Pulling PIPEDA Apart – Canadian Privacy Highlights from 2019

2019 was an eventful year for privacy in Canada and an active one for the Office of the Privacy Commissioner of Canada (OPCC), as indicated by the 2018/2019 Annual Report, which was published later than usual by the Office in December 2019. The report frames privacy as a fundamental human right and provides the OPCC’s own views with respect to PIPEDA reform, a topic that the federal government has highlighted as a priority in recent mandate letters. The Commissioner stresses the importance of a law that: remains relevant despite technological changes; puts an end to self-regulation; ensures demonstrable accountability; and provides enforcement mechanisms that give individuals access to a quick and effective remedy for the protection of their privacy rights, and that create compliance incentives.

Meanwhile, as mandatory breach reporting under PIPEDA celebrated its one-year anniversary on November 1, 2019, the OPCC advised that 680 security and privacy breaches had been reported in the year since these PIPEDA amendments came into force, and that 58% of those were the result of unauthorized access to personal information. Additional statistics released by the Commissioner included a six-fold increase in breaches being reported to the Commissioner since mandatory breach reporting came into effect. A quarter of the reported breaches involved social engineering attacks such as phishing, pointing to the importance of training employees to identify suspicious requests.

Seven key 2019 PIPEDA decisions were also published by the OPCC, many of them based on investigations of issues that had received a great deal of public attention in prior years. The reports demonstrate that the OPCC is broadly addressing key privacy issues when publishing decisions, and is also providing guidance to businesses through its decisions that goes beyond the organization under investigation. The decisions were:

  • PIPEDA Report of Findings #2019-001: Equifax decision in light of the 2017 data breach. This finding resulted in a re-analysis of transborder data flows and then a reinstatement of the Commissioner’s 2009 position on transfers for processing.
  • PIPEDA Report of Findings #2019-002: Decision against Facebook in the wake of discovery of the social media giant’s disclosure of personal information to a third party app that was later used by Cambridge Analytica for targeted political messaging.
  • PIPEDA Report of Findings #2019-003: Investigation into the authentication and transfer practices used during Loblaws’ gift card offering. This decision provides a useful analysis of Loblaws’ privacy policy and contractual clauses with service providers that led to a finding that the accountability requirements in PIPEDA had been met.
  • PIPEDA Report of Findings #2019-004: Joint investigation of AggregateIQ Data Services by the OPCC and the Privacy Commissioner of British Columbia, focusing on compliance with the consent and data security requirements in PIPA and PIPEDA. This investigation was launched based on AIQ’s alleged involvement with the EU referendum vote.
  • PIPEDA Report of Findings #2019-005: 411Numbers, which operates more than a dozen websites providing free access to telephone numbers of individuals residing in Canada and other countries around the world, ceased the practice of charging a removal fee as a result of this investigation.
  • PIPEDA Report of Findings #2019-006: Grey House Publishing Canada was found to have lacked consent when publishing personal information. The OPCC stressed that in creating a directory, organizations should be careful in assessing whether the information they are collecting is personal information or business contact information, as defined in PIPEDA. If it is personal information, information obtained online can only be collected and used if adequate consent has been obtained.
  • PIPEDA Report of Findings #2019-007: Finding that Transunion (and credit reporting agencies in general) is authorized to rely on a PIPEDA consent exemption in order to disclose credit information to Statistics Canada (Subparagraph 7(3)(c.1)(iii): disclosure of personal information without the knowledge or consent of an individual to a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested to administer a law of Canada). Statistics Canada requested records for its Credit Information Project, which was aimed at generating statistics relating to household debt levels, among other subjects. Note, however, that the OPCC, which also oversees compliance with the public-sector Privacy Act, found this project to be invasive and recommended that Statistics Canada redesign it with privacy in mind.

As we head into the new decade, with PIPEDA legislative reform still on the distant horizon, it is important that privacy accountability be at the forefront in 2020 – with a rights-based approach, we are nudged to ask the deeper questions such as: What are the risks of de-identified data being re-identified? Why and how should privacy rights be respected? How would each of us representing data controllers want our own personal information managed?

In Canada, the 10 principles/pillars of the CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) provide general best practice and flexibility, with the Commissioner filling in the gaps in interpretation with guidance documents and investigation reports. It's up to organizations and privacy lawyers to use the space provided to make sound decisions that responsibly protect personal information in our innovative, data-driven world.

For assistance with key privacy decisions and complying with the privacy laws in Canada, contact PRIVATECH.
