The House of Commons Standing Committee on Access to Information, Privacy and Ethics has released its report on updating the Personal Information Protection and Electronic Documents Act (PIPEDA). The report contains several recommendations that may signal amendments to PIPEDA to align Canada's federal privacy law with the European General Data Protection Regulation (GDPR). However, for many of the more far-reaching policies the report recommends only further consideration, which suggests that there will be no significant amendments in the near term.
What You Need To Know
The report makes the following recommendations to the Canadian government.
- Adopt a default opt-in framework for consent as it applies to secondary uses of personal information such as marketing, and consider updating rules of consent for young people.
- Expand the powers of the Privacy Commissioner to include the ability to make orders and issue fines against non-compliant organizations.
- Modernize PIPEDA to account for new technology and new uses of personal information.
- Consider including a framework for the rights to erasure and de-indexing (commonly known as the right to be forgotten).
- Collaborate with the European Union to maintain Canada's adequacy status under the forthcoming GDPR.
Further Information on the Report's Recommendations
In total, the Committee released 19 recommendations with respect to PIPEDA. It remains to be seen whether these recommendations will be implemented, particularly given that many are framed as issues to "consider" or "study." Although there is no established timeline for next steps, it is unlikely that the Government will review the report, identify its priorities for reform, and introduce amending legislation in 2018. At most, we would expect the Government to release a discussion paper in the fall of 2018 on how some of the Committee's recommendations might be implemented.
Update to Consent Framework
The first recommendation the report makes is for consent to remain the core element of privacy protection in PIPEDA. To enhance the consent model, the report further recommends that amendments be proposed that would explicitly make opt-in consent the default framework for any secondary uses of personal information, such as marketing or data analytics.
The report also recommends that the Government consider implementing specific rules for the consent of minors. It further adds that consideration should be given to regulations governing the collection, use and disclosure of minors' personal information. The report did not recommend specific means of doing so.
Enhanced Powers of the Privacy Commissioner
The report's two recommendations enhancing the powers of the Privacy Commissioner are among the relatively few not qualified by a verb such as "consider" or "study." The first of these recommends that the Privacy Commissioner be given the power to issue orders and fines against organizations that fail to comply with PIPEDA. The report recommends adopting an approach similar to that of the United Kingdom, which currently allows for orders against organizations and fines of up to £25,000.
The second recommendation is to give the Commissioner broad audit or self-initiated investigation powers, including the ability to choose which complaints to investigate. The Committee does not specify what other powers may be included under the umbrella of audit powers or how these may differ from the existing audit provisions of PIPEDA.
Modernization of PIPEDA
The Committee recommended that the Government introduce an explicit right to data portability between service providers, and that it consider implementing measures to improve transparency regarding how organizations apply algorithms to personal information. These recommendations are similar to the rights in the forthcoming EU GDPR and account for new means of processing personal information with modern technology.
Withdrawal of Consent and Right to be Forgotten
The report recognizes that the viability of a consent-based privacy model depends on the ability of an individual to withdraw their consent, but that this is not always possible. The report recommends only that this issue be further studied in order to clarify the legal and practical implications of withdrawal.
A related issue, the right to be forgotten, is also addressed by the report. However, the report recommended that the Government only consider implementing a right to erasure based on the EU's GDPR model. The GDPR gives individuals the right to erasure of their personal data including when it is no longer necessary, consent is withdrawn and there is no legal basis for preventing its removal, or when the data has been unlawfully processed. The report concludes that the right to erasure should include at a minimum a right for young people to have information about them posted online taken down.
The report further recommends that the Government consider including a framework that provides a right to the de-indexing of harmful personal information from search engine results. The report adds that this right should only be available under specific circumstances, but that it should be explicitly recognized in cases of personal information posted online by individuals when they were minors.
Compatibility with the GDPR
The Committee recommends that the Government work with the EU to determine what will be required, after the GDPR comes into force, to maintain the adequacy status that Canada's privacy law currently holds, which allows personal information to be easily transferred from the EU to Canada. If the Government determines adequacy could only be retained through legislative changes that are not in Canada's interest, the Committee recommends the Government "create mechanisms to allow for the seamless transfer of data between Canada and the European Union."