if it is in the public interest, and coordinate with provincial counterparts in initiatives such as the development of model contracts.
The question of granting broader enforcement powers to the Privacy Commissioner goes to the heart of the OPC’s purpose and role. If the OPC is to have an open and collaborative relationship with businesses to encourage and facilitate design of products and services that respect Canadians’ privacy rights, some fear that a stronger enforcement mandate for the OPC could deter such cooperation and openness from the business community. On the other hand, creating a body of precedents for enforcement of PIPEDA could help build greater certainty and confidence among businesses by demonstrating consistency and predictability in application of the legislation.
In the course of submissions, some concern was expressed by business community representatives that broad enforcement powers for the OPC could discourage legitimate business use of information due to fears of non-compliance and the costs of associated compliance endeavours. Seen from another perspective, however, greater enforcement powers for the Privacy Commissioner could help level the playing field between organizations acting prudently and making investments in compliance and those disregarding privacy legislation.
Order making power and other enforcement powers are not a done deal. There are significant legal risks associated with the introduction of order making powers, including the outstanding constitutional problems (chiefly concerning the division of powers).
The introduction of order making powers, including the ability to impose monetary penalties, would create even more disparity between the Commissioner’s powers under the Privacy Act (the public sector privacy legislation which the OPC also administers) and those under PIPEDA.
Finally, the introduction of order making powers, including the ability to impose monetary penalties, would likely require a significant overhaul of the OPC’s current institutional structure, because under the current structure the OPC, which is already charged with investigating alleged violations, would also be charged with making decisions on them. A 2011 Report titled Powers and Functions of the Ombudsman in the Personal Information Protection and Electronic Documents Act: An Effectiveness Study notes that “it would seem that replacing the Office with an agency in the decentralized organizations category, and more specifically, a social regulatory agency…endowed with administrative powers (e.g. power of investigation), decision-making powers (e.g. power to make orders and impose penalties) and regulatory powers, is an option that could be given serious attention”.