In February 2018, the Standing Committee on Access to Information, Privacy and Ethics released a report that summarized issues and recommendations concerning the Personal Information Protection and Electronic Documents Act (PIPEDA).
The report was authored by Bob Zimmer, the Chair of the Standing Committee, and presented to the House of Commons in the first session of the 42nd Parliament.
More specifically, the report was generated following the decision to undertake a review of PIPEDA. This review began on February 14, 2017; it consisted of 16 public meetings, hearings with 68 witnesses, 12 written submissions, and consideration of several previous reports by the Office of the Privacy Commissioner of Canada.
The four main areas that were tackled in the review included: meaningful consent; reputation and respect for privacy; the Privacy Commissioner’s enforcement powers; and the adequacy of PIPEDA in light of the European Union’s General Data Protection Regulation (GDPR), which comes into effect in May 2018.
Pursuant to section 29 of PIPEDA, there must be a parliamentary review of the provisions and operation of Part 1 of PIPEDA every five years. These reviews took place in 2007 and 2012, and the most recent review, which commenced in 2017, led to the creation of this report. Additionally, the four members of the Standing Committee visited Washington DC to gain a better understanding of American privacy legislation and framework from a comparative perspective. Although it is outside the scope of this discussion, it is important to note that various topics were discussed, including enforcement powers, the safeguarding of personal information, principle-based legislation, and the notion of consent and algorithmic transparency.
Following deliberations, the Standing Committee outlined the following recommendations for the consideration of the House of Commons and the Government of Canada:
1. Meaningful consent under PIPEDA
- Recommendation 1: That consent remain the core element of the privacy regime, but that it be enhanced and clarified by additional means, when possible or necessary
- Recommendation 2: That the Government of Canada propose amendments to PIPEDA to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose
- Recommendation 3: That the Government of Canada consider implementing measures to improve algorithmic transparency
- Recommendation 4: That the Government of Canada study the issue of revocation of consent in order to clarify the form of revocation required and its legal and practical implications
- Recommendation 5: That the Government of Canada modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral
- Recommendation 6: That the Government of Canada consider amending the PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests
- Recommendation 7: That the Government of Canada examine the best ways of protecting depersonalized data
- Recommendation 8: That paragraph 7(3)(d.2) of PIPEDA be amended to replace the term “fraud” with “financial crime”. In addition, that the definition of “financial crime” in PIPEDA include: fraud; criminal activity and any predicate offence related to money laundering and terrorist financing; all criminal offences committed against financial service providers, their customers or their employees; the contravention of laws of foreign jurisdictions, including those relating to money laundering and terrorist financing
- Recommendation 9: That the Government of Canada consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information
- Recommendation 10: That the Government of Canada amend PIPEDA to provide for a right to data portability
2. Online reputation and respect for privacy
- Recommendation 11: That the Government of Canada consider including in PIPEDA a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down
- Recommendation 12: That the Government of Canada consider including a framework for the right to de-indexing in PIPEDA and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors
- Recommendation 13: That the Government of Canada consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information
- Recommendation 14: That PIPEDA be amended to make privacy by design a central principle and to include the seven foundational principles of this concept, where possible (the seven foundational principles include: (1) proactive not reactive and preventative not remedial; (2) privacy as the default setting; (3) privacy embedded into design; (4) full functionality – positive-sum not zero-sum; (5) end-to-end security – full lifecycle protection; (6) visibility and transparency – keep it open; and (7) respect for user privacy – keep it user-centric)
3. Enforcement powers of the Privacy Commissioner
- Recommendation 15: That PIPEDA be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance
- Recommendation 16: That PIPEDA be amended to give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate
4. Adequacy of PIPEDA under the European Union GDPR
- Recommendation 17: That the Government of Canada work with its European Union counterparts to determine what would constitute adequacy status for the PIPEDA in the context of the upcoming GDPR (approved by the European Union Parliament on April 14, 2016 and effective May 25, 2018)
- Recommendation 18: That the Government of Canada determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR. Furthermore, that, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European Union
- Recommendation 19: That the Government of Canada work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the European Union
Response of the Privacy Commissioner of Canada
In a statement on March 1, 2018, the Privacy Commissioner of Canada, Daniel Therrien, thanked the Standing Committee, and stated that he was pleased with the review and consequent report, and noted that he was looking forward to working with the government to take steps to modernize the legislation.
What can employers take from this development?
Employers governed by PIPEDA are advised to remain informed on these issues because some of the above-mentioned recommendations may become part of future legislative and policy initiatives. Moreover, employers are advised to review their own privacy policies to ensure they are keeping up with what is currently required under applicable privacy legislation.