In 2019, both the federal government and the Office of the Privacy Commissioner of Canada (“OPC”) called for modernization of Canada’s federal privacy laws.[1]
On May 21, 2019, the Minister of Innovation, Science and Industry announced the launch of Canada’s Digital Charter and associated proposals to modernize PIPEDA (the “Proposals”). On December 10, 2019, the OPC tabled its 2018 – 2019 Annual Report in Parliament (the “Report”). Both the Proposals and the Report suggest reforms which aim to balance the economic opportunities enabled by the digital era with the associated risks to individuals’ privacy rights. Although aligned in many respects, the publications do reveal differences of opinion between the federal government and the OPC regarding modernization of Canadian privacy laws. The question, then, is not whether modernization of Canadian privacy laws will occur, but how and when it will occur.
This article summarizes the approaches to modernizing PIPEDA suggested in the Proposals and the Report and highlights the similarities and differences between those approaches. While it is impossible to predict which reforms will become law, any modernization of Canada’s federal privacy laws will force organizations doing business in Canada to take a proactive approach to privacy compliance and trigger comparable reforms to provincial privacy legislation.
The Proposals
Data-driven technology fuels today’s global economy. In many ways, technology has improved the lives of Canadians and continues to present unique social and economic opportunities. However, technology also raises concerns about how organizations collect, use and disclose personal information and the ability of Canada’s privacy laws to protect individuals’ privacy rights. To balance the opportunities and risks presented by the digital era, the Proposals suggest modernizing PIPEDA to achieve three overarching goals:
- Enhance individuals’ control over their personal information without creating onerous restrictions for businesses;
- Encourage responsible innovation on the part of organizations; and
- Ensure an enhanced, reasoned enforcement model.
1. Enhancing individuals’ control
The Proposals contend that individuals do not have meaningful control over their personal information and privacy in today’s digital era. PIPEDA requires organizations to inform individuals of the purpose for the collection, use or disclosure of personal information and to obtain their consent to such collection, use or disclosure. However, in practice, complex data flows involving numerous parties negate individuals’ ability to fully comprehend what they are consenting to. To address this concern, the federal government suggests several reforms to PIPEDA, including:
- Requiring organizations to provide individuals with specific, plain-language information on the intended uses of personal information and the third parties with which information will be shared;
- Providing additional exceptions to consent to facilitate common uses of personal information for standard business activities;
- Providing an explicit right of “data mobility” that allows individuals to direct that their personal information be moved from one organization to another; and
- Enhancing the ability of individuals to maintain their online reputation by, among other things, providing all individuals with the explicit right to request deletion of personal information.
2. Enabling responsible innovation
New business models and emerging technologies rely on complex uses of information by a variety of entities. Canada’s business community has requested enhanced access to personal information for the development of innovative products and services. However, enhanced access to personal information must be balanced by increased accountability and higher standards of care. To balance the goals of innovation and protection of privacy, the federal government suggests the following reforms to PIPEDA:
- Permitting the establishment of “data trusts”, in which third parties manage databanks containing sensitive personal information and permit organizations to access the information without consent for certain limited purposes (e.g. research);
- Establishing a regime for use of de-identified/pseudonymized data; and
- Incentivizing the development and use of accredited codes and standards as a means of demonstrating compliance with PIPEDA.
3. Enhancing enforcement and oversight
The Proposals contend that the OPC’s limited powers and outdated enforcement mechanisms do not incentivize compliance with PIPEDA, especially when compared to “next generation” privacy laws in other jurisdictions such as the European Union. The federal government suggests enhancing enforcement and oversight of privacy laws by:
- Providing the OPC with increased discretion on whether to investigate complaints;
- Granting the OPC circumscribed order-making power in the form of cessation and records preservation orders; and
- Extending and substantially increasing the range of fines for offences under PIPEDA.
4. Areas of ongoing assessment
Although praised for its principles-based, technology-neutral drafting, PIPEDA has been criticized as difficult to interpret. As a result, it is difficult for organizations to understand their obligations and for individuals to understand the protections available to them. The Proposals suggest redrafting PIPEDA to clarify rights and obligations, but do not provide guidance on how the federal government intends to do so.
Currently, PIPEDA applies only to organizations engaged in commercial activities. In today’s digital era, a growing number of organizations are engaging in non-commercial data collection activities. The Proposals suggest an assessment of whether it may be appropriate to extend PIPEDA to these activities.
The Report
Like the Proposals, the Report suggests that modernizing Canadian privacy laws will balance the economic opportunities presented by the digital era with the associated risks to individuals’ privacy rights. However, unlike the Proposals, the Report argues that the starting point for achieving this aim is to ground new privacy laws in a rights-based foundation.
1. Defining the right to privacy in its broadest sense and recognizing the quasi-constitutional nature of privacy laws
The Report argues that privacy laws should define the right to privacy in its broadest sense in accordance with Supreme Court of Canada (“SCC”) jurisprudence. The SCC has recognized privacy to include a notion of anonymity – that one may act in public without being personally identified or subject to extensive surveillance. Recently, the SCC concluded that privacy is not an “all-or-nothing” concept and that being in a public place does not negate all expectations of privacy with respect to being observed or recorded. The SCC has also held that privacy is vital to an individual’s dignity, autonomy and personal growth, and thus that protection of privacy is a prerequisite to a free and healthy democracy. An appropriately broad definition of privacy, reflective of SCC jurisprudence, would recognize an individual’s rights to live and develop independently, free from unjustified surveillance, while still participating in the activities of a modern digital society. Moreover, recognizing the quasi-constitutional nature of privacy laws would confirm the protected status of privacy as established through SCC decisions.
The Report rejects the notion that a rights-based approach to privacy law would impede economic growth. By contrast, a rights-based approach would promote trust in commercial activities and ensure that Canada remains competitive with jurisdictions with heightened privacy protections, such as the European Union. Moreover, a rights-based approach would ensure that privacy laws remain relevant despite the exponential pace of technological change.
2. Clarify privacy laws
Like the Proposals, the Report calls for clarification of Canadian privacy laws. As currently drafted, PIPEDA imposes a range of obligations but also notes several recommendations and best practices. The Report contends that privacy laws should clearly stipulate the rights of individuals and impose unambiguous obligations with respect to individuals’ privacy. The Report also suggests that a public authority (either the OPC or another office) should be empowered to issue binding subsidiary guidance. PIPEDA is a principles-based law drafted at a high level of generality. While this has advantages in a rapidly evolving technological landscape, it can be difficult to apply in practice. Binding subsidiary guidance would help clarify how general principles should be interpreted. Alternatively, the OPC could develop binding guidance through heightened enforcement powers, such as order-making authority.
3. Ensure effective enforcement
The Report argues that federal privacy laws do not provide effective enforcement mechanisms. As such, organizations are left to self-regulate and individuals are left with insufficient recourse.
The Report contends that the OPC should be empowered to conduct proactive investigations and issue binding orders and penalties, subject to judicial review. This would incentivize broad and ongoing compliance by organizations and ensure that individuals obtain timely recourse. The Report also acknowledges that the OPC, with its finite resources and multitude of responsibilities, cannot investigate every complaint. As such, privacy legislation should grant individuals an independent right of action to pursue remedies in the courts.
The proposed scope of OPC powers is a point of contention between the federal government and the OPC. As noted above, the Proposals suggest granting the OPC “circumscribed” order-making powers to halt collection, use or disclosure of personal information. The OPC would then refer privacy matters to the Attorney General to determine whether fines are appropriate. The Report contends that this approach would delay the enforcement of rights and incentivize companies to ignore privacy laws, as recently exemplified by Facebook’s response to the OPC investigation of its practices.
4. Maintain the concept of meaningful consent while acknowledging its limits
The Report affirms that meaningful consent is an important cornerstone of Canadian privacy law. However, like the Proposals, the Report acknowledges the limits of consent in today’s digital era, in which organizations motivated by profit use personal information for purposes other than those for which it was collected, and individuals are faced with vague and unintelligible consent requests as a result of rapid technological change. As such, the Report recommends permitting exceptions to consent where the societal benefits clearly outweigh the privacy incursions and several prior conditions are met, including that:
- use of the personal information is necessary;
- it is impracticable to obtain consent;
- pseudonymized data is used to the extent possible;
- a privacy impact assessment is conducted in advance;
- the OPC is notified in advance;
- the organization has issued a public notice describing its practices; and
- individuals retain the right to object.
5. Require demonstrable accountability
PIPEDA states that organizations are accountable for personal information under their custody or control. The Report contends that recent events, including the Facebook/Cambridge Analytica scandal, reveal that the accountability principle, framed as such, fails to protect Canadians. The Report suggests that organizations should be required to demonstrate accountability to the OPC or another independent third party. Towards this aim, the OPC should be empowered to proactively investigate organizations’ privacy practices before a complaint arises, and organizations should be required to produce evidence of accountability on demand. Organizations should consider privacy issues at the outset of their initiatives, design privacy assurance into products at the outset of development, and conduct preliminary privacy impact assessments. The Report acknowledges that demonstrable accountability could place an excessive burden on small and medium-sized enterprises (“SMEs”). Accordingly, the recordkeeping obligations of SMEs under the accountability principle could be made lighter, unless they are engaged in activities that carry significant privacy risks for individuals.
Potential Impacts of Reforms
It is unclear which of the reforms noted in the Proposals and the Report will become law. Nonetheless, it is important to consider the potential impact of the proposed reforms on organizations doing business in Canada.
1. A proactive approach to privacy compliance
If implemented, the reforms would require organizations to adopt a proactive approach to compliance with privacy law. If the OPC had power to conduct proactive investigations and issue penalties, as is suggested in the Report, organizations would need to ensure ongoing and contemporaneous compliance with privacy laws or risk incurring financial liability. Organizations would need to conduct heightened due diligence on technological products which could impact the privacy interests of stakeholders. Such due diligence might require outsourcing to individuals with specialized knowledge. Moreover, the OPC has advocated that privacy impact assessments become mandatory law, which would require organizations to spend time, energy and money at the outset of initiatives. Even the reforms suggested in the Proposals (as opposed to the more onerous reforms suggested in the Report) would require organizations to adopt a more proactive approach to privacy compliance than is currently required by PIPEDA.
One can also reasonably anticipate reforms to PIPEDA’s consent requirements. In 2018, the OPC issued guidelines on obtaining meaningful consent, which are cited with approval in the Proposals and the Report. If these guidelines were incorporated into privacy laws, organizations would need to take proactive steps to obtain valid consent and ensure that consent remains valid. Among others, such steps would include:
- allowing individuals to quickly review key elements impacting their privacy decisions;
- allowing individuals to control the amount of information they get and when; and
- notifying and obtaining consent of individuals prior to changes to privacy practices.
Presumably, the exceptions to consent noted in the Proposals and the Report would be applied narrowly. Obtaining meaningful consent would be required in most circumstances.
2. Provincial reform
Any reform to Canada’s federal privacy laws would likely trigger comparable reform at the provincial level. The provinces of Alberta, British Columbia and Quebec have enacted private sector privacy legislation which the federal government has deemed “substantially similar” to PIPEDA. Generally speaking, the provincial legislation applies to organizations that collect, use and disclose personal information solely within one of Alberta, British Columbia or Quebec (i.e. the personal information does not flow across provincial or national borders). If reforms occurred at the federal level, provincial legislation would likely follow suit. A system in which federal and provincial privacy laws are not substantially similar is unworkable in the long term.
Conclusion
It is unclear which of the reforms noted in the Proposals or the Report will become law. What is clear, however, is that, if implemented, any modernization of Canada’s federal privacy laws will force organizations doing business in Canada to take a more proactive approach to privacy compliance and trigger comparable reforms to provincial privacy legislation.
EKB’s Information & Privacy team is experienced and knowledgeable in all areas of privacy law and is here to assist business owners navigating privacy issues.
[1] At a federal level, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates private organizations engaged in commercial activities and the Privacy Act regulates public institutions. This article focuses on suggested reforms to PIPEDA, although many of the reforms suggested by the OPC relate to both PIPEDA and the Privacy Act.