On February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act”.
The statutory review of Canada’s federal privacy legislation has been underway for a year, and the Report addresses many of the challenging issues raised by the development of new technologies for the use and dissemination of information. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation (“GDPR”), which comes into force this year.
The Committee’s Report makes 19 recommendations to update the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and to take other measures in respect of individuals’ privacy in their relation with private sector organizations.
An overriding theme and key recommendation is to make privacy by design a central tenet of PIPEDA. “Privacy by design” is meant to ensure that privacy considerations are taken into account at all stages of development, including the design, marketing and retirement of a product. The Report recommends the inclusion of the seven foundational privacy by design principles in PIPEDA.
The Committee also recommends amending PIPEDA to provide the Privacy Commissioner of Canada with enforcement powers as well as broad audit powers, including the ability to choose which complaints to investigate.
The other recommendations of the Committee include:
- ensure that consent remains the core element of the privacy regime, while enhancing and clarifying consent by additional means, when possible or necessary;
- explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, with a view to also implementing a default opt-in system regardless of purpose;
- consider implementing measures to improve algorithmic transparency;
- study the issue of revocation of consent in order to clarify the form of revocation of consent required and its legal and practical implications;
- modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral;
- consider amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests;
- examine the best ways of protecting depersonalized data;
- consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information;
- amend PIPEDA to provide for a right to data portability;
- consider including in PIPEDA a framework for a right to erasure based on the model developed by the European Union (EU) that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;
- consider including a framework for the right to de-indexing in PIPEDA and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors;
- consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information; and
- amend PIPEDA to replace the term “fraud” with “financial crime” (and propose a definition for that term).
There are additional recommendations focused on Canada working with its EU counterparts to determine what would constitute adequacy status for PIPEDA in the context of the GDPR, and making appropriate changes to PIPEDA to permit the transfer of personal information between the EU and Canada.