OPC Consultation on transborder dataflows
The federal Office of the Privacy Commissioner has suspended its Consultation on transborder dataflows, initiated last month following its investigation report into the 2017 Equifax data breach. As part of this Consultation, the OPC had proposed re-characterizing data transfers undertaken in the context of service provider relationships, including across borders, so that such transfers would be treated as “disclosures” under PIPEDA, requiring consent by data subjects together with an explanation of the nature of any such relationship.
The OPC suspended its Consultation, which had led to significant controversy, in the context of the government’s new Digital Charter (see below). The Charter includes proposals for modernization of PIPEDA, including revisiting the treatment of data transfers between data collectors and their contract processors.
The OPC indicated that any proposal to re-characterize such transfers likely will await further guidance from the government respecting amendments to the current law. However, the Privacy Commissioner, in announcing the decision, indicated that the OPC remains concerned about deficiencies in accountability for data transferred by organizations to processors and other service providers – including across borders – and will revisit a more rigorous application of PIPEDA’s Accountability Principle for such processors in the event that it receives further complaints in this regard.
Canada’s Digital Charter
On May 21 the Minister of Innovation, Science and Economic Development Canada (“ISED”) announced the government’s plan for fostering innovation through digital strategies and exploiting the value of data. Development of its plan – Canada’s Digital Charter – was informed by the National Digital and Data Consultations initiated by the government in June 2018. The Charter addresses three areas of focus: preparing workers’ skills and talents in the digital world; supporting growth of Canadian businesses through innovation; and privacy and trust. It articulates ten draft principles to guide the government’s work in addressing the challenges of the digital and data environment, including: equal access to digital technologies; safety and security; control and transparency of data; and accountability and strong enforcement.
Within the context of the Charter’s principles of data control, transparency and accountability, the government has published a white paper entitled “Strengthening Privacy for the Digital Age” addressing proposals to modernize PIPEDA.
PIPEDA White Paper
As noted, concurrent with putting forth its Digital Charter, ISED published proposals for amendment of PIPEDA, intending to respond not only to its National Digital and Data Consultations but also the 2017 study of PIPEDA undertaken by the parliamentary Standing Committee on Access to Information, Privacy and Ethics. These proposals – which could more accurately be characterized as an invitation to consider options for amendment – clearly wrestle with the government’s conundrum in marrying dynamic innovation with control of data and transparency for data subjects.
The PIPEDA proposals address potential amendments under three main headings: consent and transparency, enabling responsible innovation, and enhancing enforcement and oversight.
Under the first heading, the government’s white paper seeks to enhance meaningful control and increase transparency for individuals through greater emphasis on information disclosure related to consent, including for automated decision-making technologies such as artificial intelligence. However, the white paper raises the possibility of alternatives to consent to facilitate uses of personal information under circumstances such as standard business activities, as well as establishing a clear category of de-identified information which could be used without consent.
The white paper also proposes enhancing individuals’ control over information through rights to data mobility and protection of online reputation.
Under the heading of enabling responsible innovation, the white paper puts forward data trusts and de-identified data as potentially facilitating data use without consent for research purposes. Other possible options to encourage innovation include use of codes, standards and certification regimes to enhance international interoperability among substantially similar privacy regimes.
Under the heading of enhancing enforcement and oversight, the white paper focuses on strengthening the Privacy Commissioner’s powers in four broad areas: education and outreach; investigation and audit; noncompliance and offences; and proactive advisory activities.
Within the context of the Commissioner’s enforcement powers, the white paper proposes enhanced flexibility for the OPC to investigate complaints and for auditing organizations’ compliance, as well as a “circumscribed” order-making power, in the form of cessation and records preservation orders. Monetary penalties would be extended to all key provisions of the Act and substantially increased, and a power for courts to order statutory damages would be created.
Finally, the white paper highlights an additional area of focus addressing what it calls “clarity of obligations”, suggesting that the principles-based approach of PIPEDA, cast in ostensibly non-legal language, makes it difficult for stakeholders (both individuals and organizations) to understand compliance requirements. As part of an initiative to enhance digital literacy, the government is proposing redrafting PIPEDA to set out data protection rights and requirements in a manner that is easier to understand. The Alberta and B.C. Personal Information Protection Acts are cited as examples of such an approach.
ISED invites stakeholders to discuss with it or make submissions regarding the development of options for PIPEDA reform. While such discussions may commence at an early stage, any concrete proposals for amendment must await the federal election in October. In light of any expected formal consultation timeframe, likely continuing well into 2020, any amending legislation will be at least two years into the future.
 For example, cessation orders might be limited to situations where noncompliance has caused or is likely to cause a risk of harm or significant distress to an individual.