On February 28 the House of Commons Standing Committee on Access to Information, Privacy and Ethics published the Report of its review of the Personal Information Protection and Electronic Documents Act (PIPEDA).
The timing of the report is significant for two reasons. Firstly, dramatic changes in information technology and digital data point to a need to ensure that PIPEDA continues to be relevant and effective. Secondly, the impending coming into force of the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018 dictates revisiting PIPEDA’s adequacy status (enabling unrestricted transfers of data between the EU and Canada). It is fair to say that the Committee’s report, which portends a significant revision to PIPEDA, was informed in a large way by these two circumstances.
Taking its cue from a recommendation from the federal Privacy Commissioner, the Committee broadly approached its review under four categories: consent, reputation, enforcement, and the GDPR. While addressing the GDPR’s adequacy requirement as a distinct focus, the impact of that new rule and potential changes to PIPEDA to respond to it are discussed throughout the report.
The consent model
In terms of potential impact on PIPEDA’s substantive rules, the Committee’s review of the role of consent is a key focus of the report. Its central recommendation is that consent remain the core element of the privacy regime but that it be enhanced and clarified by additional means when possible or necessary. This recommendation masks the wide diversity of views that the Committee heard regarding consent. However the thrust of its thinking is articulated in the following precis of a passage from the report:
The Committee believes that respect for personal autonomy requires that individuals be free to decide for themselves what to do with their personal information. Although it has become more difficult to obtain real and explicit consent, freedom of choice is a factor that promotes consumer confidence. Therefore instead of abandoning the consent model, the government should seek to enhance and clarify consent, as required.
This view, while not supported by all witnesses who appeared before the Committee, can be characterized as representing a fairly mainstream opinion. However the Committee likely strayed outside the mainstream in some of its specific recommendations under the consent heading, including recommending that opt-in consent be implemented as a default for secondary uses (and potentially in all cases), expanding the definition of publicly available information to include that which individuals post on public web sites, and recommending an amendment to eliminate the consent requirement for “legitimate business interests”. Each of these three potential thrusts are controversial and not likely to be adopted without qualification, if for no other reason, they could represent significant derogations to the consent rule. A related recommendation proposes that rules regarding algorithmic transparency be adopted – a potential response to big data processing of personal information.
The Committee recommends that specific rules regarding consent and the collection, use and disclosure of personal information of minors be adopted. However the government has been advised in the past that moving into these areas may be impinging on provincial constitutional jurisdiction.
The Committee’s report includes a number of recommendations under the heading of reputation, or more precisely “online reputation”, including adopting a “right to be forgotten” (encompassing the right to erasure, a right to data de-indexing – such as on search engines, and an enhanced obligation to delete or destroy personal information once no longer needed) and the adoption of Privacy By Design as an essential principle.
While there is some debate as to the extent that some or all of these rights or obligations may exist under the current law, their adoption as express new rules in an amended law is not likely to be controversial.
Enhancing the enforcement powers of the federal Privacy Commissioner is a second major focus of the report. The Committee’s recommendation in this regard is that PIPEDA be amended to give the Privacy Commissioner such powers (acknowledging that his current powers, largely characterized by his ombudsman role do not explicitly include enforcement), including the power to make orders and impose fines for noncompliance.
A diversity of views by witnesses before the Committee is reflected in the report, ranging from those concerned that such new enforcement powers would substantially alter the ombudsman character of the Commissioner’s Office, to those primarily focusing on the need to have significant order-making and financial penalty powers in order to enhance compliance. While not forming part of the Committee’s rationale for this recommendation, a number of witnesses cited the GDPR adequacy requirement as a reason for adopting such powers.
Notwithstanding the diversity of opinion on the enforcement powers issue, it is fair to say that the Committee’s recommendation is likely the clearest conclusion that one can draw from the report, and is a recommendation that in one form or other is likely to become law.
Adequacy status under the GDPR
This issue pervades several of the separate specific topics in the report. The Committee’s recommendations in regard to adequacy are not controversial – essentially to determine the status required, and to adopt amendments to PIPEDA needed to maintain that status, with the caveat that if for some reason achieving adequacy by this means is not in the Canadian interest, to establish other mechanisms for data transfer between the EU and Canada.
While there was no serious difference of opinion before the Committee regarding the need for adequacy status, different views were expressed as to whether any changes to PIPEDA should be done prospectively, or at a later time once there is a clearer understanding of what is required.
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.
© David Young Law 2018
Read the Full PDF: ETHI Committee Report recommends major PIPEDA overhaul
David Young Law
Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8