As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation, (“GDPR”) which comes into force this year.
We have prepared a multi-part series of posts focusing in more depth on each section of the Report.
In this post, we summarize and comment on the Committee’s findings set out in Part 3 of the Report, which treats the issues of the “right to be forgotten”, the destruction of personal information and “privacy by design”.
The other posts in this series are:
Part 3 – Online Reputation/ “Right to be Forgotten”
Part 4 – Enforcement Powers of the Privacy Commissioner
Part 5 – Adequacy of PIPEDA under the GDPR
Right to be Forgotten
The issue of online reputation has long been a topic of interest for lawyers whose practice addresses issues of defamation. However, in 2014, the topic was given novel treatment when the Court of Justice of the European Union (“CJEU”) rendered its decision on the issue of de-indexing in Google Spain v. AEPD and Mario Costeja Gonzales (“Google Spain”).
In that matter (which involved an individual who wished to have Google remove links between his name and website content related to an old bankruptcy proceeding that he had been involved in), the CJEU found that search engines, such as Google, must consider requests made by individuals to remove certain websites from the results produced when their name is searched. The case became associated with a nascent so-called “right to be forgotten”, since enshrined in the GDPR.
With this as the backdrop, the Committee examined whether PIPEDA should be amended to include an analogous, express “right to be forgotten” and, if so, what form(s) such a right should take.
The Committee’s first finding in this regard was that when online reputational damage occurs in the context of personal relationships rather than commercial transactions, PIPEDA does not apply (since the latter only applies to the collection, use and disclosure of personal information in a commercial context). Moreover, the Committee noted that the Criminal Code treats a number of related offences, such as regards the publication of intimate images without consent. Accordingly, the Committee clarified that the scope of their analysis was limited to the protection of privacy and online reputation in the context of commercial transactions.
Second, the Committee noted that the “right to be forgotten” could be addressed through two distinct types of remedies: (a) the right to erasure; and (b) the right to de-indexing. The former involves the right of an individual to have his/her personal information deleted from a website; the latter involves the mere de-referencing or de-indexing of such website from search results that include the individual’s name (while leaving the source documents themselves in place).
Right to Erasure
As regards the right to erasure, the Committee noted that PIPEDA does not expressly contain such a right, although the principles of “consent”, “limited retention” and “accuracy” may be applied in some instances to give effect to a limited right of erasure in certain circumstances.
For example, according to Principle 4.3.8 of Schedule 1 to PIPEDA, an individual has the right to withdraw consent to the collection, use and disclosure of his/her personal information. If this is then combined with the limited retention principle, pursuant to which an organization may only retain personal information for so long as it is necessary for the fulfilment of the purposes for which it was collected, then (in some circumstances) an individual may successfully argue that, upon withdrawal of their consent, the organisation that holds their information should destroy it.
Moreover, pursuant to the “accuracy” principle, organisations should provide opportunities for individuals to update and correct any inaccuracies in the information that is held about them, particularly where such information may be used to make a decision about the individual. Finally, the Committee noted the recent Federal Court decision (A.T. v. Global24h.com) in which the court ordered the removal of personal information from a website because it determined that the information had not been collected for appropriate purposes, in violation of Section 5(3) of PIPEDA.
In this context, several of the Committee witnesses argued that PIPEDA should be amended to create a more comprehensive right of erasure (to address situations of cyberbullying or revenge porn, for example) that would be similar in scope to the right of erasure found in the GDPR. Others, however, raised substantive concerns about the potential negative impact on freedom of expression, as protected by the Charter. A representative of the Association of Canadian Archivists argued that a right of erasure must not unduly interfere with preserving the integrity of public documents.
Ultimately, the Committee expressed the view that individuals should have the right to have their personal information removed when they end a business relationship with a service provider or when the information was collected, used or disclosed contrary to PIPEDA. The Committee recommended that legislators look to the GDPR as a model as a means of clarifying the scope of such a right. Finally, the Committee concluded that, at a minimum, young people should have the right to have information that is posted about them (by themselves or by others) taken down.
Right to De-indexing
As regards the right to data de-indexing, the Committee not only noted the above-cited Google Spain decision, but also the more recent Supreme Court of Canada decision of Google Inc. v. Equustek Solutions Inc. (discussed in our previous post, here).
Although the latter case involved a de-indexing order in the context of litigation related to the unlawful publication of confidential information and trade secrets, some Committee witnesses argued that a similar logic could be applied to justify de-indexing of personal information. In this regard, as discussed in our previous post, the Office of the Privacy Commissioner of Canada (“OPC”) argued that this form of right to be forgotten already exists in PIPEDA and that it considered it appropriate to have search engines provide the first level of review of a de-indexing request. Since this approach raised concerns regarding the proper role of the private sector in administering administrative remedies, Committee witnesses argued for the importance of a transparent decision-making process and the OPC proposed a series of criteria that should be applied in relation to any de-indexing request.
Ultimately, the Committee recommended that the legislator consider including a de-indexing framework in PIPEDA and that the right be expressly recognized in cases related to personal information posted online by individuals when they were minors.
Destruction of Personal Information
Reinforcing the Committee’s discussion of the right to erasure (discussed above), certain witnesses argued that the erasure of data should be compulsory – not simply recommended – once it is no longer necessary for the purpose for which it was collected. Some argued that PIPEDA should be amended to include a clear definition of what is meant by the “destruction” of data, especially in contexts where complete destruction may be impractical (such as where traces of data may be stored in back-up storage). The Committee expressed support for such recommendations.
Privacy by Design
Finally, the Committee explored the idea of expressly introducing “privacy by design” principles into an amended PIPEDA. “Privacy by design” is meant to ensure that privacy considerations are taken into account at all stages of product development, including in relation to the design, marketing and retirement of the product.
The approach is based on the following seven foundational principles:
- Proactive not reaction; preventative not remedial
- Privacy as a default setting
- Privacy embedded into design
- Full functionality – Positive sum, not zero sum
- End to end security
- Visibility and transparency
- Respect for user privacy.
Many Canadian businesses have followed the implementation of GDPR (coming into force in May 2018) only vaguely, on the assumption that the new EU data protection regulation will not apply. However, it is clearly time for all Canadian businesses to start paying much closer attention to privacy developments occurring “across the pond”. This is because the GDPR not only has extra-territorial application, it is also providing to be a major source of “inspiration” as Canadian legislators turn their minds to updating Canadian data protection law. Indeed, as Canada assesses what changes to PIPEDA (and analogous provincial legislation) may ultimately be required to maintain a favourable EU “adequacy status”, the GDPR principles may well find their way directly into Canadian legislation.