The past year was not dull in the privacy world. On the contrary, it included some high drama as well as potentially ground-breaking developments. The following is a review.
Equifax data breach
In April, the Office of the Privacy Commissioner released its Report of Findings regarding the 2017 Equifax data breach. Hackers had gained access to the systems of Equifax through a software vulnerability, accessing credit files for more than 143 million individuals worldwide, including approximately 19,000 Canadians. While Equifax had become aware of the breach in July 2017, not until September did it make any public announcement and only in October did it send letters notifying the affected Canadians.
The OPC determined that Equifax had failed to provide adequate safeguards, in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA), and had failed to obtain the consent of individuals to the transfer of their data from Equifax Canada to Equifax US, which it determined was a disclosure by Equifax Canada, not a use by a processor as previously thought.
OPC Consultation on cross-border data transfers
Coming out of the Equifax case, the OPC’s new view was that all transfers of personal information to a processor constituted disclosures requiring individual user consent, including across borders. This was a dramatic departure from the OPC’s previous interpretation of the law and if confirmed would have entailed significant changes in privacy practices and organizations’ relationships with service providers.
The OPC undertook a consultation to assess stakeholder opinion.
It received 87 submissions in response to its consultation, possibly a record, predominantly taking issue with the proposed new treatment. At the end of September, the OPC announced no change – that a transfer for processing will continue to be considered a use, not a disclosure, and will not require consent, pending possible future legislative change.
In May the federal government announced Canada’s Digital Charter, its digital strategy for fostering innovation. Within the umbrella of the Charter, Innovation, Science and Economic Development Canada published a white paper outlining proposals for modernizing PIPEDA, under three main headings: consent and transparency, responsible innovation, and enforcement and oversight.
Discussions with stakeholders responding to the proposals, including in-person meetings, commenced in August and, with a brief interlude for the election, continue. The result likely will be a more formal consultation paper setting out concrete proposals and time frames, potentially early in the new year.
Privacy for political parties
In the context of the federal election, some changes in the laws governing the protection of privacy by political parties came into effect on July 1. Specifically, amendments to the Canada Elections Act under Bill C-76, the Elections Modernization Act, required parties to have privacy policies that address key information collection and use practices.
Notwithstanding the July 1 effective date, the parties’ privacy policies were not updated.
The Bill C-76 amendments were almost universally criticized as an inadequate response to electoral integrity in the digital universe. By contrast, the parliamentary Standing Committee on Access to Information, Privacy and Ethics had recommended comprehensive privacy protection legislation for political parties.
B.C. privacy ruling impacts federal political parties
In response to a complaint that a local federal NDP riding association had obtained personal email addresses without consent, the B.C. Information and Privacy Commissioner undertook an investigation. On August 28, preliminary to conducting the investigation, he issued a ruling that the province’s private-sector privacy law, the Personal Information Protection Act (PIPA), applies to riding associations of federal political parties. The Commissioner based his reasoning in part on the fact that Ottawa’s rules respecting parties are so limited that there is no conflict with B.C. applying its own comprehensive privacy rules.
The ruling will have implications beyond the province’s borders. It means that B.C.’s PIPA, which is equivalent to PIPEDA, may extend to federal political parties, with implications for voters across the country.
On November 26, the B.C. and federal Commissioners released their joint Investigation Report into the activities of AggregateIQ, a Victoria-based data research firm that assisted Cambridge Analytica in targeting potential voters in the UK Brexit referendum and the US 2016 presidential election. The Commissioner determined that in receiving individuals’ profile information used for targeting purposes, AggregateIQ failed to ensure proper consent.
One of the unexpected messages from this decision is the imposition of responsibility on B.C. service providers to confirm the adequacy of consent, particularly with respect to information collected in foreign jurisdictions. This point arises from the wording of the PIPA provision respecting processors, which differs from other Canadian privacy laws. The B.C. Commissioner has read this wording to mean that the processor must ensure that consent obtained on initial collection of the information complies with PIPA’s rules, even if the information is collected in a foreign jurisdiction.
As we know, Sidewalk Labs, the Google subsidiary, has proposed a digital information neighborhood on Toronto’s waterfront reflecting dynamic activities and interactions within the area, with the goal of addressing energy and economic efficiencies, quality of life, and sustainability. Essential to the proposal is the collection of personal data, both public and private.
Serious concerns have been raised regarding this pervasive data collection and the future use of that data. Sidewalk Labs’ proposal was for the data collection to be conducted by it, with a “Civic Data Trust” regime to provide rules guidance and to manage the data.
In October, Waterfront Toronto, the responsible public sector agency, and Sidewalk Labs agreed to re-align certain “threshold issues”, including the data collection. As a result, Waterfront Toronto will lead all privacy and digital governance matters and Sidewalk Labs will not pursue the civic data trust concept.
While touted as resolving the privacy concerns with the project, this agreement again failed to provide clarity as to ultimate ownership and control over the data. The issues agreement states that it will be resolved using prevailing public/private partnership models, whatever that means.
In November, Sidewalk Labs issued a “Digital Innovation Appendix” that provides further information. The document identifies which activities are projected to be under public sector oversight, such as mobility management and efficient streetscapes, and those to be overseen by the private sector, such as building climate controls. Possibly, this still cryptic outline can be read to indicate that data oversight responsibility (public vs. private) will determine control – in other words ownership – of the data.
OPC’s Annual Report
To wrap up the year, on December 10, the federal Privacy Commissioner released his 2018-2019 Annual Report. In it, the Commissioner sets out, in much greater detail than we have seen before, his view as to what Canada’s privacy laws – PIPEDA as well as the Privacy Act (the public sector law) – should look like. In essence, they should mirror the approach of the EU’s General Data Protection Regulation, and establish a rights-based regime. The “self-regulatory approach” of PIPEDA (the Commissioner’s words), based on Fair Information Practices, should be replaced by a privacy rights regime enforced through a more pro-active OPC role, including order-making power and the authority to impose fines.
The OPC’s Report also contains the results of its year-long investigation into Statistics Canada’s collection of customer information from financial institutions. The OPC concluded that this collection is permitted but recommended greater transparency and additional rules to guide the necessity of such collections.
Finally, the Commissioner noted that in the past year PIPEDA’s new data breach reporting rules resulted in a five-fold increase in reports to the OPC. However, it deemed 33% unnecessary as not meeting the threshold of “real risk of significant harm.”
© David Young Law 2018
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained. © David Young Law 2019
 A version of this article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.
 The OPC suggests that PIPEDA should be read this way as well, which would be a departure from the currently understood obligations of service providers under PIPEDA’s Accountability Principle.