Main Estimates 2023-24 Issue Sheets

A) Corporate

Budget and Expenditures

OPC Budget Resources

Key Messages
  • As an Agent of Parliament, the OPC is funded to work independently of government to protect and promote the privacy rights of Canadians by advocating for privacy rights and acting as an independent voice on privacy issues, a key value of democratic societies.
  • The OPC works to protect and promote privacy rights by: investigating complaints, taking action in court, advising government on privacy risks, and promoting public awareness.
  • The total proposed 2023-24 Main Estimates for the OPC is $29.5 million, versus $29.2 million in 2022-23 Main Estimates, which represents a net increase of $240 thousand.
    • This net increase is mainly attributable to additional funding from the renewal of collective bargaining agreements and the adjustment to the employee benefits plan.
  • The amount of $29.5 million in fiscal year 2023-24 includes $500 thousand for its Contribution Program to fund independent research and education on privacy issues.
Background

The OPC’s Main Estimates for 2023-24 of $29.5M are:

  • Personnel expenditures including EBP = $24.3M (or 83%)
  • Operating expenditures = $4.7M (or 16%)
  • Contributions program = $0.5M (or 2%)

Core funding:

  • The OPC received $29.5M in fiscal year 2023-24 including $500K for its Contribution Program.
  • Of this amount, $26.3M requires approval by Parliament.
  • The remaining $3.2M represents statutory forecasts for employee benefits that do not require additional approval and are provided for information purposes.

Prepared by: Corporate


Resource Allocation

Key Messages
  • The OPC’s resource allocation reflects our efforts in recent years to become more forward-looking, by shifting the balance of our activities towards greater proactive efforts.
  • Our objective is to have a broader and more positive impact on the privacy rights of a greater number of Canadians, which is not always possible when focusing a large part of our attention on the investigation of individual complaints.
  • Funds are almost equally allocated between the promotion and compliance programs to balance the need to be proactive with the need to enforce compliance.
Background

Main Estimates: The table below shows planned spending and planned full-time equivalents for each core responsibility in the OPC’s departmental results framework and to Internal Services:

Program | $M | FTE
Promotion Program | 11.2 | 79
Compliance Program | 10.5 | 74
Internal Services | 7.8 | 54
TOTAL REFERENCE LEVELS/ME | 29.5 | 207

Core funding:

  • The OPC received $29.5M in fiscal year 2023-24 including $500K for its Contribution Program.
  • Of this amount, $26.3M requires approval by Parliament.
  • The remaining $3.2M represents statutory forecasts for employee benefits that do not require additional approval and are provided for information purposes.

Prepared by: Corporate


Funding Models

Key Messages
  • We have advocated for a long-term stable funding mechanism that reflects the independent role played by Agents of Parliament, and also ensures their offices are properly funded.
  • Currently there is an inherent conflict of interest where the OPC scrutinizes Government compliance with privacy laws and relies on that same government for funding.
  • A funding mechanism that ensures stable and adequate funding to address emerging issues rapidly would be preferable to the current process.
Background
  • A letter to PCO dated January 31, 2019 was sent by the Agents of Parliament seeking an alternative to the existing Funding Mechanism process.
  • Not all Agents of Parliament have the same funding mechanism. The Parliamentary Budget Officer, for example, has the ability to request funds directly from the Speaker of the House and Senate.
  • In 2005, an Advisory Panel pilot project was launched to test a proposed new funding and oversight model for Agents of Parliament.
    • This panel had been convened in response to concerns that independence from government may be compromised by the fact that Treasury Board determines the amount of funding available to the Agents of Parliament.
  • The 2008 Corbett report concluded that the pilot project was a success and should be made permanent, given it achieved the key objective of reducing the perception of conflict of interest that was inherent in the pre-existing process.

Prepared by: Corporate


Resource Implications of C-27

Key Messages
  • C-27 expands existing responsibilities for the OPC and introduces new ones while also granting some discretion in how they are exercised.
  • Funding was assigned to the OPC in the 2020 Fall Economic Statement for the implementation of the former Bill C-11, and more recently, as part of Budget 2023 for the ramping up phase of Bill C-27.
  • These funds will help us to prepare for the coming-into-force of the legislation and deliver on our new responsibilities.
  • However, these funds are not sufficient to permanently address new activities as well as chronic underfunding of existing activities, preventing our Office from appropriately dealing with the full volume/complexity of issues emerging which significantly impact the privacy rights of Canadians.
Background
  • The 2020 Fall Economic Update allocated the following total funding for the OPC to “support the implementation and enforcement of private sector legislation”:
     
    2020-21 | 2021-22 | 2022-23 | 2023-24 | 2024-25 | 2025-26
    [Redacted] | [Redacted] | [Redacted] | [Redacted] | [Redacted] | [Redacted]
  • Budget 2023 set aside additional temporary funding meant to support our Office in implementing new mandate obligations in the first few years of the new law.
    2023-24 | 2024-25 | 2025-26 | 2026-27 | 2027-28
    2M | 4M | 4M | 3M | 2M
  • Our current estimate for the total implementation cost of Bill C-27, including addressing existing underfunding, is approximately $25 Million (excluding the Employee Benefit Plan) in additional funding – more than twice what has been allotted in permanent funding in the Fiscal Framework.

Prepared by: Corporate


Funding for Privacy Act Extension Order

Key Messages
  • In July 2022, applicability of the Privacy Act was extended to allow foreign nationals to make requests and complaints to my Office. Previously, only Canadian citizens and those present in Canada had such rights.
  • So far, my Office has received a modest number of complaints as a result of the Extension Order – approximately 50 in total.
  • One-year temporary contingency funding has been earmarked for the OPC in 2022-23 should a significant increase in complaints stemming from the Extension Order materialize.
Background
  • The Privacy Act Extension Order was published on July 14, 2021, with a coming into force date of July 2022. At the time, it was expected that there would be a significant increase in personal information requests (hundreds of thousands) across government departments, particularly at IRCC.
  • We also anticipated a significant rise in complaints against IRCC (thousands). This has not yet materialized. We continue to monitor the situation and would anticipate increasing volumes as unsatisfied requests made under the Order evolve into complaints.
  • Working with IRCC, temporary (one year) contingency funding was set aside for the OPC, which can be accessed if we see a marked increase in complaints.
  • The OPC will engage with the department of Finance to determine how best to address the increase in requests which may eventually become unmanageable within the OPC’s limited resources.
  • For Commissioner Info Only: [Redacted]

Prepared by: Compliance / Corporate


Budget 2023

Key Messages
  • The OPC received temporary funding over five years specifically to help our Office prepare for the coming-into-force of Bill C-27 and deliver on our new responsibilities.
  • Our Office also received temporary funding over two years to deal with a growing number of reported privacy breaches and to tackle the complaints backlog as the OPC experienced an increase of complaints during the pandemic.
  • We welcome the additional funding, and we are confident we will put it to good use once again, to better serve Canadians.
  • However, these funds are not a permanent solution. In order to appropriately deal with the full volume and complexity of privacy issues we have experienced over the last few years, we would require the breaches and backlog funding to be made permanent.
Background
  • Budget 2023 set aside temporary funding meant to support our Office in implementing new mandate obligations in the first few years of the new law.
    2023-24 | 2024-25 | 2025-26 | 2026-27 | 2027-28
    2M | 4M | 4M | 3M | 2M
  • Budget 2023 also included a $6M allocation to the OPC (over the next two fiscal years) expressly to deal with a growing number of reported privacy breaches, and the complaints backlog.
  • Budget 2019 provided $1.1M for two years to enable the OPC to tackle its backlog of complaints older than 12 months.
    • By March 2021, the Office had reduced its overall backlog by 91%, exceeding its target of 90% reduction.
    • Since the end of the temporary funding, the backlog of complaints has started to grow again.

Prepared by: Corporate


Staffing and HR

People Management

Key Messages
  • A key priority for the OPC is to foster a respectful, safe, healthy, collaborative, and flexible work environment to empower our people to achieve ambitious goals in the delivery of our services to Canadians.
  • We continue our efforts to achieve substantive equality of both French and English in the workplace and full respect for linguistic rights of the public and employees.
  • We continue working towards strengthened employment equity, diversity, accessibility, and inclusion to leverage the full talents of our people and produce better results for Canadians.
Background
  • Human Resources Strategic Plan: The OPC will develop a new integrated human resources plan in the coming year. This plan will continue to outline how the OPC will deliver an inclusive, diverse, and supportive work environment and opportunities that attract, develop, and retain talent to meet evolving organizational needs.
  • Official Languages: The OPC is implementing the last year of its 2021-2024 Official Languages Strategic Plan, which focuses on achieving substantive equality of both French and English in the workplace and full respect for linguistic rights of the public and employees. Mandatory commitments in the Performance Agreements of employees have been added, such as promoting and fostering substantive equality of official languages within the OPC.
  • Employment Equity, Diversity and Inclusion: The OPC is implementing the last year of its 2021-2024 Employment Equity, Diversity and Inclusion Strategic Plan, which focuses on fostering a welcoming, inclusive, diverse, and respectful workplace for all. Mandatory commitments and measures in the Performance Agreements of employees have been added, such as to establish, promote and foster diversity, equity and inclusion within OPC.
  • Hybrid Work Model: The OPC has implemented a hybrid work model to support a modern, high-performing, agile and collaborative post-pandemic work environment, and contribute to governmental sustainability goals.

Prepared by: Corporate Management


OPC Response to COVID

Key Messages
  • Our Office responded quickly and effectively to the challenges brought on by the pandemic by shifting almost all staff to remote work as they maintained operations.
  • We ensured that our IT systems ran securely and smoothly, allowing us to continue to offer our services to Canadians without interruption.
  • We saw a considerable increase in our interactions with public and private sector institutions as they sought our advice on the privacy implications of initiatives related to the pandemic.
  • The OPC has now shifted toward a hybrid work environment that values in-person interactions and is based on a people-centric approach that supports efficiency, flexibility and work-life balance through workplace and work arrangement optimizations.
Background
  • Effective communications: Sustained, open and frequent communications and feedback with employees in both official languages simultaneously, as well as constructive and meaningful discussions with management and key internal partners/agents of change have fostered greater trust and engagement as we continue our journey to the Future of Work.
  • Workplace protocol: In response to the COVID-19 pandemic, we have continuously updated our workplace protocols and guidance based on PHAC and central agencies advice to ensure the continued health and safety of staff and visitors.
  • Return to the Office: The OPC has implemented a hybrid workplace model, where employees work in-person a minimum of 40% of their monthly schedule. Employees remain connected virtually and in-person to meet the OPC’s organizational objectives.

Prepared by: Corporate


Finding Efficiencies

Key Messages
  • In recent years, the OPC has undertaken several initiatives to ensure our limited resources and activities are optimized to deliver results for Canadians.
  • These included undergoing a restructuring, introducing the Departmental Results Framework in 2018-19, and using our powers more strategically.
  • We continually look for ways to leverage technology to deliver services to Canadians and increase the efficiency of our operations.
Background
  • Results focus: We introduced our Office’s new Departmental Results Framework in 2018-19, redefining our desired outcomes and how we measure results achieved. We shifted our approach to privacy protection, putting greater emphasis on citizen empowerment and proactively and constructively engaging with public and private sector organizations.
  • Use of powers: We made strategic use of our formal powers, including to conduct Commissioner-initiated investigations, which allows us to achieve better protection of Canadians’ privacy rights within the current legislative framework.
  • Restructuring: We undertook a full review of our organizational structure to ensure our activities and limited resources are optimally aligned to deliver results for Canadians. Our work now falls into one of two program areas: Compliance (activities related to addressing existing compliance issues, including proactive enforcement) and Promotion (activities aimed at bringing departments and organizations towards compliance with the law). This ensures greater clarity of roles and alignment of responsibilities. Further, we developed a business intelligence capacity to continue to improve how we allocate our resources.
  • Digital transformation: We continued the implementation of our digital strategy, including leveraging cloud services where it makes sense to do so, and enabling a hybrid work model.

Prepared by: Corporate Management


Departmental Results Framework (DRF) Results

Key Messages
  • We have deliberately set the bar high. Our objectives are ambitious as we feel we must be bold in our aspirations given the interests at stake for Canadians.
  • In 2021-22 we reoriented our work and prioritized resources towards preparing our Office for the anticipated changes to our mandate, while also working towards the achievement of our Departmental Results Framework targets.
  • Our efforts and the infusion of resources have allowed us to make progress as we continue our work to meet all targets.
Background

The most recent results publicly available are for 2021-22 (Full Departmental Results Report in Annex):

  • 4 targets met:
    • Percentage of formal OPC recommendations implemented by departments and organizations 86% (target at least 85%);
    • Percentage of Canadians who read OPC information and find it useful 73% (target at least 70%);
    • Percentage of private sector organizations that have good or excellent knowledge of their privacy obligations 86% (target at least 85%); and,
    • Percentage of federal and private sector organizations that find OPC’s advice and guidance to be useful in reaching compliance 76% (target at least 70%).
  • 1 target missed: Percentage of complaints responded to within service standards 47% (target at least 75%).
  • 2 indicators had no target: The 2 indicators that measure our guidance to businesses and information to Canadians on key privacy issues had no target, considering the possibility of a transformed legal framework and the fact that our guidance is grounded in legislation and could quickly become outdated following such reform.
  • At the program level, the OPC met 3 of its 8 targets. Program-level results are published and available on GCInfobase. (See Annex).

Prepared by: Corporate


Hybrid Work

Key Messages
  • The pandemic has given us an opportunity to modernize our work environment with a greater focus on in-person collaboration in a hybrid work model to deliver a high level of service to Canadians.
  • The TBS direction on the prescribed presence in the workplace has been fully implemented since March 31, 2023. The OPC is now formalizing its hybrid work guidelines in accordance with the direction and the OPC employees’ valuable comments received through engagement activities.
  • As a result of a service agreement, the OPC will have access at the beginning of May 2023 to the TBS digital application, myWorkArrangements, which will allow better management of work arrangements.
Background
  • Future of Work: The OPC is implementing a hybrid work model in line with the Direction on prescribed presence in the workplace to support a modern, high-performing, agile and collaborative post-pandemic work environment, and contribute to governmental sustainability goals.
  • Work arrangement guidelines: OPC is formalizing its work arrangement guidelines and related tools to support the Future of Work.
  • Physical environment: In terms of the modernization of the physical environment, efforts continue to transform 30 Victoria Street into a hybrid workspace with approximately 90% of unassigned seating.
  • Technology environment: The OPC continues to adapt its IT environment to support the hybrid model by optimizing bandwidth consumption (videoconferencing quality throttling, VPN split tunnelling, etc.), enhancing cybersecurity (i.e., additional monitoring and prevention mechanisms) and integrating existing videoconferencing technologies with MS Teams.
  • Office Entry App: The OPC introduced a tool for workstation reservations.
  • Occupancy: The current average daily attendance varies between 15-20%.

Prepared by: Corporate


PSAC Strike

Key Messages
  • The OPC was significantly impacted by the PSAC strike with 118 employees in the PA group who were in a legal strike position. This represents 66% of OPC employees.
  • A contingency plan was developed and put in place ensuring the continuity of our operation, albeit at reduced capacity.
  • Impact on business included delays in fulfilling our mandate, mostly conducting investigations, and reviewing breaches under the Privacy Act and PIPEDA, providing advice to public sector institutions and businesses, and providing information and responding to requests for information from Canadians.
Background
  • Strike contingency plans were in place for both offices (Gatineau and Toronto).
  • Internal strike management committees had regular and ongoing meetings, monitored strike activities, and reported to TBS daily.
  • A strike security plan was developed and focused on ensuring that employees were safe, that information and assets were properly secured, and access to 30 Victoria for employees required to work onsite was maintained throughout job and strike actions.
  • Employees were reminded of their responsibility to abide by the Values and Ethics Code for the Public Service.

Prepared by: Corporate


B) Compliance

Investigations

Privacy Act Ongoing Investigations and Engagements

Key Messages
  • The OPC has ongoing investigations regarding:
    • the RCMP’s Project Wide Awake, involving social media monitoring and other surveillance techniques;
    • Cyber-attacks of CRA online accounts and the Government GCKey system that occurred in 2020; and,
    • A cyber incident which affected the National Security and Intelligence Review Agency’s external-facing network that housed both unclassified and protected information.
  • The OPC has an ongoing engagement with FINTRAC, RCMP and CSIS with respect to how the institutions handled personal information within the context of the Emergencies Act.
Background
  • Section 63 of the Privacy Act prevents me from sharing the details of ongoing investigations.
  • I can say that in April 2021, NSIRA posted on its website that it experienced a cyber security breach linked to the exploitation of Microsoft Exchange vulnerabilities. It also noted that the incident did not affect NSIRA’s classified systems and stated that it would work with the OPC and TBS on any privacy issues. In response to a media inquiry, the OPC confirmed that it was investigating.
  • Regarding our engagement on the Emergencies Act, we submitted and published a brief to the Special Joint Committee on the Declaration of Emergency on January 23, 2023. We are currently finalizing our report and plan to publish our findings and observations in the Spring of 2023.

Prepared by: Compliance


PIPEDA Ongoing Investigations

Key Messages
  • TikTok: In February, we commenced a joint investigation, with privacy authorities in Quebec, Alberta and BC, to examine whether TikTok obtains valid consent, in particular for its many younger users.
  • ChatGPT: We recently commenced an investigation into OpenAI’s compliance with PIPEDA, in relation to its information handling practices via ChatGPT, its AI-driven text generation service.
  • MindGeek: We are nearing completion of our investigation into the collection, use and disclosure of intimate images by MindGeek via its numerous websites, including PornHub.
  • Give-Send-Go: We are currently investigating the February 2022 breach, via the Give-Send-Go crowd funding website, of so-called “Freedom Convoy” donors’ personal information.
  • Where investigations are ongoing, due to confidentiality obligations, I cannot provide further details.
Background
  • We are aiming to complete the TikTok investigation by February 2024.
  • The Commissioner commenced an investigation into OpenAI’s ChatGPT pursuant to ss. 11(2) of PIPEDA, to expand the scope of our prior investigation (being conducted in response to an individual complaint in relation to consent) to cover the additional issues of: appropriate purposes; transparency; access and accuracy; and accountability.
  • The Give-Send-Go investigation, submitted by Conservative MP James Bezan, was commenced in April 2022 and is ongoing.
  • We are nearing completion of an investigation into a tenant rating agency, a matter which was followed up on by an NDP MP on behalf of the complainant, a constituent. We note as well that we are seeing a trend of complaints in relation to tenant rating agencies and are considering further investigations.

Prepared by: Compliance


COVID Special Report to Parliament / Pandemic-related Investigations

Key Messages
  • The OPC is in the process of finalizing reports of finding on investigations of complaints received in late 2021 and 2022 regarding:
    • COVID-19 vaccination requirements introduced by the federal government for domestic travel by plane and train, entry into Canada and for federal public service employees;
    • The Public Health Agency of Canada’s use of deidentified cell phone mobility data in the context of the pandemic; and,
    • An error in the ArriveCan app in June-July 2022 that caused erroneous quarantine notifications to be sent to certain travellers.
Background
  • The investigations examine whether the collection, use, disclosure and, in the case of the ArriveCan error, accuracy of personal information under these programs were compliant with the obligations of the Privacy Act.
  • Further to Section 63 (PA) and section 20 (PIPEDA), the OPC must conduct investigations in confidence which precludes us from sharing further details at this time.
  • We plan to publish the reports of findings in the coming weeks and will share them with this Committee once available, if interested.

Prepared by: Compliance


ChatGPT

Key Messages
  • In April of this year, my Office commenced an investigation into the practices of OpenAI, in relation to its ChatGPT service.
  • The complainant alleged that the company collected (“scraped”), used, and disclosed their personal information for the purpose of its commercial text generation service, without their consent.
  • As this is an ongoing investigation, I am limited as to what I can share at this time.
  • That said, AI technology, and this investigation, are priorities for my Office, as we seek to ensure that AI is developed and deployed in a responsible, privacy-preserving manner.
Background
  • ChatGPT is a natural language processing tool, or chatbot, driven by AI technology. The language model can answer questions and assist users with tasks such as composing emails and essays.
  • Data protection authorities around the world, including various European authorities, have commenced, or are considering investigations into ChatGPT.
    • The Italian Garante had issued a temporary ban on ChatGPT, which was lifted when OpenAI met certain conditions (to address various data protection issues, such as algorithmic transparency, lawful basis for processing and accuracy). Spain has also launched an investigation.
    • The European Data Protection Board launched a dedicated task force on ChatGPT, to "exchange information on possible enforcement actions".
  • Following the announcement of our investigation at the IAPP Global Summit on April 4, 2023, several authorities have expressed interest in discussing the matter with our Office, within legal limits.
  • As a member of the Global Privacy Assembly’s AI Working Group, we are exchanging information and learning from the experiences of our counterparts.
  • As a co-chair of the Global Privacy Assembly’s International Enforcement Cooperation Working Group, we organized a “closed enforcement session” for member authorities to discuss enforcement in relation to ChatGPT.

Prepared by: Compliance


Compliance Backlog

Key Messages
  • The temporary funding provided in Budget 2019 that enabled us to reduce our backlog of complaints older than 12 months by 90% expired at the end of FY 21/22.
  • Since then, our backlog has been increasing, resting at 15% (101) at the end of FY 21/22 and at 24% (239) at the end of FY 22/23. The current backlog relates in part to delays in complaint processing.
  • To address this, we have conducted a diagnostic examination and will be implementing further efficiency and process improvements. However, without adequate on-going funding and legislative changes that would provide the OPC with investigatory discretion, we can expect backlogs to continue.
  • A high backlog rate represents increased risks and negatively affects Canadians and the protection of their privacy rights.
Background
  • Additional backlog reduction measures included: conduct of more summary investigations, Advisory Letters, risk adjustments and streamlined investigations.
    Backlog of Investigations over 12 months
    FY | PA Backlogged cases | PIPEDA Backlogged cases | Total Backlogged cases
    2018/19 | 260 | 64 | 324
    2019/20 | 115 | 52 | 167
    2020/21 | 14 | 15 | 29
    2021/22 | 73 | 28 | 101
    2022/23 | 215 | 24 | 239
  • The new backlog is the accumulation of complaints at Intake. At its peak, 808 files were at Intake awaiting action, dropping to 183 at the end of FY (77% reduction). The number of unassigned complaints at intake in FY 22/23 dropped from a peak of 522 to 0 at the end of fiscal year (100% reduction).

Prepared by: Compliance


Breaches

Compliance Breach Statistics and Trends

Key Messages
  • S. 10.1(1) of PIPEDA and TBS privacy policies require institutions to report breaches to my office where there are real risks of significant harm to an individual. These reports are an important tool for tracking privacy risks to Canadians.
  • Together, the federal public and private sectors submitted just under 1,000 breach reports affecting close to 12 million Canadians (some being impacted by multiple breaches).
  • 40.8% of PIPEDA breach reports cited cyber attacks resulting from malware, compromised credentials, hacking or phishing schemes. Of these, Canada’s financial sector and businesses offering professional services were the hardest hit.
  • The number of breach reports citing cyber attacks against critical infrastructure companies has been increasing over the past 3 years, with 44 reports received this year.
  • On the public sector side, we remain concerned about under-reporting as we continue to receive the majority of breach reports from the same federal institutions (e.g., ESDC, CRA, CSC). Yet many other personal information rich institutions have reported few or no privacy breaches. This trend may continue absent a legislated requirement.
Background
  • C-26 will require federally regulated industries providing vital services (e.g. telcos, banks, transportation) to report cyber incidents to the Communications Security Establishment.
    BREACHES REPORTED to the OPC
    FY | PIPEDA | PA | Total | Critical infrastructure breaches
    2022-23 | 681 | 298 | 979 | 44
    2021-22 | 645 | 463 | 1,107 | 25
    2020-21 | 782 | 280 | 1,062 | 11

Prepared by: Compliance


C) Promotion

Communications

Communications Statistics and Trends

Key Messages
  • The Communications Directorate supports the Office’s efforts to promote public awareness and understanding of privacy issues.
  • In 2022-23, we
    • received 4,325 information requests;
    • gave 57 speeches / presentations;
    • published 59 news releases and announcements;
    • distributed almost 20,000 publications; and
    • answered 226 media requests.
  • Over the year, we saw our LinkedIn followers grow significantly from 18,537 to 27,545.
  • There were more than 3 million website visits, and some 4,300 blog visits.
Background
  • Our work involves raising awareness of privacy rights and providing information to individuals.
  • It also includes work to raise awareness of privacy obligations among federal public servants and private businesses.
  • Some of our activities include media relations, public opinion polling, publishing content on our website, and using social media to reach key audiences.
  • Types of requests:
    • Most requests are from individuals on issues such as whether organizations are over-collecting information or using it without consent.
    • 7% of requests are from private-sector organizations on topics such as safeguarding personal information, breach notification requirements, and compliance with Canada’s anti-spam legislation.

Prepared by: Communications


Technology Analysis

Technical Advisory Statistics and Trends

Key Messages
  • TAD is committed to supporting the OPC's efforts in evaluating the privacy impacts of technology. Our IT analysts possess advanced technological skills that are essential in ensuring the safe and secure use of digital technologies for Canadians.
  • TAD utilizes its laboratory to enhance its technological capabilities in the analysis of malware, hardware components, mobile applications, IoT devices, and digital forensics.
  • TAD provides ongoing support for research and cases related to emerging technologies such as artificial intelligence, biometrics, digital ID, and privacy-enhancing technologies like de-identification, in addition to cybersecurity.
  • From April 2022 to March 2023, TAD received 115 new technological requests for support:
    • 49% for Policy and Promotion
    • 37% for Compliance
Background
  • TAD provides support to both Policy & Promotion and Compliance (including CASL activities). It conducts analysis of emerging technologies using its lab and engages in cross-departmental collaboration within the Government of Canada.
  • TAD continues to provide support for various investigations and breaches and government initiatives related to technology, privacy, and cyber threats.
  • Through the publication of various blog posts, the Directorate also aims to raise awareness among Canadians about the privacy implications of technology. For example, the Directorate has published blog posts focusing on privacy-enhancing technologies, including on the use of synthetic data, as well as algorithmic fairness.

Prepared by: TA


Business Advisory

Business Advisory Key Activities

Key Messages
  • BA provides specific advice to companies subject to PIPEDA, to help them proactively address privacy risks when adopting new technologies and business models, and to ensure their personal information management policies and practices comply with law.
    • Engaging with businesses early mitigates privacy risks, and also provides regulatory predictability for responsible innovation.
  • 54% of business advisory engagements involved small and mid-sized enterprises (SMEs), a consistent year-over-year proportion.
    • Our work with SMEs is critical, given their resource constraints, and pivotal role in economic growth and national prosperity.
  • Most organizations, irrespective of sector, using our advisory services had data and technology-intensive initiatives/practices.
Background

Program: conducted 15 advisory engagements and 72 promotional activities (exhibits, presentations, stakeholder meetings, targeted compliance promotion sessions etc.)

  • Privacy Clinics for SMEs: undertook wide-ranging work in relation to Privacy Clinics, in collaboration with innovation hubs in Ontario, across Atlantic Canada and in the North, to provide privacy advice to start-up and scale-up businesses.
  • To develop relationships and leverage Privacy Clinic hosting opportunities, had engagements with innovation-acceleration hubs and business networks supporting innovating SMEs and entrepreneurs in remote areas and BIPOC communities.

Key Trends:

  • Public-Private: BA saw a growing number of advisory consultation requests and conversations on initiatives involving private and public/non-commercial parties, in areas such as: sex trafficking, fraud detection, identity verification, suicide prevention.
  • Acceleration: technological acceleration and rapid adoption of new technologies was reflected in BA advisory and promotional work. Areas included: neurotech, healthtech, fintech, retail, marketing, transportation, public safety etc., led mostly by uptake and deployment of surveillance tech, cloud computing and algorithms.

Prepared by: BA


Government Advisory

Government Advisory Key Activities

Key Messages
  • GA provides advice and recommendations to federal bodies through advisory consultations and the review of PIAs for a wide variety of initiatives ranging in risk and complexity from social benefit provision to law enforcement, national security and border control programs.
  • GA also reviews Information Sharing Agreements, notifications of public interest disclosures and other institutional documents.
  • GA is the main point of contact for consultations with TBS and provides input from relevant areas within the office during the development of central policies, directives, and standards.
  • We also engage proactively with institutions through our popular outreach sessions on various privacy-related topics.
Background
  • COVID-19: Throughout the pandemic, GA consulted closely with federal government institutions on COVID-19 related programs and activities including broadening the use of technologies and processes – originally developed to respond to the initial crisis period of the pandemic – for ongoing border and immigration processes not related to COVID.
  • Biometrics and Facial Recognition: We continued to consult on initiatives involving use of biometrics and facial recognition. We are seeing expanded and new uses being trialed related to facilitating ease of travel and immigration.
  • Surveillance Technologies: We appeared before this Committee in August 2022 on your study of the RCMP’s use of On-Device Investigative Tools, and continue to engage with the RCMP on this issue. We expect a PIA this summer.
  • TBS: We have engaged heavily with TBS over the past year, including coordinating and providing recommendations and comments on numerous significant files such as the Data Strategy, Hybrid Work/Return to Office, the Directive on Automated Decision-Making, and the Privacy Practices Manual. We hosted 4 Outreach Sessions this year, including a PIA 101 session.

Prepared by: GA


Government Advisory Statistics and Trends

Key Messages
  • In 2022-23, GA received over 100 PIAs, undertook 73 consultations, and offered 4 outreach sessions, reaching more than 1,000 federal staff.
  • The high volume of PIAs received demonstrates how many initiatives across government impact privacy. The high demand for our help through early consultation indicates our advice is valued, and may also point to a lack of internal privacy expertise in government institutions.
  • Our goal is to mitigate privacy risks before the launch of programs and to increase transparency with respect to government uses of personal information.
Background
  • Advisory Consultations: GA opened 73 new consultation files in 2022-23 for a wide range of activities, including those surrounding CBSA’s Traveller Modernization Initiative and the RCMP’s use of Body Worn Video.
  • PIAs: We received 110 PIAs, all of which were triaged and reviewed according to risk.
  • Letters of Advice: We issued 53 letters of advice following consultations and 21 recommendations following PIA review. There is a continued high level of engagement from departments with a corresponding enhanced ability from them to address privacy issues earlier in the process, which is evident in an overall higher quality of PIAs being received by the Office.
  • Notifications: GA received 761 notifications of disclosures of personal information in the public interest, or in circumstances that benefited the individual in 2022-23, up from 749 in 2021-22, and 491 in FY 2020-21.
    • This continues the trend we’ve seen of large numbers of public interest disclosures over the past few years. Given that departments have the discretion to make these releases under the law, OPC’s role is limited to helping to ensure each circumstance is evaluated on its merits.

Prepared by: GA


International Collaboration

International (General)

Key Messages
  • Stronger global privacy rights and partnerships with international privacy enforcement authorities help to ensure Canadians’ personal information remains protected when it is sent outside of Canada’s borders for processing.
  • OPC cooperates with our international counterparts to leverage resources, develop common policy positions, share best practices, and more effectively enforce privacy laws globally.
  • We achieve this by taking part in international fora, adopting joint resolutions, issuing joint statements and through enforcement collaboration with our counterparts.
Background
  • Global Privacy Assembly (GPA):
    • Chair of Data Protection and Other Rights and Freedoms WG (DPORF)
    • Co-chair of the Digital Citizens and Consumers Working Group (DCCWG) and International Enforcement Cooperation Working Group (IEWG)
    • Member of GPA working groups: Ethics and Data Protection in AI; Digital Education; Global Frameworks and Standards; Metrics; and FRT Sub-Group.
    • Sponsor of the 2022 Resolution on Principles and Expectations for the Appropriate Use of Personal Information in Facial Recognition Technology and Co-sponsor of 2022 Resolution on Capacity Building for Improving Cybersecurity Regulation and Understanding Cyber Incident Harms.
  • Other regulator networks: 1) G7 Roundtable of Data Protection and Privacy Authorities; 2) Global Privacy Enforcement Network (GPEN) – on Executive Committee; 3) Asia Pacific Privacy Authorities (APPA) Forum; 4) Association francophone des autorités de protection des données personnelles (AFAPDP); 5) Common Thread Network (CTN); 6) Berlin Working Group.
  • Participation in International Government fora: 1) APEC Data Privacy Subgroup (DPS); 2) Global Cross Border Privacy Rules (CBPR) Forum; 3) OECD Working Party on Data Governance and Privacy in the Digital Economy (DGP)

Prepared by: PRPA


Enforcement Collaboration

Key Messages
  • In the digital economy, protecting privacy against global risks is a common goal amongst Data Protection Authorities.
  • Collaborating with our international partners on enforcement activities allows regulators to expand their capacity to take action and amplify the impacts of those actions.
  • Our office is a leader in enforcement collaboration, playing a key role in fora such as the Global Privacy Assembly, the Global Privacy Enforcement Network, and the Asia Pacific Privacy Authorities network.
  • Key collaborative enforcement actions last year included the release of joint findings in Tim Hortons and commencing a joint investigation into TikTok.
Background
  • GPA: We chair:
    • the International Enforcement WG, which aims to foster greater enforcement collaboration;
    • the Digital Citizen and Consumer WG, which advocates for greater cross-regulatory cooperation between the privacy, consumer protection, and competition regulatory spheres; and
    • the Data Protection and other Rights and Freedoms WG.
  • GPEN: We sit on the Executive Committee, host the website and introduced the annual Global Privacy Sweep.
  • APPA: Active membership; we develop partnerships, discuss best practices, and share information on emerging technologies and changes to privacy regulation.
  • DECF: We chair the Domestic Enforcement Collaboration Forum, which facilitates information sharing and collaborative enforcement amongst our office and those in AB, BC and QC (who recently joined our MOU with AB and BC).
  • Recent non-formal enforcement examples: The IEWG has undertaken several joint activities towards enhancing global privacy compliance such as Credential Stuffing guidance; development of FRT principles; and ongoing work regarding Adtech and data scraping.

Prepared by: Compliance


Public Outreach and Guidance

Contributions Program

Key Messages
  • With an annual budget of $500,000, the Contributions Program funds independent research and public education initiatives to develop expertise and understanding on a range of privacy issues related to PIPEDA.
  • These projects generate new information and understanding to help organizations better safeguard personal information and assist Canadians in protecting their privacy in the commercial sector.
  • The Program was created in 2004 and since then it has allocated approximately $8 million to over 180 projects.
  • Last year, the call’s theme was “Who is impacted and how: assessing and mitigating privacy risks, barriers and inequalities.” 11 projects out of 44 proposals were selected for funding.
  • This year’s theme is “The future is now! Assessing and managing the privacy impacts of immersive and embeddable technologies.” Recipients will be announced shortly.
Background
  • Program Focus: Funded projects help advance the Office’s privacy priorities, which focus mainly on responding to Canadians’ concerns about privacy. All projects must be PIPEDA focussed, as the Program exists under that Act.
  • Funding: All projects are evaluated on the basis of merit by OPC subject matter experts and occasionally, when required to validate our assessments, by external peer reviewers. Most years up to $50K is allocated per project and a maximum of $100K per recipient organization.
  • Program terms: The Terms and Conditions of the Program were renewed by the Minister of Justice in 2020-21 for five years. The full list of projects that have received funding can be seen on the OPC website, as well as summaries of all completed projects from prior years.

Prepared by: PRPA


Guidance Development

Key Messages
  • The guidance we issue is fundamental to our role in effectively promoting compliance with the law and helping individuals in exercising their privacy rights.
  • We see increasing demand from organizations for advice and guidance on their privacy obligations, and with the prospect of law reform, we anticipate an even greater need from organizations for consistent guidance on how they can comply with privacy law.
  • My Office is currently modernizing our processes for developing guidance with this in mind.
  • We were pleased to see that the Department of Justice is envisioning a similar role for us in relation to the public sector in a reformed Privacy Act.
Background
  • The Office has conducted international benchmarking to analyze how other DPAs develop guidance. This research has informed our plans for guidance development processes that are evidence-based, forward-looking, and will result in guidance that will provide practical, concrete, user-friendly and accessible advice to the end user.
  • In addition to preparing for law reform, we are also finalizing draft guidance on the use of biometrics for authentication and identification for the public and private sectors, which will be ready for public consultation later this fiscal year.
  • In its paper on modernization of the Privacy Act, Justice Canada proposes that the OPC have the authority to engage in public education and to issue guidance on the interpretation and enforcement of the Act, while ensuring consultation with the Government in its development.
  • S. 110(1) of C-27 would require that the Commissioner consult with stakeholders, including any relevant federal government institutions, when developing guidance materials and tools for organizations in relation to their compliance with the Act.

Prepared by: PRPA


D) In the Courts

In the Courts: Facebook

Key Messages

  • In February 2020, we initiated an application pursuant to s. 15 of PIPEDA in Federal Court in which we sought a binding order from the Court to require Facebook to correct its privacy practices to comply with PIPEDA.
  • The Application followed our investigation which found that Facebook had failed to obtain meaningful consent and failed to implement adequate safeguards to protect user information.
  • Facebook responded by filing a judicial review, challenging the investigation and the OPC’s resulting Report of Findings.
  • On April 13, 2023, the Court issued decisions in both matters:
    • It dismissed Facebook’s application for judicial review finding that the OPC had not breached its procedural fairness obligations.
    • The Court also dismissed the OPC’s application, finding that there was insufficient evidence to conclude that Facebook had failed to obtain meaningful consent from users, and that Facebook’s safeguarding obligations end once information is disclosed to third-party applications.
  • The OPC initiated the Application under section 15 to protect Canadians’ privacy and with this in mind, we will be reviewing the Court’s decision to determine the best way forward.

Background

  • Investigation: The investigation concerned Facebook’s compliance with PIPEDA, in relation to the “This is Your Digital Life” App and Cambridge Analytica, a UK political consulting firm.
    • The OPC’s April 2019 Report of Findings found that Facebook contravened the fair information principles relating to consent, safeguards, and accountability, and with respect to Users’ downloads of the App after June 18, 2015, Facebook failed to obtain meaningful consent per s. 6.1 of PIPEDA.
  • Next Steps: The deadline to appeal the Court decisions is May 15, 2023.

Prepared by: Legal


In the Courts: Google

Key Messages

  • In 2018, the OPC filed a reference with the Federal Court seeking clarity on whether Google’s search engine is subject to federal privacy law when it indexes and displays search results in response to a search for a person’s name.
  • The Federal Court issued its decision in 2021. The Court found that PIPEDA applies to Google’s search engine service because it collects, uses and discloses personal information in the course of commercial activities, and it is not exempt from PIPEDA by virtue of the journalistic purposes exemption.
  • Google appealed the decision. The appeal was heard by the Federal Court of Appeal in October 2022 and the Court’s decision remains pending.
  • The reference questions arose in the context of a complaint in which an individual alleged that Google contravened PIPEDA by prominently displaying links to news articles about him when his name is searched, alleging the news articles are outdated, inaccurate and disclose sensitive information.

Background

  • Draft Position Paper: In 2018, the OPC published a Draft Position Paper on Online Reputation as part of an ongoing consultation on how privacy law could address harms to individuals resulting from the increased exposure of personal information online. In it, we stated that we believe that PIPEDA applies to search engines and could allow for delisting of search results in certain circumstances.
  • The Draft Position Paper remains a draft and will not be finalized until the conclusion of the reference proceeding and the related complaint investigation.
  • The reference proceeding concerns two questions of statutory interpretation regarding whether PIPEDA applies to Google’s search engine. The Federal Courts’ decisions will not determine how PIPEDA applies to Google, including whether it requires delisting of the articles in question or more generally. That issue remains to be determined in the underlying investigation.

Prepared by: Legal


E) Bills and Legislative Amendments

Bill C-27

Key Messages

  • I welcome and am encouraged by the introduction of Bill C-27.
  • Bill C-27 addresses many of the concerns that were previously raised by my Office and other privacy experts, such as requiring that information used to obtain consent be understandable, and an expanded list of contraventions to which administrative monetary penalties may apply in cases of violations.
  • I look forward to providing my views to Parliament soon on how Bill C-27 can and must be further improved in a few key areas.
  • Our recommendations will aim to ensure that Canadians have privacy laws that recognize their fundamental right to privacy, while allowing them to participate fully in the digital economy, support innovation, and position Canada as a leader in this important and evolving area.

Background

Examples of positive developments:

  • Addition of a preamble to offer guidance on the law’s broader objectives.
  • Provisions to help protect the privacy of minors.
  • Expansion of personal information that individuals can request be disposed of.
  • Requirement that information to obtain valid consent be in understandable language.
  • Increased discretion to the OPC.

Selection of key OPC recommendations:

  • Recognize privacy as a fundamental right.
  • Protect children’s privacy and the best interests of the child.
  • Limit organizations’ collection, use and disclosure of personal information to specific and explicit purposes that take into account the relevant context.
  • Expand the list of violations qualifying for financial penalties to include, at a minimum, appropriate purposes violations.
  • Provide a right to disposal of personal information even when a retention policy is in place.

Prepared by: PRPA


Privacy Act Reform

Key Messages

  • While it is encouraging that private sector law reform is progressing, public sector law reform needs to follow suit.
  • To the extent appropriate given the different contexts, our federal privacy laws should be consistent with each other, as well as with other leading data-protection regimes globally.
  • Coherence between laws can provide predictability, enhance interoperability and ensure consistency of requirements in the event of public-private partnerships or cross-border data flows.

Background

  • Modernization effort: In March 2022, Justice Canada published a consultation report proposing a range of reforms for the Privacy Act that would see the law adopt modern data protection norms. Specific proposals that we favoured included:
    • A purpose clause for the Privacy Act recognizing the broad scope of the right to privacy as a human right,
    • Meaningful oversight, alongside quick, effective remedies, such as order-making power and expanded rights of recourse, and
    • An expanded definition of "personal information".
  • OPC recommendations: Our recommendations in response focussed on:
    • Artificial Intelligence: We recommended inclusion of a definition of automated decision-making, a right to meaningful explanation and human intervention, standards for the level of explanation required, and legal obligations for traceability.
    • Collection Threshold: We believe the “reasonably required” standard is workable and adds clarity while also aligning with principles of necessity and proportionality. On these aspects, we propose to strengthen specified purposes and proportionality.
    • “Publicly Available” Personal Information: We support the proposed definition which explicitly states that publicly available personal information does not include information where an individual has a reasonable expectation of privacy.
  • Status of initiative: there has been no public update on Justice Canada’s consultation page or modernization page since March 2022.

Prepared by: PRPA


Political Parties

Key Messages

  • Our Office has repeatedly called for political parties to be subject to privacy legislation, based on internationally recognized privacy principles, including an independent third party with authority to verify and enforce compliance.
  • We recently appeared before the Senate on amendments to the Canada Elections Act in Bill C-47 where we stressed that the proposal fails to impose specific privacy related requirements on political parties or to provide for independent oversight.
  • We reaffirmed our position that political parties should be subject to privacy obligations and that our Office should play a role to ensure the protection of privacy rights in this context.

Background

  • Bill C-47, Budget Implementation Act: includes amendments to authorize collection, use, disclosure, and retention of personal information by political parties and their affiliates in accordance with their own privacy policies. There are no provisions for adhering to specific privacy principles, nor for independent review, access, or complaints. We appeared on these provisions before the Senate Legal and Constitutional Affairs Committee on May 3, 2023.
  • 2019 Complaint: In August 2019, we received a PIPEDA complaint against the three major federal political parties. We concluded that PIPEDA did not apply to the activities of the political parties at issue in the complaint (e.g., targeted advertising to voters), as these were not “commercial” in character.
  • Other jurisdictions: Privacy laws in other jurisdictions such as British Columbia, the UK and EU apply to political parties, and others like Quebec are moving to do so (with coming into force of relevant provisions of Bill 64 in Sept. 2023).
  • Bill C-76: In 2018, Bill C-76 amended the Canada Elections Act to require limited privacy obligations (i.e., developing, registering, and publishing privacy policies). That obligation, however, imposed no new substantive protections for voter information or operational limitations on party use of personal information.

Prepared by: PRPA


S-12 (Sex Offender Registry)

Key Messages

  • Our office is currently engaged in a legislative review of S-12 to identify any privacy concerns.
  • Based on our initial review, S-12 does not appear to allow for the sharing of information regarding sex offenders with US authorities.
  • S-12 proposes several changes to the Sex Offender Information Registration Act, including how offender information is retained, and processes by which victims receive information.
  • I look forward to providing my views to Parliament should I be called when the Bill is being studied at committee.

Background

  • In the fall of 2022, The Globe and Mail reported on plans to introduce legislation that would allow the federal government to routinely notify US authorities when Canadian sex offenders travelled to the US.
  • Based on our initial review, S-12 does not appear to provide new legal authority for the sharing of information regarding sex offenders with US authorities.
  • However, based on comments by Senator Beverly Busson, we understand that travel notification provisions in S-12 will provide additional time for Canadian law enforcement to notify appropriate law enforcement partners as necessary to fulfil their existing obligations.
  • For Commissioner Info Only: [Redacted]
  • For Commissioner Info Only: [Redacted]

Prepared by: Legal


C-42 (Beneficial Ownership Registry)

Key Messages

  • I note that Bill C-42, which was tabled in the House in March, would amend the Canada Business Corporations Act to require the publication of information about “individuals with significant control over a corporation”.
  • My Office is currently engaged in a legislative review of C-42 to identify any privacy concerns.
  • We are aware of the recent decision of the Court of Justice of the European Union which found that the EU public beneficial ownership registry was not strictly necessary or proportionate and that access to the general public interfered with Articles 7 and 8 EU Charter rights.

Background

  • Bill C-42 would establish a public-facing registry that includes information about individuals with “significant control over a corporation.” The Bill builds on amendments introduced in the Budget Implementation Act, 2022 No.1, aimed at greater transparency.
  • The UK has had a public beneficial ownership directory since 2016. Quebec’s Act Respecting the Legal Publicity of Enterprises allows the public to consult an online corporate registry.
  • The EU and its Member States have publicly available corporate registries; however, in November 2022 the Court of Justice of the European Union invalidated the public registry on the basis that it was not necessary or proportionate and interfered with Charter rights.
  • During House Debate on April 28th, opposition parties noted their support for Bill C-42, but called for amendments to protect privacy rights in the registry. They did not suggest specific amendments. Parliamentary Speaker to the Leader of the Government in the House Kevin Lamoureux noted that the Government “…appreciates the privacy issues” raised and is aware of the CJEU decision.
  • ISED consulted our Office on the creation of a beneficial ownership registry in June 2022, and GA provided preliminary advice for their consideration.

Prepared by: PRPA and Legal
