It is increasingly common for businesses to receive requests from customers asking for the deletion of all of the information that the business holds about them. Such requests raise the issue of whether there is a right to the deletion or erasure of personal information under Canadian data protection laws.
The concept of the right to erasure comes from the General Data Protection Regulation (GDPR), which is frequently referred to as the benchmark legislation for data protection around the world. Effective as of 2018, the GDPR grants several rights to data subjects, including in Article 17, a right to obtain the erasure, as soon as possible, of personal data that a business holds about them, where one of the following grounds applies:
- personal data is no longer necessary in relation to the purposes for which it was collected;
- the data subject withdraws consent upon which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing of personal data concerning him or her and where there are no overriding legitimate grounds for processing;
- personal data has been unlawfully processed;
- personal data has to be erased for compliance with a legal obligation; or
- personal data was collected when the data subject was a child and was not fully aware of the risks involved with the processing.
It is worth pointing out that the GDPR does not provide a general right to erasure but rather a limited right to specific circumstances. Canadian businesses subject to the extraterritorial scope of the GDPR, must ensure that they have procedures to assess and handle requests for erasure made under the legislation. Namely, should these businesses offer goods or services to individuals located in the European Union or monitor the behaviour of those individuals, to the extent that the behaviour in question takes place within the Union.
Do Canadian data protection laws provide individuals with a similar right? This article seeks to answer this question in order to provide guidance to businesses dealing with requests for says deletion of personal information.
What the law is saying
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information held by businesses in all provinces that have not adopted legislation that has been deemed as substantially similar to PIPEDA. Québec, Alberta and British Columbia are the three provinces with private sector data protection laws. Thus, businesses operating entirely in Québec, Alberta or British Columbia are subject to the provincial legislation. However, even in those provinces, PIPEDA applies to businesses whose activities involve the transfer of personal information across provincial or Canadian borders, as well as to federally regulated organizations such as banks and telecommunications companies.
A. Federal
PIPEDA requires that an organization destroy, erase or make anonymous personal information that is no longer required to fulfil the pre-identified purposes (Principle 4.5.3). PIPEDA also provides that an individual must be given access to his or her personal information (Principle 4.9.1) the opportunity to request correction of that information if it is inaccurate or incomplete (Principle 4.9.5). Yet, PIPEDA does not provide individuals with a right to request the deletion of their personal information when it is still required for the purposes for which it was collected. Therefore, it is only when the information is no longer necessary for the organization that an individual would be able to request that the organization delete the information as part of a challenge concerning compliance (Principle 4.10).
B. Québec
In Québec, the purpose of the Act respecting the protection of personal information in the private sector (QC Private Sector Act) is to establish specific rules for the exercise of the rights provided in articles 35 to 40 of the Civil Code of Québec (C.c.Q.) concerning personal information collected in the course of business operations carried within the scope of article 1525 C.c.Q. Thus, article 40 (1) C.c.Q. provides that an individual may request that “obsolete information or information not justified by the purpose of the file” be deleted. Section 28 QC Private Sector Act further adds to this section by stipulating that an individual may request the deletion of personal information about him or her if the collection is unauthorized under law. Consequently, Québec legislation recognizes three situations in which an individual may ask a business to delete personal information that it holds about him or her:
- when the information is obsolete1;
- when the retention of the information is no longer justified for the purpose for which it was collected; or
- where the information was not collected in a lawful manner2.
Once again, it must be noted that, like PIPEDA and the RGPD, QC Private Sector Act and the Civil Code do not grant individuals a general right to obtain the deletion of their personal information held by a business. Deletion can therefore only be requested on specific grounds. This statement appears to be consistent with the overarching purpose of the QC Private Sector Act, which seeks to balance the privacy rights of individuals with the needs of businesses to process personal information3. Indeed, companies may have several legitimate purposes for keeping their customers’ personal data: to provide a product or service, to send warranty or safety information to the customer, to comply with legal retention requirements, to conduct internal performance analyses, to conduct research and development projects, etc. A general right to the erasure of personal information would undermine many of these goals. It would place a significant logistical and operational burden on businesses without necessarily ensuring greater protection of privacy rights.
C. British Columbia and Alberta
In both British Columbia and in Alberta, the Personal Information Protection Act (PIPA) does not grant individuals with a right to request the erasure of their personal information held by businesses. The rights under both the British Columbia’s and Alberta’s PIPAs are limited to the right to correct an error or omission in personal information. The PIPAs also includes a requirement for businesses to destroy or anonymize personal information when it is no longer needed for legal or business purposes or to comply with the law.
What the recent Bills are saying
Two major reforms of privacy legislation were introduced in 2020.
Two major reforms of privacy laws were introduced in 2020 in Canada. On the one hand, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, introduces several modifications to QC Private Sector Act. On the other, the federal level, Bill C-11, the Digital Charter Implementation Act, 2020, proposes to replace Part 1 of PIPEDA with the new Consumer Privacy Protection Act (CPPA).In Québec, Bill 64, which is currently under clause-by-clause consideration, proposes a slight rewording of section 28 of QC Private Sector Act, which would read as follows4:
“In addition to the rights provided under the first paragraph of article 40 of the Civil Code, any person may, if personal information concerning him is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it are not authorized by law, require that the information be rectified.”
As a result, the fact that Bill 64 does not mention the “deletion” of personal information in section 28 means that deletion requests will be limited to the two circumstances set out in article 40 C.c.Q., i.e., when the information is obsolete or when it is no longer necessary to fulfill a specific purpose. Two grounds that are practically the same if we consider that information that is no longer necessary is “obsolete”.
Bill C-11 directly deals with the issue of deletion of personal information by introducing a “right to disposal” of personal information, at the request of the individual, in section 55 of the CPPA. The term “disposal” is defined as the “permanent and irreversible deletion of personal information”. However, this new right would only cover information that the organization has collected “from the individual”. i.e. excluding information derived or inferred by the organization about the individual (e.g., credit score, online consumer behaviour, etc.) or information obtained from third parties. The Bill further states that a company may refuse a request to opt out only if:
- the request would result in the disposal of personal information about another individual and that the information is not severable; or
- a legal requirement or the reasonable terms of a contract prevent it from carrying out the disposal request.
The scope of the expression “reasonable terms of a contract” remains unclear. Notably, this exception does not appear to be limited to contracts with the individual. In other words, an organization could rely on some restrictions in a contract with a third party to restrict the exercise of the individual’s right to disposal to the extent that such a limitation is “reasonable”5. On the other hand, this exception may be difficult to apply in situations where the organization holding the personal information does not interact directly with the individual, for instance, in cases where information is collected under an exception consent or under implied consent.
Conclusion: is a right to deletion really necessary?
The main conclusion of our analysis is that Canadian private sector data protection laws do not provide individuals with a general right to request the deletion of their personal information held by a business.
Thus, under Canadian law, a business should destroy personal information it keeps not because the individual to whom the information relates requests it, but rather because retaining such information is no longer necessary to achieve a specific purpose. Indeed, in its investigation of the Desjardins data breach, the Office of the Privacy Commissioner of Canada emphasized that retaining personal information that is no longer needed increasingly exposed businesses to security breach risks.
That being said, given that Bill C-11 proposes to introduce a general right to request the “disposal” of their personal information, it seems appropriate to question the relevance of such a right. Insofar, privacy legislation already obliges organizations to collect and retain only the personal information necessary to fulfil a predetermined purpose. The added benefit of a right to deletion, in terms of increased protection of privacy rights, seems to be questionable. Instead, a right to deletion may create unrealistic expectations for consumers and increase the logistical burden of organizations.
1 However, it should be noted that there is some ambiguity in QC Private Sector Act as to whether individuals can ask a business to delete personal information that they consider obsolete, given that the CAI ruled that it did not have jurisdiction to determine whether personal information is obsolete and therefore is prevented from ordering the deletion of obsolete information held by a business, see S.B. c. Trans Union du Canada inc., 2015 QCCAI 78, par. 30.
2 See E.R. c. Sirco-Enquête et protection, 2012 QCCAI 407, par. 29-30 ; N.L. c. Fédération des caisses Desjardins du Québec, 2014 QCCAI 168, par. 64-66 ; et X c. Anapharm inc., no. 06 08 16, 30 novembre 2006, H. Grenier, par. 71.
3 See Garderie Cœur d’Enfant Inc., 2014 QCCAI 080272, par. 24 ; Banque Nationale du Canada, 2016 QCCAI 110676, par. 42 ; X. et Pharmaprix, 2014 QCCAI 1003352, par. 10
4 However, Bill 64 proposes to introduce the right of an individual to require that organization to cease disseminating personal information about him or her or to de-index any hyperlink associated with his or her name that provides access to such information, provided some specific criteria are met (see section 113 of the Bill).
5 For instance, an organization could be required by contract with “financial institutions that process credit card transactions to retain transaction data” for “charge backs, audits, and other unspecified purposes”, see Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2007-389, at paras. 62–63, Investigations into business.
