The federal Privacy Commissioner would have the power to make orders and impose fines for companies not complying with the Personal Information Privacy and Electronic Documents Act (PIPEDA), if the government approves suggested changes to the law recommended by a Parliamentary committee.
The change is one of a number unanimously proposed Friday by the Standing Committee on Access to Information, Privacy and Ethics. Some of the proposed changes could mean big changes in corporate privacy and marketing policies.
The recommendation doesn’t say what order powers the Privacy Commissioner should be given or how high the fines should be.
In his annual report to Parliament, Commissioner Daniel Therrien has asked for more enforcement power. Meanwhile, he will launch investigations into questionable privacy practices or chronic problems on his own when necessary rather than wait for complaints.
Some of the recommendations, if approved, could also bring PIPEDA closer to complying with Europe’s new privacy law, the General Data Protection Regulation (GDPR), which comes into effect May 25.
For some months, privacy experts have worried that Canada’s private sector privacy law doesn’t meet the requirements of GDPR and have warned that Canada may lose its valued adequacy status automatically on that date. That leaves open the possibility that privacy policies of Canadian organizations holding personal data on European customers will be rejected. On the other hand, the government says adequacy can only change if the European Commission makes a finding.
But the parliamentary committee has recommended the Personal Information Privacy and Electronic Documents Act (PIPEDA) be updated in a number of ways that could meet GDPR requirements. In addition, the committee recommends the government work with the EU to determine what would constitute adequacy status for PIPEDA in the context of the new General Data Protection Regulation (GDPR).
The suggested changes include giving the federal Privacy Commissioner enforcement powers, such as the power to make orders and impose fines for non-compliance, as well as broad audit powers, including the ability to choose which complaints to investigate.
“This Committee has listened to a variety of witnesses from a large cross-section of Canadians with regards to protecting their privacy,” committee chair Bob Zimmer (L-Prince George-Peace River-Northern Rockies) said in a statement. “We are deeply concerned with the rights and protections of all Canadians and I believe that the report tabled today highlights the concerns that we have for the future and the necessary updates to the Personal Information Protection and Electronic Documents Act.”
John Lawford, executive director of the Public Interest Advocacy Centre (PIAC), said many of the recommendations are good, especially one suggesting the government consider changing PIPEDA so companies can’t capture personal information of minors. He also agrees the Privacy Commissioner should get more powers. “Overall the tenor of the report was good. We’ll see what gets taken up.”
The committee made other recommendations to Parliament that if passed will affect corporate privacy and marketing strategies. They include:
- ensuring that consent remains the core element of the privacy regime, while enhancing and clarifying it by additional means, when possible or necessary;
- amending PIPEDA to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, with a view to also implementing a default opt-in system regardless of purpose;
- amending PIPEDA to replace the term “fraud” with “financial crime” (and propose a definition for that term);
- amending PIPEDA to provide for a right to data portability, which would give a person the right to transfer their personal data from one company to another. This right is one of the essential elements of the GDPR;
- considering implementing measures to improve the transparency of algorithms, such as those used in machine learning and artificial intelligence applications;
- study the issue of the ability of people to revoke the consent they’ve given to a company for use of personal data in order to clarify the form of revocation required and its legal and practical implications;
- modernizing the Regulations Specifying Publicly Available Information in order to take into account situations where individuals post personal information on a public website and in order to make the Regulations technology-neutral;
- considering amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests;
- examining the best ways of protecting depersonalized data;
- considering implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information. This is also linked to the issue of the right to ask sites like search engines to de-index links to certain pages (see below). One issue, Lawford said, is that young people’s ability to make an informed decision on consenting to allow their personal information to be used by a company is limited. The Canadian Marketing Association already has a rule that sites shouldn’t market to people under 16, he pointed out;
- considering including in PIPEDA a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;
- considering including a framework for the right to de-indexing web links to Internet stories in PIPEDA, and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors. The issue of de-indexing links for searches on request has been raised by people who were involved in criminal convictions or divorces years ago and want these events placed lower in searches for their names;
- consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information;
- determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR; and, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, create mechanisms to allow for the seamless transfer of data between Canada and the EU;
- work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the EU.
Under the EU’s current privacy regime, PIPEDA — which companies here have to follow unless provincial legislation applies — has adequacy status. Privacy experts have worried that after May 25, when the GDPR comes into effect, PIPEDA would automatically no longer be seen as adequate under the GDPR.
However, last year a spokesperson for the department of Innovation, Science and Economic Development told ITWorldCanada.com that PIPEDA’s adequacy status won’t change automatically.
“The EU is not required to render opinions on adequacy rulings prior to its new privacy regime taking effect in May 2018,” the official said. The Privacy Commissioner’s office said it understands a review of the GDPR by the European Commission is required by May 2020. “We also understand that Canada’s adequacy will remain in force under the directive until the EC decides otherwise.”