In its response letter, the Minister of Innovation, Science and Economic Development, Navdeep Bains, generally stated that the Government of Canada shares the ETHI’s view that changes to the Canadian privacy regime are required.
The Government of Canada has responded to the February 2018 report by the Standing Committee on Access to Information, Privacy and Ethics (“ETHI” or “Committee”) on the review of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). As we summarized in a previous bulletin, the ETHI’s report, entitled “Towards Privacy by Design,” discussed many topics and provided recommendations to ensure that PIPEDA be considered as being adequate to the European General Data Protection Regulation ("GDPR"), which came into force on May 25, 2018.
In its response letter, the Minister of Innovation, Science and Economic Development (“ISED”), Navdeep Bains, generally stated that the Government of Canada shares the ETHI’s view that changes to the Canadian privacy regime are required. The government announced that because issues concerning privacy are complex and there is a need to ensure that Canada can fuel innovation while also fostering trust by Canadians, it will engage Canadians in a national conversation on data and digital issues. Among other topics, this conversation will explore how safeguards such as privacy protection must be in place for Canadians to trust, adopt and be included in the data economy.
More specifically, the government’s letter addresses several recommendations of the ETHI’s report divided under the four following themes, which we discuss below: consent under PIPEDA, online reputation, enforcement powers of the Office of the Privacy Commissioner of Canada (“OPC”) and impact of the GDPR.
Consent Under PIPEDA
The government agreed with ETHI’s view that consent must stay at the core of PIPEDA’s privacy protection model, as it respects individuals’ autonomy in deciding what to do with their personal information. It also shared the ETHI’s opinion that the consent regime can be enhanced and clarified, and noted the OPC’s initiative on this front.
The government was not convinced by the ETHI’s recommendation to expand the scope of existing exceptions to consent for the disclosure of personal information related to the prevention of activities pertaining to financial crime, as it expressed reluctance at creating sector-specific exceptions. In light of recent public incidents involving unintended uses of personal information obtained from social media, the government also expressed the need to closely study the potential impacts of redefining “publicly available information” for the purpose of PIPEDA, as the ETHI had recommended, especially with respect to information of minors.
With respect to minors, however, the government highlighted the challenges of applying explicit protections for them under federal law as it inherently involves the definition of a “minor,” which falls within provincial jurisdiction.
In January 2018, the OPC published its “Draft Position on Online Reputation,” which we discussed in a previous bulletin. Essentially, it stated that PIPEDA already contains protection akin to the European right to be forgotten (or "right to erasure," as it is named in the GDPR). In its report, the ETHI covered this subject in great detail.
The government’s response acknowledged the OPC’s work with respect to online reputation and highlighted that its paper recognized that there are legitimate concerns about the impacts of this position on other rights, namely the right to the freedom of expression. It noted that given the potential far-reaching impacts of a right to erasure and a right to de-indexing in numerous areas, including freedom of speech and the public record, and given that PIPEDA only applies to commercial contexts, the government would need to assess whether PIPEDA would be the most appropriate statutory instrument for addressing these issues.
Enforcement Powers of the OPC
The Government of Canada expressed its agreement with the ETHI that the time has come to closely examine how PIPEDA’s enforcement model can be improved, stating that the government must look at other models of compliance and enforcement as options. Additionally, the government stated that it must consider the potential impacts of these models on the overall mandate of the OPC, the principles of fundamental justice, and the countervailing risks associated with increased enforcement powers, notably the impacts on open dialogue between businesses and the OPC. According to the government, whether the enforcement model must change may depend on other potential changes to PIPEDA, as changes to the enforcement model may impact on the need for changes in other areas, and vice versa.
The government indicated its intention to undertake further study on the full range of options for ensuring compliance with PIPEDA.
Impact of the GDPR
Under the GDPR, organizations in the European Union are prohibited from transferring personal data to any non-member state whose laws do not adequately protect this data. The EU will therefore have to assess the adequacy of PIPEDA under the GDPR. In its report, the ETHI had made the following recommendations in this context:
- That the government work with its European Union counterparts to determine what would constitute adequacy status for PIPEDA in the context of the new GDPR;
- That the government determine what changes to PIPEDA, if any, will be required in order to maintain its adequacy status under the GDPR;
- That if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the government create mechanisms to allow for the seamless transfer of data between Canada and the European Union; and
- That the government work with the provinces and territories to make sure that all relevant jurisdictions are aware of the requirements for adequacy status to be granted by the EU.
In its response, the Government of Canada expressed its support for these recommendations. It mentioned that the government is engaged with EU nations and institutions in the discussion of cross-border data transfers and interoperability of privacy regimes, and that government officials are working closely with the European Commission to understand the requirements for maintaining Canada’s adequacy standing under the GDPR. The government expects such review to occur by 2020.
The government noted in its response that a number of the ETHI’s recommendations pertain to aligning PIPEDA with specific provisions of the GDPR (more specifically, with respect to algorithmic transparency, privacy by design, depersonalized data and data portability). On this topic, the government mentioned that the EU has adopted the concept of “essential equivalence” to examine the adequacy of non-member regimes, such as Canada, rather than one-to-one mapping. It is therefore not clear that PIPEDA’s adequacy standing requires that it reflects each of the GDPR’s protections. That being said, the government agrees that these concepts incorporated in the GDPR could enhance privacy protections and it intends on consulting broadly on the potential benefits of incorporating them into PIPEDA.
Conclusion and Business Takeaways
While this response does not provide the Government of Canada’s comprehensive view on the ETHI’s recommendations, it nonetheless gives an idea that it may prioritize issues pertaining to online reputation, enforcement powers of the OPC and importation of privacy rights and protections included in the GDPR, such as algorithmic transparency, privacy by design, depersonalized data and data portability. Organizations doing business in Canada, especially those handling large amounts of personal information of Canadians, should consider participating in future government consultations on these topics, as well as OPC consultations related to the interpretation of PIPEDA.