Study of the Personal Information and Electronic Documents Act (PIPEDA)

Letter to the Standing Committee on Access to Information, Privacy and Ethics about the study of PIPEDA

December 2, 2016

Mr. Blaine Calkins, M.P.
Chair, Standing Committee on Access to Information, Privacy and Ethics
Sixth Floor, 131 Queen Street
House of Commons
Ottawa, Ontario K1A 0A6

Dear Mr. Chair:

I would like to take this opportunity to propose some possible areas of focus that the Standing Committee on Access to Information, Privacy and Ethics (ETHI) may wish to consider as it prepares for its study of the Personal Information and Electronic Documents Act (PIPEDA).

Introduction

As you know, PIPEDA was conceived to be technology-neutral and principles-based, two qualities that should remain as these are strengths of the law. However, the constant and accelerating pace of technological change since the turn of the 21^st century when PIPEDA came into force has resulted in some significant pressure points that are having a profound impact on privacy protection.

During the 2012 ETHI study on social media, the Committee heard about the radical changes in how individuals and organizations view and protect personal information in the digital age. The Committee’s report recognized the pressure on Canadians’ privacy rights caused by the reach of digital companies using Internet and mobile technologies to collect and share personal information.

Two issues highlighted in the Committee’s report, obtaining meaningful consent and retention and deletion of personal information online, have also been the particular focus of my Office because of their fundamental importance to the privacy of Canadians.

A. Meaningful consent

During the Office’s 2015 privacy priority setting exercise^{Footnote 1}, we heard from individuals and organizations that PIPEDA is under challenge, especially when it comes to meaningful consent. Opaque privacy policies, complex information flows, and new business models involving a multitude of third-party intermediaries (such as search engines, sharing economy platforms, and data brokers) have put a strain on a consent model that was conceived when information was exchanged between two known parties to a binary commercial relationship at a fixed moment in time. In the age of big data, cloud computing and the Internet of Things, it is no longer entirely clear who is processing our data and for what purposes.

Is it fair then to saddle consumers with the responsibility of having to make sense of these complex data flows in order to make an informed choice about whether or not to provide consent? Technology and business models have changed so significantly since PIPEDA was drafted that many now describe the consent model, as originally conceived in the context of individual business transactions, to be no longer up to the task. 90% of Canadians are concerned that they no longer have control of their personal information.

Yet, effectively protecting personal information in this new context is vital to preserving Canadians’ trust in a digital economy.^{Footnote 2} In response to the concerns voiced, the Office committed to identifying and exploring possible enhancements to the consent model by issuing a discussion paper^{Footnote 3} and conducting stakeholder meetings across Canada.

We believe there continues to be a place for individual choice and control, in situations where consent can be meaningfully given. Our discussion paper therefore proposes a number of solutions to enhance consent, either through better and more timely information, technological solutions or privacy by design and privacy by default.

However, there may well be situations where consent is not practicable. To ensure privacy continues to be respected in these situations, our paper goes into potential alternatives to consent, including the notion in European law that data processing is authorized without consent if it is necessary for legitimate purposes and if it does not intrude on the rights of individuals. Our paper also describes solutions to enhance the accountability of organizations and improve governance, for instance through codes of practice or boards of ethics.

In response to our consultation paper, we received 51 submissions^{Footnote 4}. Roughly half came from industry, and the balance from academics, the legal community, regulators, civil society and individuals. We have also completed four of five planned stakeholder meetings. After reading through the submissions and listening to roundtable discussions, it seems clear that many agree that the increasingly complex digital environment poses challenges for the protection of privacy and the consent model. Where stakeholders differ significantly is with respect to how to address these challenges.

Business has largely emphasized the technology-neutral and flexible nature of PIPEDA, suggesting the current legislative framework is adequate and that there are ways to address consent-related challenges without resorting to legislative amendments.

One suggestion from businesses is to give organizations greater latitude to rely on implied consent and another was to give more room for de-identification or to broaden the concept of publicly available information. While these concepts all have their place in PIPEDA, further examination of how expanding their use would enhance privacy protection is warranted.

Respondents from the advocacy community, including some academics, however, were more inclined to challenge the status quo and recommend a broader range of solutions to address the perceived shortcomings of PIPEDA and the consent model, including stronger enforcement powers generally. Some argued privacy commissioners should be able to proactively audit privacy compliance as opposed to relying on a complaints-based system, or that my Office be authorized to provide preliminary opinions on a company’s proposed practice upon request.

A number of stakeholders expressed support for Privacy by Design and privacy by default, while one industry association suggested that these concepts do not need formal integration as they are already recognized as best practices. Several proposed technical solutions, such as machine-readable privacy policies and “data tagging” or “smart data” – managed through technology that communicates a user’s privacy preferences to websites.

We also heard calls by most stakeholders for more guidance from my Office. There was some discussion of whether this guidance should be legally binding.

Many recommended shortened or layered privacy policies. Some suggested shortened policies would allow organizations to highlight only those practices that deviate from the norm, while filtering out practices that would be obvious to users in light of the service provided. Others suggested that notices to consumers should focus on core issues such as the information collected, how it will be used and with whom it will be shared. One legal submission suggested my Office be given the power to impose a simplified consent form.

Few agreed on the overall value of privacy trustmarks, and most seemed to think that no-go zones are a no go – though not everyone. While there was some support for ethical assessments and frameworks, particularly in light of the growth of big data and the Internet of Things, what form it might take was less clear and businesses seemed generally opposed to making it mandatory or authorizing third parties, such as ethics boards, to carry out such activities.

The roundtable meetings on consent will be followed by focus group discussions with individuals across the country. Once the consultation process is complete and we have had an opportunity to consolidate our findings, which we expect to occur in the middle of 2017, we would be happy to share them with the Committee.

B. Reputation and Privacy

We have also been looking in depth at issues of reputation and privacy in response to the many concerns we heard from stakeholders as well as the larger global debate about the damaging effects the permanence of online information can have on people’s lives and livelihoods. At the start of this year, we issued a research paper^{Footnote 5} to advance the discussion on how best to provide individuals with recourse when their online reputation is negatively affected by personal information posted online. We solicited essays^{Footnote 6} on new and innovative ways to protect reputational privacy, including whether the right to be forgotten could find application in the Canadian context. Under PIPEDA, individuals have the right to challenge accuracy and withdraw consent, but the overall effectiveness of such recourse in the face of reputational harm may need to be enhanced. We are currently developing a policy position on this issue and would be pleased to inform the Committee of our views once our thinking solidifies.

C. Enforcement powers

The question of whether the ombudsman model continues to be appropriate for my office has been raised repeatedly since the rise of online business models. My predecessor, Jennifer Stoddart, asked^{Footnote 7} for stronger enforcement powers under PIPEDA, which could include statutory damages, order-making powers and/or the power to impose administrative monetary penalties (or some combination thereof), in order to ensure the Commissioner’s continued ability to protect individuals’ privacy rights in a globalized economy where threats to privacy proliferate. As you know from your study on Privacy Act Reform, I am now asking for order-making powers under that Act.

As part of my office’s consultation on consent, I have asked stakeholders to weigh in on Commissioner powers under PIPEDA. Civil society and academics largely support stronger enforcement powers for my Office as a way of compensating for the current challenges facing the consent model. Businesses tell me that stronger enforcement powers may change their relationship with the OPC and they could be less inclined to cooperate. As you may know, my counterparts in Europe and the US have the authority to make binding orders and to impose fines. Some of my provincial colleagues have order making powers as well. They tell me that having greater enforcement powers has not had the effect feared by Canadian businesses.

D. Adequacy

Businesses transferring personal information from the European Union (EU) to Canada have relied on PIPEDA’s adequacy status under the 1995 Data Protection Directive. However, with the coming into force of the European General Data Protection Regulation (GDPR) in 2018, the EU will need to assess the adequacy of PIPEDA’s protections vis-à-vis the GDPR. The GDPR contains some provisions that did not appear in the current Directive and also do not appear in PIPEDA, such as data portability, data erasure, and privacy by design and default. Given the differences in the two statutes, as well as the fall-out of the Schrems decision^{Footnote 8} for the United States businesses, the EU’s assessment of PIPEDA’s adequacy status is a pressing issue with possible far ranging implications for Canada’s trade relationship with the EU.

Conclusion

Finally, I have attached a list of individuals the Committee might want to consider as potential witnesses for its study of PIPEDA. The list includes stakeholders who participated in my office’s consultations on consent and reputation. I believe these experts are very well-versed on the issues and can provide the Committee with a wide range of perspectives on PIPEDA and on its ability to balance individuals’ right to privacy with organizations’ legitimate need to collect and use personal information. Also included are a number of data protection authorities, both in Canada and abroad, all of whom are seeking to align their respective laws with modern technologies. Canada’s modernization effort cannot proceed in isolation from others and therefore it is crucial to understand where our partners are moving in terms of ensuring privacy protection while also encouraging innovation, growth and trust in the digital economy.

I hope that my comments will be of assistance to the Committee. I look forward to speaking of these and other issues more fully in the coming months once I have had the opportunity to study the results of my office’s consultations and formulate my own policy position on whether and how PIPEDA needs to be modernized to address many emerging challenges that were never foreseen at the time of its adoption and first review.

Sincerely,

(Original signed by)

Daniel Therrien
Commissioner

Encl.

c.c.: Hugues La Rue, Clerk of the Committee

Potential Witnesses for PIPEDA study ETHI appearances

Academics:

Lisa Austin, University of Toronto
Colin Bennett, University of Victoria
Michael Geist, University of Ottawa
Samuel Trosow, University of Western Ontario

Public Interest and Consumer Groups:

Howard Deane, Consumers Council of Canada
Vincent Gogolek, BC Freedom of Information and Privacy Association
Michael Karanicolas, Centre for Law and Democracy
John Lawford, Public Interest Advocacy Centre
Alexandre Plourde, Option consommateurs

Consultants:

Martin Abrams, Information Accountability Foundation
Waël Hassan, KI Design
Terry McQuay, Nymity

Industry Associations

Canadian Chamber of Commerce
Canadian Bankers Association
Canadian Bar Association
Canadian Life and Health Insurance Association
Insurance Bureau of Canada
Canadian Marketing Association
Information Technology Association of Canada
Interactive Advertising Bureau of Canada

Members of the Bar:

Karl Delwaide, Fasken Martineau
David Fraser, McInnes Cooper
Eloïse Gratton, Borden, Ladner, Gervais
Adam Kardash, Osler, Hoskin & Harcourt
Kirsten Thompson, McCarthy Tetrault

Current and Former Privacy and Information Commissioners:

Chantal Bernier, former Acting Privacy Commissioner of Canada
Jean Chartier, Information and Privacy Commissioner, Quebec
Jill Clayton, Information and Privacy Commissioner, Alberta
Drew McArthur, Acting Information and Privacy Commissioner, British Columbia
Jennifer Stoddart, former Privacy Commissioner of Canada
Catherine Tully, Information and Privacy Commissioner, Nova Scotia

Government

Canadian Radio-Television and Telecommunications Commission
U.S. Federal Trade Commission
Commission nationale de l'informatique et des libertés, France
Office of the U.K. Information Commissioner
Office of the Australian Privacy Commissioner

Footnotes

Footnote 1

OPC Strategic privacy priorities

Return to footnote 1

Footnote 2

In its 2016 Ministerial Declaration on the Digital Economy, the Organization for Economic Co-operation and Development committed to promoting digital security risk management and the protection of privacy at the highest level of leadership, recognizing these issues are critical for economic and social prosperity.

Return to footnote 2

Footnote 3

Consent and privacy

Return to footnote 3

Footnote 4

Submissions received for the consultation on consent

Return to footnote 4

Footnote 5

Online Reputation: What are they saying about me?

Return to footnote 5

Footnote 6

Submissions received for the consultation on online reputation

Return to footnote 6

Footnote 7

The Case for Reforming the Personal Information Protection and Electronic Documents Act

Return to footnote 7

Footnote 8

In Schrems v. Data Protection Commissioner (Case C-362/14), the complainant alleged that the US did not have adequate protections against government surveillance of his personal data. The European Court of Justice found that U.S. law does not afford adequate protection to personal data, thus rendering the existing U.S. “Safe Harbor” regime invalid.

Return to footnote 8

Date modified:: 2016-12-22

Language selection

Search and menus

Search