On May 21, 2019, the Minister of Innovation, Science and Economic Development announced Canada’s new Digital Charter, which includes a number of proposals, among them reforming Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The Digital Charter is intended to lay the foundation for increasing consumer trust in the digital economy.
To put the principles of the Charter into action, a number of issues are discussed and questions raised under “Strengthening Privacy for a Digital Age”, including enhancing individuals’ meaningful control over their personal information. The government acknowledges that, given complex data flow models in the marketplace and digitally driven innovation, there is a lack of clarity on who is accountable for privacy best practice, and what exactly that should look like. There is also a proposal to redraft PIPEDA to integrate the Schedule 1 principles into the body of the Act in order to allow for clearer interpretation of the legal rules.
Given that PIPEDA reform is also expected to address transborder data flows, the Federal Privacy Commissioner, Daniel Therrien, stated at the recent 2019 IAPP Canada Symposium that his office’s consultation on transborder flows is being suspended. The consultation was expected to revisit whether an organization needs consent when disclosing personal information to a third party in the context of an outsourcing relationship.
Given that the current law may be drastically changed in the coming years, the Commissioner has stated that the consultation will be resumed in a new context with a focus on the future law. Until then, there appears to be a great deal of confusion – PIPEDA-governed organizations are essentially being told that it’s business as usual, but the Equifax decision clearly highlights that the Commissioner’s interpretation of PIPEDA has headed in a different direction. A stricter approach to data sharing by the regulator is still something to contend with, but consent models for outsourcing won’t work in practice. PIPEDA reform that would clarify this will take years.
The Federal Commissioner also hopes that PIPEDA reform will strengthen enforcement and has been pushing for order-making powers for some time. Most recently, the federal and B.C. privacy commissioners found, in their investigation of the Cambridge Analytica revelations, that Facebook violated the country’s privacy laws. The two agencies offered recommendations Facebook could implement to address deficiencies; however, the social media company disputed the findings and refused to apply any of the guidance. As stated by the Federal Commissioner, the fact that Facebook can simply disagree with the findings regarding lack of transparency and consent is a disgrace. The Federal Commissioner is now taking Facebook to Federal Court, but the case will have to be commenced from scratch and could take years to resolve.
What is clear to me is that our current law just isn’t set up well for heavy fines. Fines would certainly help the Commissioner’s office flex their muscles, but PIPEDA is nothing like the GDPR. It is a principle-based law that must be revamped with clear, specific rules for businesses to follow. An FTC representative at the IAPP Global Privacy Summit in Washington D.C. eloquently discussed the chilling effect fines under data protection laws can have if the laws don’t have clear, specific rules. So where does Canada land? Giving PIPEDA teeth will go hand in hand with revamping the law. It will take time, and while we wait, it is critical that businesses focus on transparency and their privacy accountability framework – “demonstrable accountability”, a term used regularly by Therrien, is what the regulators in Canada are looking for.
For assistance with your consent practices, developing transparent privacy policies or to better understand your privacy obligations as an accountable organization, contact PRIVATECH.