Study of the Personal Information and Electronic Documents Act (PIPEDA)
Letter to the Standing Committee on Access to Information, Privacy and Ethics about the study of PIPEDA
December 2, 2016
Mr. Blaine Calkins, M.P.
Chair, Standing Committee on Access to Information, Privacy and Ethics
Sixth Floor, 131 Queen Street
House of Commons
Ottawa, Ontario K1A 0A6
Dear Mr. Chair:
I would like to take this opportunity to propose some possible areas of focus that the Standing Committee on Access to Information, Privacy and Ethics (ETHI) may wish to consider as it prepares for its study of the Personal Information and Electronic Documents Act (PIPEDA).
Introduction
As you know, PIPEDA was conceived to be technology-neutral and principles-based, two qualities that should remain as these are strengths of the law. However, the constant and accelerating pace of technological change since the turn of the 21st century when PIPEDA came into force has resulted in some significant pressure points that are having a profound impact on privacy protection.
During the 2012 ETHI study on social media, the Committee heard about the radical changes in how individuals and organizations view and protect personal information in the digital age. The Committee’s report recognized the pressure on Canadians’ privacy rights caused by the reach of digital companies using Internet and mobile technologies to collect and share personal information.
Two issues highlighted in the Committee’s report, obtaining meaningful consent and retention and deletion of personal information online, have also been the particular focus of my Office because of their fundamental importance to the privacy of Canadians.
A. Meaningful consent
During the Office’s 2015 privacy priority setting exerciseFootnote 1, we heard from individuals and organizations that PIPEDA is under challenge, especially when it comes to meaningful consent. Opaque privacy policies, complex information flows, and new business models involving a multitude of third-party intermediaries (such as search engines, sharing economy platforms, and data brokers) have put a strain on a consent model that was conceived when information was exchanged between two known parties to a binary commercial relationship at a fixed moment in time. In the age of big data, cloud computing and the Internet of Things, it is no longer entirely clear who is processing our data and for what purposes.
Is it fair then to saddle consumers with the responsibility of having to make sense of these complex data flows in order to make an informed choice about whether or not to provide consent? Technology and business models have changed so significantly since PIPEDA was drafted that many now describe the consent model, as originally conceived in the context of individual business transactions, to be no longer up to the task. 90% of Canadians are concerned that they no longer have control of their personal information.
Yet, effectively protecting personal information in this new context is vital to preserving Canadians’ trust in a digital economy.Footnote 2 In response to the concerns voiced, the Office committed to identifying and exploring possible enhancements to the consent model by issuing a discussion paperFootnote 3 and conducting stakeholder meetings across Canada.
We believe there continues to be a place for individual choice and control, in situations where consent can be meaningfully given. Our discussion paper therefore proposes a number of solutions to enhance consent, either through better and more timely information, technological solutions or privacy by design and privacy by default.
However, there may well be situations where consent is not practicable. To ensure privacy continues to be respected in these situations, our paper goes into potential alternatives to consent, including the notion in European law that data processing is authorized without consent if it is necessary for legitimate purposes and if it does not intrude on the rights of individuals. Our paper also describes solutions to enhance the accountability of organizations and improve governance, for instance through codes of practice or boards of ethics.
In response to our consultation paper, we received 51 submissionsFootnote 4. Roughly half came from industry, and the balance from academics, the legal community, regulators, civil society and individuals. We have also completed four of five planned stakeholder meetings. After reading through the submissions and listening to roundtable discussions, it seems clear that many agree that the increasingly complex digital environment poses challenges for the protection of privacy and the consent model. Where stakeholders differ significantly is with respect to how to address these challenges.
Business has largely emphasized the technology-neutral and flexible nature of PIPEDA, suggesting the current legislative framework is adequate and that there are ways to address consent-related challenges without resorting to legislative amendments.
One suggestion from businesses is to give organizations greater latitude to rely on implied consent and another was to give more room for de-identification or to broaden the concept of publicly available information. While these concepts all have their place in PIPEDA, further examination of how expanding their use would enhance privacy protection is warranted.
Respondents from the advocacy community, including some academics, however, were more inclined to challenge the status quo and recommend a broader range of solutions to address the perceived shortcomings of PIPEDA and the consent model, including stronger enforcement powers generally. Some argued privacy commissioners should be able to proactively audit privacy compliance as opposed to relying on a complaints-based system, or that my Office be authorized to provide preliminary opinions on a company’s proposed practice upon request.
A number of stakeholders expressed support for Privacy by Design and privacy by default, while one industry association suggested that these concepts do not need formal integration as they are already recognized as best practices. Several proposed technical solutions, such as machine-readable privacy policies and “data tagging” or “smart data” – managed through technology that communicates a user’s privacy preferences to websites.
We also heard calls by most stakeholders for more guidance from my Office. There was some discussion of whether this guidance should be legally binding.
Many recommended shortened or layered privacy policies. Some suggested shortened policies would allow organizations to highlight only those practices that deviate from the norm, while filtering out practices that would be obvious to users in light of the service provided. Others suggested that notices to consumers should focus on core issues such as the information collected, how it will be used and with whom it will be shared. One legal submission suggested my Office be given the power to impose a simplified consent form.
Few agreed on the overall value of privacy trustmarks, and most seemed to think that no-go zones are a no go – though not everyone. While there was some support for ethical assessments and frameworks, particularly in light of the growth of big data and the Internet of Things, what form it might take was less clear and businesses seemed generally opposed to making it mandatory or authorizing third parties, such as ethics boards, to carry out such activities.
The roundtable meetings on consent will be followed by focus group discussions with individuals across the country. Once the consultation process is complete and we have had an opportunity to consolidate our findings, which we expect to occur in the middle of 2017, we would be happy to share them with the Committee.
B. Reputation and Privacy
We have also been looking in depth at issues of reputation and privacy in response to the many concerns we heard from stakeholders as well as the larger global debate about the damaging effects the permanence of online information can have on people’s lives and livelihoods. At the start of this year, we issued a research paperFootnote 5 to advance the discussion on how best to provide individuals with recourse when their online reputation is negatively affected by personal information posted online. We solicited essaysFootnote 6 on new and innovative ways to protect reputational privacy, including whether the right to be forgotten could find application in the Canadian context. Under PIPEDA, individuals have the right to challenge accuracy and withdraw consent, but the overall effectiveness of such recourse in the face of reputational harm may need to be enhanced. We are currently developing a policy position on this issue and would be pleased to inform the Committee of our views once our thinking solidifies.
C. Enforcement powers
The question of whether the ombudsman model continues to be appropriate for my office has been raised repeatedly since the rise of online business models. My predecessor, Jennifer Stoddart, askedFootnote 7 for stronger enforcement powers under PIPEDA, which could include statutory damages, order-making powers and/or the power to impose administrative monetary penalties (or some combination thereof), in order to ensure the Commissioner’s continued ability to protect individuals’ privacy rights in a globalized economy where threats to privacy proliferate. As you know from your study on Privacy Act Reform, I am now asking for order-making powers under that Act.
As part of my office’s consultation on consent, I have asked stakeholders to weigh in on Commissioner powers under PIPEDA. Civil society and academics largely support stronger enforcement powers for my Office as a way of compensating for the current challenges facing the consent model. Businesses tell me that stronger enforcement powers may change their relationship with the OPC and they could be less inclined to cooperate. As you may know, my counterparts in Europe and the US have the authority to make binding orders and to impose fines. Some of my provincial colleagues have order making powers as well. They tell me that having greater enforcement powers has not had the effect feared by Canadian businesses.
D. Adequacy
Businesses transferring personal information from the European Union (EU) to Canada have relied on PIPEDA’s adequacy status under the 1995 Data Protection Directive. However, with the coming into force of the European General Data Protection Regulation (GDPR) in 2018, the EU will need to assess the adequacy of PIPEDA’s protections vis-à-vis the GDPR. The GDPR contains some provisions that did not appear in the current Directive and also do not appear in PIPEDA, such as data portability, data erasure, and privacy by design and default. Given the differences in the two statutes, as well as the fall-out of the Schrems decisionFootnote 8 for the United States businesses, the EU’s assessment of PIPEDA’s adequacy status is a pressing issue with possible far ranging implications for Canada’s trade relationship with the EU.
Conclusion
Finally, I have attached a list of individuals the Committee might want to consider as potential witnesses for its study of PIPEDA. The list includes stakeholders who participated in my office’s consultations on consent and reputation. I believe these experts are very well-versed on the issues and can provide the Committee with a wide range of perspectives on PIPEDA and on its ability to balance individuals’ right to privacy with organizations’ legitimate need to collect and use personal information. Also included are a number of data protection authorities, both in Canada and abroad, all of whom are seeking to align their respective laws with modern technologies. Canada’s modernization effort cannot proceed in isolation from others and therefore it is crucial to understand where our partners are moving in terms of ensuring privacy protection while also encouraging innovation, growth and trust in the digital economy.
I hope that my comments will be of assistance to the Committee. I look forward to speaking of these and other issues more fully in the coming months once I have had the opportunity to study the results of my office’s consultations and formulate my own policy position on whether and how PIPEDA needs to be modernized to address many emerging challenges that were never foreseen at the time of its adoption and first review.
Sincerely,
(Original signed by)
Daniel Therrien
Commissioner
Encl.
c.c.: Hugues La Rue, Clerk of the Committee
Potential Witnesses for PIPEDA study ETHI appearances
Academics:
- Lisa Austin, University of Toronto
- Colin Bennett, University of Victoria
- Michael Geist, University of Ottawa
- Samuel Trosow, University of Western Ontario
Public Interest and Consumer Groups:
- Howard Deane, Consumers Council of Canada
- Vincent Gogolek, BC Freedom of Information and Privacy Association
- Michael Karanicolas, Centre for Law and Democracy
- John Lawford, Public Interest Advocacy Centre
- Alexandre Plourde, Option consommateurs
Consultants:
- Martin Abrams, Information Accountability Foundation
- Waël Hassan, KI Design
- Terry McQuay, Nymity
Industry Associations
- Canadian Chamber of Commerce
- Canadian Bankers Association
- Canadian Bar Association
- Canadian Life and Health Insurance Association
- Insurance Bureau of Canada
- Canadian Marketing Association
- Information Technology Association of Canada
- Interactive Advertising Bureau of Canada
Members of the Bar:
- Karl Delwaide, Fasken Martineau
- David Fraser, McInnes Cooper
- Eloïse Gratton, Borden, Ladner, Gervais
- Adam Kardash, Osler, Hoskin & Harcourt
- Kirsten Thompson, McCarthy Tetrault
Current and Former Privacy and Information Commissioners:
- Chantal Bernier, former Acting Privacy Commissioner of Canada
- Jean Chartier, Information and Privacy Commissioner, Quebec
- Jill Clayton, Information and Privacy Commissioner, Alberta
- Drew McArthur, Acting Information and Privacy Commissioner, British Columbia
- Jennifer Stoddart, former Privacy Commissioner of Canada
- Catherine Tully, Information and Privacy Commissioner, Nova Scotia
Government
- Canadian Radio-Television and Telecommunications Commission
- U.S. Federal Trade Commission
- Commission nationale de l'informatique et des libertés, France
- Office of the U.K. Information Commissioner
- Office of the Australian Privacy Commissioner
- Date modified: