Strengthening Privacy for the Digital Age
From: Innovation, Science and Economic Development Canada
Proposals to modernize the Personal Information Protection and Electronic Documents Act
Introduction
Technology has long brought enormous benefits, along with profound changes, to almost every aspect of human life. Much as the
printing press revolutionized society starting in the 15th century, the digital revolution has had, and will continue to have, an
enormous impact on daily life. Business, communications, entertainment, transportation, banking, education, health care, our
interpersonal interactions and our physical movements — almost every aspect of our lives is mediated by digital technology. And
with those interactions, enormous amounts of data about individuals are being created and harnessed for a vast array of purposes.
Digital and data-driven technology is already empowering science, supporting innovation, and driving economic growth. For
example, advancements in areas including robotics, artificial intelligence (AI), quantum computing, and nanotechnology are leading
to ground-breaking discoveries with significant economic and social benefits. But while these technological achievements are in
many ways enriching our society, this transformation also brings with it challenges and uncertainty that we as a country must be
prepared to address. In response to this, some stakeholders have called for the Government to adopt a National Data Strategy.
On June 19, 2018, the Government of Canada launched its National Digital and Data consultations to demonstrate its commitment to
continuing to work together to make Canada a nation of innovators. As we noted in Canada’s Digital Charter in Action: A Plan by
Canadians, for Canadians, we asked Canadians across the country to share their unique perspectives and ideas on what are some
of the challenges and areas of opportunity for Canada in this time of transformation. And we received a resounding response — from
small business owners and multi-national companies; students, teachers, and researchers; innovators and entrepreneurs; and
everyone in between.
Canadians shared their optimism with us about the great social and economic potential for Canada in this digital age. But they also
shared their concerns about how personal data could be used. Simply put, the way forward on data collection, management and use
must be built on a strong foundation of trust and transparency between citizens, companies and government.
Trust is indeed the lynchpin of the digital and data-driven economy. Yet, clearly, individuals' trust is at risk. Popular media is rife with
stories of data breaches; misuse of personal information by large companies; foreign interference, and malicious actors;
cyberbullying; along with increasing concern about the impacts of the digital and data revolution on issues ranging from our mental
health to democratic institutions. Ineffective or inconsistent security hygiene; a lack of competition; and business models that are
based on surveillance of individuals have left individuals increasingly wary of how the products and services on which they now
depend for nearly all aspects of their activities are collecting and using their personal information.
Trust, the Digital Economy and the Personal Information Protection and Electronic Documents Act
In the early days of the commercial Internet, when e-commerce was emerging, the Government of Canada enacted the Personal
Information Protection and Electronic Documents Act (PIPEDA) to ensure trust in the emerging economy. Its stated purpose is:
to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the
collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect
to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a
reasonable person would consider appropriate in the circumstances.
A principles-based, technology-neutral law, PIPEDA applies to a wide range of commercial activity, and is overseen by an Agent of
Parliament, the Office of the Privacy Commissioner of Canada. In the nearly 20 years since it came into force, commercial activity
has evolved rapidly and in ways unforeseen. Based on the internationally accepted privacy principles contained in the Organisation
for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data (Privacy Guidelines), the 10 interrelated privacy principles (and related sub-paragraphs) in PIPEDA guide organizations'
personal information handling activities. One of these principles, Knowledge and Consent, along with a limited set of exceptions to
consent, authorize those activities, which are required to be "appropriate in the circumstances." The rest of the principles, such as
accountability, openness, accuracy, access, safeguards, redress, among others, are intended to ensure that organizations treat
personal information in a manner that is fair and understandable to the average person and in keeping with their reasonable
expectations. The law has been applied to a wide variety of business activities, including in the context of trans-border data flows,
and has proven to be reasonably nimble in the nearly 20 years of its existence.
Page 1 of 14Strengthening Privacy for the Digital Age - Innovation for a Better Canada
12/11/2019https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html
That said, it has been criticized, particularly in terms of its consent regime and enforcement model, for not providing the kinds of
incentives in a data- and digitally-driven economy to ensure that organizations are in compliance. The House Standing Committee on
Access to Information, Privacy and Ethics, has also recommended updates to improve individual control and organizational
transparency, in order to strengthen privacy protections in an age where individuals feel a lack of control and understanding. The
Government of Canada has stated its agreement with recommendations made in several recent Parliamentary reports that
changes are required to Canada's federal private-sector privacy regime to ensure that rules for the use of personal information in a
commercial context are clear and enforceable and will support the level of privacy protection that Canadians expect.
The principles outlined in Canada's Digital Charter, along with their supporting activities, collectively provide the foundation for
achieving a strong and vibrant digital economy for Canada. The reform of PIPEDA must contribute to achieving the outcomes related
to these principles. PIPEDA, as a key element of Canada's marketplace framework, must also contribute to achieving an inclusive
digital economy that provides a level playing field, fairness of opportunity, enhanced security and privacy, predictability for business,
and international competitiveness.
Canada is facing these opportunities and challenges in parallel with other leading nations as part of a global innovation race. Our
global competitors are taking aggressive action in terms of supporting trust and privacy to lead in a data-driven, digital global
marketplace.
Next generation privacy and e-protection laws, specifically in the European Union but also in the United States, are impacting
domestic policies and practices. There is a desire for an approach to personal information protection in the private sector that meets
Canada's needs and remains interoperable with leading jurisdictions. While there is commonality amongst privacy statutes in
Canada and abroad, a number of important distinctions between Canadian and international frameworks are challenging the goal of
an integrated digital economy both at the domestic and international levels.
The Government is considering how best to modernize its private-sector policy and regulatory framework in order to protect privacy
and support innovation and prosperity. In short, the goal is to respect individuals and their privacy by providing them with meaningful
control without creating onerous or redundant restrictions for business; enable responsible innovation on the part of organizations;
and ensure an enhanced, reasoned enforcement model.
Specifically, the Government is proposing clarifications under PIPEDA that detail what information individuals should receive when
they provide consent; certain exceptions to consent; data mobility; deletion and withdrawal of consent; incentives for certification,
codes, standards, and data trusts; enhanced powers for the Office of the Privacy Commissioner; as well as certain modernizations to
the structure of the law itself and various definitions. The proposals outlined in this paper fall within a broader conceptual framework,
detailed in Annex A, for advancing policy work in the digital and data context.
With this discussion paper, Innovation, Science and Economic Development (ISED) Canada is continuing the dialogue on "Trust and
Privacy" that was initiated in the Data and Digital consultations in 2018. This paper outlines a series of policy considerations related
to specific proposals that would serve to enhance consumers' control, enable responsible innovation and enhance enforcement.
The Government is also studying potential reforms to the Privacy Act, which governs the personal information-handling practices of
federal institutions. That initiative is being led by Justice Canada, working closely with the Treasury Board Secretariat.
Part 1: Enhancing individuals' control
Issue:
The increased volume and complexity of data flows has strained the traditional knowledge-and-consent system and left individuals
without meaningful control over their personal information and privacy.
Why is this an issue?
Digital platforms and services have become an integral part of how Canadians live, work and play. Yet, platforms and products are
increasingly designed to gather and share data and/or monitor users by default, reducing consumer choice and making consent less
relevant. As noted by Teresa Scassa: "…the Personal Information Protection and Electronic Documents Act's consent-based regime
may need to be supplemented, and there is considerable interest in consumer- and competition-friendly tools, such as data
portability, that give consumers more control over their personal information. Increasingly, public harms — algorithmic bias and the
manipulation of individuals and groups — flow from the capture and use of personal information. New frameworks are required for
the ethical use of data."
PIPEDA's requirement for knowledge and consent requires organizations to inform individuals of the purpose of the collection, use or
disclosure of their personal information, and to obtain their consent. In practice, however, it has meant that individuals have borne a
great deal of the responsibility to inform themselves of an organization's privacy management practices and to understand the
nature, purpose and consequences of consenting to have their information collected, used and disclosed by the organization.
This is what Daniel Solove from George Washington University Law School has labeled a Privacy Self-Management approach,
whereby the onus is on the individual to manage their privacy. Complex data flows involving numerous parties strain an
individual's ability to fully comprehend what they are consenting to. Although many organizations have privacy policies in place,
these are notoriously long and complex to understand, and most individuals neither have time nor sufficient legal training to
understand them. Solove notes that "(b)ecause individual decisions to consent to data collection, use, or disclosure might not
collectively yield the most desirable social outcome, privacy self-management often fails to address these larger social values."
The multiplicity of online interactions can present challenges to individuals to understand the nature and extent of information sharing
that occurs in this environment.
Furthermore, a lack of transparency around automated decision-making processes and the resulting decisions increases individuals'
concerns related to bias and potential discrimination. Ian Kerr notes that "... AIs [artificial intelligences] are designed in ways that
raise unique challenges for privacy. Many use machine learning to excel at decision-making; this means AIs can go beyond their
original programming, to make 'discoveries' in the data that human decision-makers would neither see nor understand... I would
therefore submit that PIPEDA requires a duty to explain decision-making by machines." There is also the emerging presence of
software agents and bots interacting in the marketplace. This has the potential to deceive users and undermine confidence in the
digital marketplace and underscores the need for measures to ensure trust is maintained.
Canadians have made their concerns very clear. Eighty-four percent of Canadians are concerned with the use of personal
information by social media platforms. Nearly three in four (74%) Canadians think they have less privacy protection than ten years
ago. Ninety percent of Canadians would be "very" or "fairly" likely to sever ties with businesses that use data "unethically".
Seventy-one percent of Canadians would be more likely to do business with a company if it was subject to strict financial penalties.
According to the Canadian Automobile Association's survey of Canadians regarding autonomous vehicles, 81 percent of Canadians
feel a "need for clear, enforced rules to protect their privacy of personal information when it comes to vehicle data."
The results of the National Data and Digital Consultations showed that Canadians want more transparency in how their data is being
collected and how it is being used. However, current models that rely completely on the provision of an individual's consent to
complex and lengthy privacy policies are inadequate and do not help to build trust. Canadians also want greater control over how
their information is used, and need to see the value of the benefits it brings. Moreover, next generation privacy laws are including
new responses to these issues by providing for explicit new rights for data mobility, expanding on rights around transparency and
automated decision-making, and for deletion of their information. Canada needs to consider these options as possible responses to
ensure that Canadians have the control they need to trust the data and digital economy.
A. Possible options — Consent and transparency
• The ETHI study on PIPEDA, as well as consultations undertaken by the OPC, have resulted in a number of suggestions on
how to improve individuals' control, and what the role of consent in privacy protection should be. Personal information
protection laws, including PIPEDA (in consent and the existing exceptions to it) and the GDPR (outlined in its grounds for
"processing"), recognize a variety of grounds for the handling of personal information. A number of proposals currently being
put forward for a national US privacy law also reflect such an approach. Indeed, the Privacy Commissioner noted, "(i)n seeking
to find solutions to the challenges of the consent model in the digital realm, it may be that consent is simply not practicable in
certain circumstances."
• The first possible set of options focuses on consent, exceptions to consent, transparency, and the definition of de-identified
information and publicly available information. One potential approach for PIPEDA is to specify what information is needed as
the basis for meaningful consent. Requiring too much detailed information in the consent process can overwhelm individuals
or become yet another screen on a device to click-through in the rush to get to the product or service. That said, when it comes
to transparency in automated decision-making or accountability, an area of increasing concern as we move towards artificial
intelligence and machine learning, a light should be shone on the use of these technologies to help inform individuals and
oversight bodies about the basis for impactful decisions about individuals — a fundamental tenet of privacy protections.
• Equally, we must focus consent on situations where there is an opportunity for individuals to make a meaningful and informed
decision. To do so it will be necessary to identify purposes for which consent may not be necessary or even appropriate.
• A component of this issue concerns the concept of de-identification.
• Under PIPEDA, personal information is defined as information about an identifiable individual. According to the Federal Court
of Canada, "information will be about an 'identifiable individual' where there is a serious possibility that an individual could be
identified through the use of that information, alone or in combination with other information." "About" means that the
information is not just the subject of something but also relates to or concerns the subject. Generally speaking, the definition
of personal information is given a broad and expansive interpretation. In the era of Big Data, however, when vast amounts of
data are being created every day, this potentially means that any piece of data could be considered to be about an identifiable
individual. Moreover, there are increasingly sophisticated means to re-identify information that ostensibly appears to be non-
personal. The idea that the anonymization of information, which would render such information outside the scope of privacy
legislation, is practically attainable, is unlikely. That said, a risk-based approach, in which de-identified information could be
defined and its use allowed in certain specified circumstances, with penalties for re-identification, could be taken to both
address privacy concerns and enable innovation.
• Concepts such as pseudonymous information are being incorporated into other privacy laws, in recognition that there is a
desire to use information that need not necessarily be personally identified, but that remains identifiable, and that protections are
needed for such information. The concept of pseudonymous information could be incorporated into exceptions to consent, to
clarify that while this information may not be "identified", it still retains a privacy interest and must be protected.
• ETHI also raised concerns about consent and personal information in the public domain. PIPEDA currently contains the
Regulations Specifying Publicly Available Information, which are outside of the knowledge and consent requirements. Drafted
at the same time as PIPEDA, it reflects, to some degree, the technology and uses of its time, and includes information sets
(such as registries) that were mandated to be publicly available. Personal information and classes of personal information are
listed, along with restrictions (generally, the collection, use or disclosure of such information must relate directly to the purposes
for which it was made publicly available), and are exempt from the requirements for knowledge and consent. Some have
argued that these Regulations need updating to reflect the current environment; others have raised concerns about the need to
respect the privacy interests attached to such information. This issue also relates to individuals' online reputation, which is
discussed further, later in this Part.
We therefore propose to:
Provide more meaningful controls and increased transparency to individuals by:
• Requiring organizations to provide individuals with the information they need to make informed decisions, including requiring
specific, standardized, plain-language information on the intended use of the information, the third parties with which
information will be shared, and prohibiting the bundling of consent into a contract.
• Providing for certain alternatives or exceptions to consent to facilitate use of personal information by business under specific
circumstances, to cover, for example, common uses of personal information for standard business activities. Likewise, adding a
definition of de-identified information, along with an exception to consent for its use and disclosure for certain prescribed
purposes and penalties for re-identification, could also enable the use of such information for appropriate purposes, while at the
same time ensuring that it is otherwise subject to the protections afforded under PIPEDA. Developing such a definition,
however, will be challenging given that nearly any information can be personal information.
• Consent would still be required for those uses that have the biggest impact on individuals. This would of course not encompass
those situations where consent is inappropriate or contrary to the activity, such as investigations, responding to subpoenas or
other lawful means to compel the production of information.
• Informing individuals about the use of automated decision-making, the factors involved in the decision, and where the decision
is impactful, information about the logic upon which the decision is based. Such a requirement would not extend to revealing
confidential commercial information to an individual. As more complex data uses, especially those that do not involve human
discretion, such as those supporting the development of artificial intelligence, increasingly move out of research labs and into
the marketplace, automated decision-making will become the norm. With it comes the risk of misuse of personal information
that can result in undue discrimination and bias. The purpose of shining more light on automated decisions is to assist
individuals in better understanding how such decisions are made about them.
• Requiring enhanced transparency of practices, by explicitly requiring organizations to demonstrate their accountability,
including in the context of transborder data flows. This proposal is explored further in Parts 2 and 3.
• Exploring the definition of publicly available information.
Considerations and questions:
• PIPEDA already requires organizations to notify individuals of the purposes for the collection, use or disclosure, and to inform
individuals of the types of personal information being collected as part of being open about their personal information policies
and practices. The Office of the Privacy Commissioner of Canada (along with its provincial counterparts in Alberta and British
Columbia) has issued guidance on this question. Under consideration are further clarifications in law.
◦ Will the additions we are proposing be enough to increase meaningful consent for individuals?
◦ Some jurisdictions have defined enhanced measures, such as prohibitions or explicit consent, linked to the collection
and processing of sensitive personal information, whereas PIPEDA has always taken a contextual approach. Should
sensitive personal information be defined, with specific protections added?
• Taken together, enhancing consent requirements where the impact is greatest, and reducing reliance on consent for common
practices or trust environments (see Part 2), could provide a balanced approach for individuals and businesses. For example, it
could give more meaningful control to individuals and reduce the risk of "consent fatigue" by removing the need to consent to
uses that most individuals would consider reasonable and focusing on those of greater risk. For business, it could provide
greater certainty about those practices where consent is required and reduce the risk of objection to common business
practices (though they will still need to be open about these practices by outlining them in a privacy policy readily available to
individuals).
• The term "standard business practices" could capture purposes such as fulfilling a service; using information for authentication
purposes; sharing information with third-party processors; risk management; or meeting regulatory requirements. The
accountability principle, as well as all other requirements under the Act would continue to apply.
◦ What are the benefits or risks of removing the requirement to obtain consent to process personal information for purposes
that are considered to be standard business practices?
◦ What activities should be captured by such a provision?
◦ What must be outside the scope of such a provision?
• This approach would require companion amendments to enhance the oversight role for the Privacy Commissioner. The
existing overarching requirement that purposes be appropriate would, of course, remain.
• The concept of de-identified/pseudonymized data is being recognized in other laws as a way forward to enable innovation and
protect privacy, with appropriate conditions surrounding it. Adopting a similar approach as exists in other jurisdictions will also
help with interoperability concerns and will bring greater certainty to individuals and organizations, especially in the cross-
border context. In Part 2, we propose a particular use, without consent, for de-identified information, related to research and
data trusts.
• While de-identification can provide for increased security and confidence to allow increased data use and sharing, there are
increasingly sophisticated techniques that permit the re-identification of so-called de-identified or anonymized data.
◦ What other protections for de-identified data would be required to mitigate the risks of re-identification?
• Lastly, with respect to publicly available information, this is a very complex issue, with many implications for individuals and
organizations. Recent controversies have illustrated the privacy implications that arise from the use of social media information,
for example.
◦ Does the current definition provide enough clarity and certainty for businesses and individuals to understand how
personal information in the public domain should be protected?
B. Possible options — data mobility
"Data mobility" refers to enabling individuals to request that the personal information that they have provided to an organization be
provided to another organization. It has been touted as having the potential to empower individuals to "vote with their feet" so to
speak. It is viewed by some as an evolution to the existing provisions in PIPEDA for access to one's own personal information and
for withdrawal of consent.
Studies in other jurisdictions have determined that data mobility has the potential to enhance consumer choice thus fostering the
emergence and growth of innovative new goods and services, in addition to supporting greater individual control over data and
encouraging competition. As noted by Michael Geist in his Senate testimony on data mobility in the banking sector, "there are
undoubtedly security protocols and standards to be developed, but the starting point is regulated support for a consumer-focused
system that gives consumer control by opening their data at their request."
We therefore propose to:
Introduce new data mobility opportunities to enhance individuals' control over information by:
• Providing an explicit right for individuals to direct that their personal information be moved from one organization to another in a
standardized digital format, where such a format exists.
Considerations and questions:
• This approach would need to be complemented by the development of common approaches to data transference, reception,
and use, potentially through codes of practice or the development of technical standards.
• Exceptions to the requirement to port data must be provided in situations where it would be contrary to law enforcement,
prejudice an investigation, would reveal proprietary processes or technologies, or where it is not technically feasible.
• There are a number of issues with respect to implementation of data mobility under PIPEDA. In particular there is a question as
to whether the provision should capture derived information (e.g. a profile or categorization of the individual by that
organization), and information pertaining to a third party (e.g. the individual's contact list). It will also be important to manage
expectations. Data mobility can raise significant consumer expectations; for example, there may be instances where a
competitor does not yet exist or where mobility may not be technically feasible.
◦ Should a provision for data mobility refer strictly to information that is provided by the individual and exclude derived
information?
◦ Should a provision for data mobility capture 3rd party information?
C. Possible options — online reputation
• There has been a great deal of discussion in recent years about the impact of the online environment on individuals' ability to
manage their privacy and reputation. While social media facilitates connectivity amongst individuals, it can also present
challenges for individuals to control all possible third-party use of their personal information. The incident involving Facebook
and Cambridge Analytica is but one example of this.
• Some of PIPEDA's existing provisions are helpful in addressing reputation issues; in particular those allowing individuals to
correct the accuracy of their information, withdraw consent for the use of their information, and to go on the record in relation to
disputed personal information. There are also provisions limiting the retention of personal information and requiring disposal of
personal information when no longer required. In all, these contribute to providing individuals with some measure of control.
• However, there are limits to the effect of these provisions in the online environment and the Government recognizes the
particular risks to youth and children.
• Some responses put forward in other jurisdictions include de-indexing and source takedown/deletion. De-indexing involves the
removal or suppression of certain links in online search engine results. Source takedown/deletion refers to the removal of
personal information from sites where the information is directly provided by an individual.
• At the time of writing, the application of PIPEDA to search engines is before the Federal Court of Canada. This discussion
paper will therefore not focus on de-indexing at this time.
• Another key challenge is that storage of information has become extremely cheap, and the amount of information that can be
retained is vast. Although PIPEDA currently requires personal information to be kept only as long as needed to fulfill identified
purposes, this often does not happen. In an age in which personal information is increasingly monetized, the incentives to keep
personal information — in case it may be of use at a later point — are great. Stale information may be used against individuals
and have impacts on their reputation. It can also be replicated easily (this is particularly challenging in the social media
context).
• The following are possible options to enhance existing abilities to remove personal information at the source:
Enhance the ability of individuals to maintain their online reputation by:
• Requiring organizations to inform minors about their right to delete or de-identify their personal information that they provided
and how to do so, with minimal exceptions;
• Providing all individuals with the explicit right to request deletion of information about them that they provided, with some
caveats.
• Ensuring the accuracy and integrity of information about an individual throughout the chain of custody by requiring
organizations to communicate changes or deletion of information to any other organization to whom it has been disclosed.
• Exploring the use of defined retention periods to increase data integrity and decrease the risk of misuse.
Considerations and questions:
• These options expand on or clarify existing rights under PIPEDA. They also reflect a movement in other jurisdictions towards
providing individuals with explicit rights to deletion of their information in certain circumstances.
• The possible options would clarify and enhance PIPEDA's rules around deletion and withdrawal of consent, thereby giving
individuals, in particular youth, greater control over their personal information and reputation. Providing a specific right for
young people recognizes the importance of being able to explore interests and friendships online without these activities
prejudicing them later in life.
• There is a potential for such provisions to impose a compliance burden on organizations, and to unnecessarily impede access
to information that is critical for business.
• For example, it may be challenging in some instances for an organization to know who is a minor. It may also be difficult to
comply with a deletion request when information was provided by a third party.
◦ Do these proposals adequately enhance control for young people?
◦ What parameters should be considered in order to mitigate the burden to organizations of complying with such
provisions?
◦ Should there be a defined retention period under PIPEDA?
Part 2: Enabling responsible innovation
Issue:
Increasingly, new business models and emerging technologies rely on complex uses of personal information by a variety of players.
This has led to calls for enhanced access to personal information for the development of innovative products and services. At the
same time, this triggers the need for increased accountability and higher standards of care to ensure privacy and security are
respected. Added to this is the concern that it is not always clear how a principles-based law applies to new business
models/technologies.
Why is this an issue?
As noted in Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians: "Canada has the right ingredients to thrive in an
increasingly digital world. We have strong research capacity, a diverse and highly educated workforce, and a strong investment
climate. We are tech savvy and well-connected with 87 percent of Canadians and 95 percent of Canadian businesses connected to
the Internet. Eighty-eight percent of Canadians have a mobile device."
Data is the fuel to grow the Canadian data-driven economy, yet complex data flows involving numerous parties, often across
borders, can reduce an individual's sense of control over their personal information and ultimately their trust that it can be
adequately protected. This, combined with the perceived lack of transparency around automated decision-making processes,
including programmatic processes, increases individuals' concerns over the potential for abuse of data collected/used.
Almost every organization is now in the data business in some way, resulting in a lack of clarity about who is accountable for
personal information. The autonomous vehicle industry is illustrative of this point. In addition to the sensors the vehicle manufacturer
has placed within the vehicle, there are the other platforms and application developers that are also collecting data about the vehicle
and the driver. In other instances, there is increasing collaboration between public and private sectors (a timely example is in the
smart city scenario), which raises concerns about accountability, appropriate uses of data in the public interest, and access to data
for public policy-making.
Given the importance of data- and digitally-driven innovation to Canada's economy and future prosperity, the legislative frameworks
that support this marketplace must be balanced and fit for purpose.
A. Possible option: Enabling data trusts for enhanced data sharing
When compared to other jurisdictions, countries such as Canada could benefit from models that maximize the use of available data
and provide a means to securely pool the data in pursuit of innovation and public good, particularly in areas such as health or
transportation. Emerging solutions, such as "data trusts" may provide a way forward to help enable responsible innovation,
particularly in the case of public-private partnerships.
Data trusts would involve trusted third parties managing access by organizations to sensitive databanks for research and
development purposes, while protecting privacy and ensuring that organizations use data appropriately. Trusts are a framework for
fiduciary asset management; policymakers, firms, and experts have begun to explore the potential application of such a trust model
to data governance. Bianca Wylie and Sean McDonald of the Centre for International Governance Innovation have identified data
trusts as providing "a way for data rights holders to aggregate and build leverage toward collectively bargaining for more balanced,
publicly beneficial data relationships... The act of creating a data trust... is inherently specific, requiring the parties involved to agree
on a common purpose, a governance structure and a clear theory of shared benefit." Data trusts treat datasets as the assets that
an independent third party must manage according to contractual terms designed to ensure the responsible, appropriate use of
those assets.
We therefore propose the following:
Encourage use of data for research/innovation
• By establishing a regime for use of de-identified data in PIPEDA, the creation of data trusts could be supported, whereby de-
identified information could be processed without consent when managed by a data trust. This could be done by revising the
existing consent exception for research to encourage the creation of a data trust. Such a regime could create a clear legal
framework for the sharing of information without the need to seek consent but would otherwise ensure appropriate coverage
under the Act.
• This approach would need to be accompanied by prohibitions against intentional re-identification or targeting of individuals in
data, or re-identification as the result of negligence or recklessness.
• This approach would need to clearly establish linkages between enforcement of PIPEDA and oversight of a data trust.
Considerations and questions:
• Data trusts could potentially provide a secure and privacy-enhancing means to share data in order to spur the development of
AI innovations in a broad spectrum of the economy. Data trusts have the potential to allow for greater sharing and use of data
for socio-economically beneficial purposes within a framework that protects against abuses of that data.
• Canada's closest allies are exploring trusts in AI/data policies. The United Kingdom is examining data trusts as standard
contracts for sharing of public- and private-sector data and Australia is in the process of creating new entities to manage
private access to public-sector data.
• There are also a number of private-sector examples of data trusts, such as firms that serve as a GDPR-compliant data
controller on behalf of their clients or organizations that will provide academics with access to data through a trusted
intermediary for approved research purposes.
• The model has the potential to provide both trusted access and disclosure of data as well as a level of oversight and
accountability of those that gain access to data through the possibility of authentication and identity schemes.
◦ Could PIPEDA be harnessed to encourage the development of data trusts, in particular the existing exception to
knowledge and consent for the disclosure of personal information for research and statistical purposes?
Possible options — self-regulation and technical standards
In keeping with Canada's strategic objective to preserve the free flow of information across borders while maintaining meaningful
privacy protection, Canada is engaged in international fora that promote global interoperability of privacy frameworks. Specifically,
Canada supports multilateral approaches to privacy that seek to "bridge" privacy regimes internationally such that a form of "mutual
recognition" is established across multiple countries or regions. APEC's Cross Border Privacy Rules System (of which Canada is a
participant) is a good example. Given various initiatives are currently underway to "bridge" the APEC system with non-legislative EU
legal instruments for transborder flows, the APEC system could be of considerable interest (and utility). The OECD Privacy
Guidelines is another example of the type of international arrangement that Canada supports. Promoting global interoperability of
privacy frameworks is a key foundation of Canada's approach to privacy. Integration of codes and standards as part of a statutory
framework can further assist in aligning privacy frameworks both domestically and internationally.
PIPEDA provides a baseline for privacy protection, and currently contemplates a role for codes of practice. Other jurisdictions have
recognized the value of codes, standards and certification schemes in improving regulatory agility, and supporting responsible
innovation. These schemes have the potential to provide more specific protections for certain sectors or activities, and to increase
transparency and certainty for individuals. Furthermore, such approaches could potentially help individuals make choices based on
organizations' privacy practices. In short, there is a need to recognize the value and utility of standards, codes and certification as
tools to underpin privacy "rules" and try to influence and encourage their development in areas that reflect Canadian requirements,
priorities and interests. Moreover, adherence to codes and standards could incentivize compliance and potentially help enable a
more proactive enforcement model. In Revisiting the Governance of Privacy, Contemporary Policy Instruments in a Global
Perspective, Colin Bennett and Charles Raab propose, "In domestic and international arenas, standards could fill important gaps in
the enforcement regime, relieve regulators of compliance work and serve as credible methods of certification for transnational
transfers of data."
We therefore propose the following:
Incentivize the use of standards and codes
• The development of codes of practice, accreditation/certification schemes and standards could be encouraged through formal
recognition in PIPEDA as a means of demonstrating due diligence in regards to compliance with certain provisions of the Act.
• This could be further supported by providing the Minister of ISED, as part of his responsibilities for administration of the Act,
with broad regulation-making authority related to accreditation/certification schemes.
• Validation of codes or certification mechanisms could be achieved through recognition by the OPC and serve as a mitigating
factor in the event of investigations or enforcement action.
Considerations and questions:
• Certification, codes of conduct and standards could be used as mechanisms to enhance international interoperability and
coherence across substantially similar legislation. However, there are two potential downsides to certification and codes, in
particular: typically, these are expensive, and without appropriate oversight, they can be at best meaningless and at worst
deceptive.
• To address the concern about oversight, if officially provided for under PIPEDA, they could offer a route for proactive oversight
by OPC.
◦ Would a certification mechanism for companies to proactively demonstrate compliance with PIPEDA, with the OPC being
given authority to periodically review an organization's adherence to the certification scheme or code, be welcomed by
both organizations and consumers?
◦ What role could other organizations play, for example, the Standards Council of Canada?
◦ How could such bodies co-operate?
Part 3: Enhancing Enforcement and Oversight
Issue:
There is a growing view that the ombudsman model and enforcement of PIPEDA, which relies largely on recommendations,
naming of organizations in the public interest, and recourse to the Federal Court, to effect compliance with privacy laws, is outdated
and does not incentivize compliance, especially when compared to the latest generation of privacy laws. The current state of affairs
cannot continue; meaningful but reasoned enforcement is required to ensure that there are real consequences when the law is not
followed.
Why is this an issue?
There are currently constrained consequences and impacts on organizations for non-compliance with PIPEDA. Following an
investigation, the Privacy Commissioner can make recommendations, enter into a compliance agreement with an organization or
pursue the matter in Federal Court, where there will be a de novo hearing. Should there be recommendations at the end of an
investigation, an organization will likely incur costs associated with implementing those. If the Commissioner makes his findings
public and names the organization, there may be some negative attention, which can impact the bottom line. However, while the
Commissioner's recommendations are often followed, this is not always the case. Indeed, a recent privacy incident has its roots in a
complaint investigation by the Privacy Commissioner from 10 years ago, where the Commissioner found that the earlier
recommendations were not fully followed or implemented, and the behaviour that was offside the law continued. The lack of
consequences for egregious behaviour has been noted as being unfair to others in the economy, and is unacceptable. Good players,
who seek advice, make improvements, and who, in short, spend money to ensure compliance, may welcome a more level playing
field.
The possibility of stronger financial consequences for organizations that are offside of the law will incentivize them to take measures
to be in compliance. There are some indications, based on the response of organizations when breach reporting became mandatory
in 2018, and with it, the possibility of fines for willfully not reporting or keeping records of breaches, that the threat of financial
penalties causes organizations to pay attention. Likewise, when the GDPR came into force, much of the media coverage and
discussion in various fora centred on the substantial fines that could accrue to organizations found offside of the law. Although the
United States is currently considering a federal privacy law covering the private sector, the Federal Trade Commission (FTC) has
negotiated a number of settlements under its current (and more limited) privacy rules. Closer to home, some of the Privacy
Commissioner's provincial counterparts (and all three who oversee provincial private-sector privacy law) have order-making powers.
Should Bill C-58 pass, the Information Commissioner, an Agent of Parliament like the Privacy Commissioner, would also have order-
making power.
It should also be recognized, though, that non-compliance can sometimes be the result of a lack of clarity or certainty in terms of
organizations' obligations under the Act. Organizations may want to comply but have difficulty understanding what they need to do in
certain circumstances. Our proposals to address this are outlined further in Parts 2 and 4.
While the current model largely emphasizes mediation and negotiation, as well as education, to achieve compliance objectives, high-
profile and significant incidents involving unexpected uses of personal information, as well as breaches, are eroding confidence in
the digital economy and raising privacy concerns. Now is the time to strengthen Canada's privacy framework to ensure that
Canada's federal private-sector privacy regime does not fall further behind.
Possible options — enhance the Commissioner's powers
The Commissioner currently has a range of investigation powers, including the ability to compel evidence, administer oaths, enter
premises, examine documents, and interview witnesses. He or she may initiate an investigation on his or her own, where there are
reasonable grounds, and he or she can accept complaints from any member of the public. At the end of an investigation, the
Commissioner can issue a report with recommendations or enter into a compliance agreement. He or she may also take a matter to
the Federal Court at the end of an investigation (there is no recourse to the Court in cases where the Commissioner initiated the
complaint). The Court can then order remedies or award damages. The Commissioner may also conduct an audit if the
Commissioner has reasonable grounds to believe that the organization has contravened a provision of the Act or Schedule 1. The
Commissioner has no recourse to the Federal Court at the end of an audit.
Apart from these investigatory powers, PIPEDA requires the Commissioner to educate organizations and individuals on the Act,
conduct research, develop guidance and encourage the development of codes of practice.
An effective enforcement regime generally involves activities related to four key components:
We therefore propose modernizing Canada's private-sector privacy law by incentivizing compliance of multi-nationals and small- and
medium-sized enterprises (SMEs) by:
A. Education/Outreach:
• Maintaining the Privacy Commissioner's education and awareness mandate to provide high-quality guidance on complex
matters that are covered by PIPEDA as well as its ongoing implementation.
• Extending the Minister's existing authority under PIPEDA to request that the Privacy Commissioner undertake research, to
include privacy themes relevant to the Minister's mandate in his research and guidance development, which may allow for
greater clarity for industry on emerging issues and placing it within a broader policy role for the Department.
B. Investigation and Audit:
• Providing increased discretion to the Commissioner on whether to investigate complaints, and allowing for consideration of
adherence to standards, certification or codes of practice in making decisions to investigate.
• Providing for increased flexibility for auditing or reviewing organizations (related to the proposed option, outlined in Part 2, to
give the OPC authority to periodically review an organization's adherence to the certification scheme or code).
• Exploring options and mechanisms to provide for increased cooperation and information sharing with other enforcement
agencies.
C. Tools to address non-compliance or offences:
• Providing the Privacy Commissioner, in the context of its investigation and audit functions, with circumscribed order-making
power in the form of cessation and records preservation orders. These powers may be used by the Commissioner to halt
collection, use or disclosure of personal information by a non-compliant organization. With respect to cessation orders, the use
of such orders can be further circumscribed to situations where the non-compliance has caused or is likely to cause a risk of
harm or significant distress to an individual. This would provide a strong tool that the Commissioner can deploy to protect
individuals when organizations put them and their personal information at risk.
• Extending the existing regime for fines to other key provisions of the Act, including and in particular consent requirements,
data safeguard requirements, limiting use, disclosure and retention requirements. This involves the Privacy Commissioner
referring matters of concern to the Attorney General of Canada for investigation. New obligations pertaining to deletion and
data mobility would be considered key provisions of the Act, and subject to fines.
• Substantially increasing the range of fines that are tied to offences under the Act, and providing for a scheme that identifies the
mitigating and aggravating factors that should be considered, including adherence to codes, certification or standards. Scalable
enforcement that takes into account the impacts on SMEs may need to be considered.
• Further empowering the Court to order statutory damages for certain contraventions. PIPEDA could be amended to prescribe a
range of damage awards, setting out minimum and maximum amounts for contraventions of specific provisions.
D. Advance/Proactive Advice
• Reviewing the Office of the Privacy Commissioner's current proactive advisory activities to ensure that such activities can
support new or emerging business models and technologies. Given that privacy is only one of many elements needed to
consider when developing new innovative business models, it may be preferable to have multi-stakeholder dialogue and
approaches to support codes of practice and standards in such areas. This could be leveraged through ISED's access to
stakeholder communities.
Considerations and questions:
• For business, this approach provides a level of certainty (in terms of the nature of orders that can be issued) and some
incentives to comply with the law (cessation orders and the possibility of fines). For individuals, this approach also provides
certainty, as well as some stronger tools to protect their rights, particularly when a cessation order is made.
• This approach allows the Commissioner to make more efficient use of resources.
• The proposal more closely aligns with enforcement regimes of other jurisdictions, in particular the provinces and the EU.
• Further examination of other options (some proposed by the Privacy Commissioner, such as Administrative Monetary Penalties
or AMPs) is needed as they may have impacts on machinery of government. The goal is to ensure that incentives are strong,
that SMEs are not unfairly penalized, and that individuals' personal information is appropriately protected.
◦ If an AMP regime is introduced, would this mechanism need to be mediated by a third party (for example, by a tribunal)?
◦ Will offence-related fines be a strong enough incentive given that the current fining powers have never been used in the
nearly 20 years of the law's existence and that they are outside the control of the Privacy Commissioner?
◦ How do we ensure administrative fairness in a model with stronger enforcement mechanisms and an education/advisory
mandate?
◦ Given the significance of impacts on individuals in the digital and data economy, what should be the appropriate range of
statutory damages (and conditions) to be included in the Act?
◦ How could codes of practice (and possibly certification schemes) be part of a renewed enforcement scheme that
incentivizes organizations, gives greater certainty and brings transparency and accountability to practices, to the benefit
of all stakeholders in the data economy?
Part 4: Areas of Ongoing Assessment
Issue:
PIPEDA is a principles-based and technology neutral law. These are its strengths and should remain. However, it has been criticized
for, among other things, being inaccessible to individuals and organizations, especially small- and medium-sized organizations due
to its complex structure. Evolving business models, and the numerous players involved, mean that the scope of application of the law
should be examined in order to ensure that Canadians are protected and businesses have a level playing field and that
accountabilities — along with the responsibilities that entails — are appropriately apportioned.
Why is this an issue?
Clarity of obligations
PIPEDA is a creature of compromise, and its drafting reflects that. When PIPEDA was enacted, it followed a number of years in
which there was pressure on government and industry to act with respect to personal information protection. The passage of the EU
Directive 95/46 EC, the burgeoning e-commerce industry, and growing concerns among Canadians about how their personal
information was being used led to consideration of how best to proceed to ensure trust in the economy and to support Canada's
trade goals. Industry, preferring self-regulation, along with representatives of consumer groups, academia and government,
developed the CSA Model Code, which contained 10 principles of privacy protection, based on the OECD Privacy Guidelines. The
federal government ultimately decided, however, that self-regulation was not enough, and moved to legislate. In doing so, it chose to
incorporate the Model Code into the Act, without changes to the language, given that the Code had represented a consensus among
industry, consumer protection advocates, academics and government participants. It was of the view that this would be the most
effective and expeditious way to act in a relatively short timeframe.
Although praised for being principles based and technology neutral, PIPEDA has been criticized for being difficult to understand.
Having rights and obligations contained in Schedule 1, instead of in the body of the law, and cast in non-legal language, mixing
obligations with best practices (shall v. should) have posed challenges for individuals and organizations, as well as the courts, to
understand.
As a result, it is difficult for individuals to challenge organizations' compliance, and for organizations to understand their obligations.
Moreover, PIPEDA applies to other issues, apart from privacy (the Electronic Documents part of its name, or Parts 2 to 5,
specifically).
The Government has supported a number of initiatives to enhance digital literacy. To assist with this, we are proposing redrafting the
law to set out personal information protection rights and requirements in a manner that is easier for all to understand.
Scope of application, accountability
Since PIPEDA was enacted, new business models and types of organizations have emerged which are not traditionally acting as
"controllers" or "processors". As the business environment continues to evolve and more players appear (for example in the Internet
of Things or AI environments), the applicability of the Act should be updated and clarified, including in the context of transborder data
flows.
A growing number of organizations and entities are engaging in non-commercial data collection activities. While these activities are
not covered under PIPEDA, it might be appropriate to assess the relevance of extending PIPEDA to these activities.
Ensuring that the Act properly applies to the various players is also particularly important when considering accountability and the
need for privacy management programs that include flexible risk assessment processes, including Privacy by Design.
Considerations and questions
• It will be important to maintain the principles-based and technology-neutral approach. Alberta and British Columbia's respective
Personal Information Protection Acts offer solid examples of maintaining that approach in the text. The nuances (the respect
for context, individuals' expectations and overall emphasis on reasonableness) should remain.
◦ What are the risks and benefits of these important "house-keeping" measures?
◦ Are there others?
Next steps
Discussions that result from this paper will inform the development of options for legislative reform.
Annex A: Overview of marketplace policy conceptual framework
The conceptual framework outlines a complete policy approach that focuses on the whole of the marketplace. Such an approach is
not limited to legislative and regulatory reform, but also creates incentive for industry-led standards and codes while also supporting
international progressive agreements, which address digital commerce considerations.
Footnotes
"Social Media Use and Perceived Social Isolation Among Young Adults in the U.S." Primack, Brian A., et al
https://dx.doi.org/10.1016%2Fj.amepre.2017.01.010
1
Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly, Standing Committee on
Access to Information, Privacy and Ethics; December 2018
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-17/page-5
2
Zuboff, Shoshana, in The Age of Surveillance Capitalism (2018), and elsewhere.3
Section 3, Personal Information Protection and Electronic Documents Act4
For clarity, throughout this paper, we are referring to PIPEDA, by which we mean Part I of PIPEDA, which sets out the
rules for personal information handling in the course of a commercial activity.
5
See, http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf6
Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, Report of the
Standing Committee on Access to Information, Privacy and Ethics, February 2018, at
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/
7
Ibid; Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly, Standing Committee
on Access to Information, Privacy and Ethics; December 2018, at
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-17; Driving Change: Technology and the future of the
automated vehicle, Report of the Standing Senate Committee on Transport and Communications, January 2018, at
https://sencanada.ca/content/sen/committee/421/TRCM/Reports/COM_RPT_TRCM_AutomatedVehicles_e.pdf
8
Scassa, Teresa, "Why Canada needs a national data strategy," http://policyoptions.irpp.org/magazines/january-2019/why-
canada-needs-a-national-data-strategy/
9
Solove, Daniel J., "Introduction: Privacy Self-Management and the Consent Dilemna," at
https://pdfs.semanticscholar.org/809c/bef85855e4c5333af40740fe532ac4b496d2.pdf
10
McDonald, Aleecia M. and Lorrie Faith Cranor. "The Cost of Reading Privacy Policies." I/O Journal of Law and Policy for
the Information Society. 2008 Privacy Year in Review Issue.
11
Solove p.188112
Testimony by Ian Kerr to the The House Standing Committee on Access to Information, Privacy and Ethics, April 4, 2017.
http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/meeting-54/evidence
13
2018 Globe & Mail/Nanos Research survey https://www.theglobeandmail.com/politics/article-canadians-concerned-about-
how-facebook-political-parties-protect/; http://www.nanos.co/wp-content/uploads/2018/12/2018-1331C-Globe-November-
Personal-Information-Populated-Report-with-Tabs.pdf
14
2016 Survey of Canadians on Privacy, Office of the Privacy Commissioner of Canada https://www.priv.gc.ca/en/opc-
actions-and-decisions/research/explore-privacy-research/2016/por_2016_12/
15
2017 Deloitte Canada survey on Data Ethics https://www2.deloitte.com/ca/en/pages/deloitte-
analytics/articles/DataEthics2017.html
16
2016 Survey of Canadians on Privacy, Office of the Privacy Commissioner of Canada, ibid17
From a brief to the Standing Senate Committee on Transport and Communication, presented by the Canadian Automobile
Association, May 9, 2017. https://sencanada.ca/content/sen/committee/421/TRCM/Briefs/TRCM_BriefCAA_e.pdf
18
From the OPC's Discussion paper exploring enhancements to consent. See, https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2016/consent_201605/
19
See OPC, Alberta and BC Guidelines for Obtaining Meaningful Consent at https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/
20
See Centre for Information Policy Leadership,
https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_paper_-_learning_from_the_eu_gdpr_-_what_elements_should_the_us_ado....pdf
and the Privacy Commissioner of Canada at https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_ised_181123/
21
"The principle of consent has devolved from its role as a lynchpin of the privacy protective regulatory system a generation
ago to a façade, which offers us today no more than the appearance and illusion of control over our personal information,
while enabling in reality widespread corporate commercial data processing. Hastened along toward its demise by rapid
technological development and new social and political paradigms of information sharing, the idea of consent, and the
overarching principles of individual choice and control over personal information which it serves, can still be salvaged
through a new regulatory approach. This approach should focus on the retention of consent in meaningful instances which
have significant implications for individuals — such as the health-care, employment, and education contexts."
See A. Levin, submission to OPC consultation on consent, at https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-consent-under-pipeda/submissions-received-for-the-consultation-on-consent/sub_consent_10/
22
Gordon v. Canada (Health), 2008 FC 258. http://www.canlii.org/en/ca/fct/doc/2008/2008fc258/2008fc258.html
23
Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157.
http://www.canlii.org/en/ca/fca/doc/2006/2006fca157/2006fca157.html
24
General Data Protection Regulation
25
See, www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/page-75#18
26
Guidelines for Obtaining Meaningful Consent, issued May 2018. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/
27
General Data Protection Regulation, Article 9
28
The commonly used term is "data portability." However, we wanted to underscore that we are contemplating scenarios in
which individuals may tell one organization to move their personal information to another. Some have interpreted "data
portability" as turning data over to individuals at their request, leaving it up to the individual to give it to another
organization. That is not typically technically feasible nor would it be fair to individuals.
29
Note: In May 2018, the Australian government adopted the Consumer Data Right and it is implementing it on a sector-by-sector basis, beginning with the financial sector. The "Consumer Data Right" (CDR) entitles individuals to access their data
and direct its transfer to other accredited organizations, i.e., a right to data portability. In January 2018, the UK's Open
Banking law came into force. In general terms, "open banking" is a framework that allows consumers to share financial
transaction data with other financial service providers.
30
Testimony from Michael Geist to the Senate Standing Committee on Banking, Trade and Commerce, April 11, 2019.
http://www.michaelgeist.ca/2019/04/open-banking-is-already-here/
31
There are also other legal frameworks that contribute to limiting some of the more egregious examples of privacy
invasions in this context. For example, the Criminal Code prohibits the non-consensual sharing of intimate images.
32
Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, Report of the
Standing Committee on Access to Information, Privacy and Ethics, February 2018, at
https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/
33
https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181010/
34
And even if it is not used against individuals, retaining vast amounts of personal information indefinitely raises the risks of
security breaches that can have serious impacts on individuals and organizations.
35
California S.B. 568, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201320140SB568
36
Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians, p. 16.
http://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html
37
McDonald, Sean, and Bianca Wylie, "What Is a Data Trust?", Centre for International Governance Innovation, (October 9,
2018). https://www.cigionline.org/articles/what-data-trust
38
A trust involves an asset, grantor, trustee, and beneficiary. The grantor transfers legal ownership of the asset to a trustee,
subject to a contract that defines the purposes of the trust and names a beneficiary. The trustee has a fiduciary
responsibility to manage that asset in the interest of the beneficiary and in line with the purposes of the trust.
39
This question explores the scope and parameters of the current provision in PIPEDA (paragraph 7(3)(f)) which permits
disclosure of personal information for statistical or scholarly study or research. This would also seek to explore related
questions of adequate safeguards and de-personalization of data in this context.
40
The OECD Going Digital Integrated Policy Framework recommends promoting interoperable privacy regimes to facilitate
cross-border data flows. See OECD (2019), Going Digital: Shaping Policies, Improving Lives, OECD Publishing, Paris, pp
121-123, https://doi.org/10.1787/9789264312012-en
41
Bennett, Colin, and Charles Raab, "Revisiting the Governance of Privacy: Contemporary Instruments in Global
Perspective", Regulation and Governance, vol. 12, no. 3 (September 2018).
https://onlinelibrary.wiley.com/doi/pdf/10.1111/rego.12222
42
See various Parliamentary reports, including the ETHI Committee's report on PIPEDA at
http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/page-120#fn261-rf and
http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-17/page-27#1
43
The Digital Privacy Act amended PIPEDA to introduce compliance agreements. These are agreements between an
organization and the Privacy Commissioner, whereby the organization agrees to undertake a number of measures, and
the Commissioner agrees not to take the organization to Federal Court unless the agreement is not fulfilled. The
Commissioner has entered into a handful of these since the provisions came into force.
44
See, https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/
45
To cite one of many examples, "(t)he GDPR completely changes the compliance risk for organizations which suffer a
personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation.
As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not
notifying, the GDPR is driving personal data breach out into the open," noted Ross McKean, a partner at DLA Piper
specializing in cyber and data protection. See, https://www.helpnetsecurity.com/2019/02/07/gdpr-numbers-january-2019/
46
In its paper, "Regulating for Results: Strategies and Priorities for Leadership and Engagement," the Centre for Information
Policy Leadership sets out four types of functions of a data (privacy) protection authority: leader, police officer, complaint
handler, authoriser. See,
https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_final_draft_-_regulating_for_results_-_strategies_and_priorities_for_leadership_and_engagement_2_.pdf
47
Under PIPEDA as currently drafted, there are two categories of offence: an offence punishable on summary conviction
and liable to a fine not exceeding $10,000 (per offence); and an indictable offence liable to a fine not exceeding
$100,000 (maximum of $100,000 per offence). These categories of offences are distinguished based on the severity of
the contravention. Typically, summary offences are less serious than indictable offences. The Attorney General of Canada
has the discretionary power to qualify the contravention as either type of offence depending on the nature of the
contravention. Fines are applied by the Courts.
48
Dr. Teresa Scassa has summarized these criticisms in her blog, dated July 9, 2018
http://www.teresascassa.ca/index.php?option=com_k2&view=item&id=279:pipeda-reform-should-include-a-comprehensive-rewrite&Itemid=80
49
Date modified:
2019-05-21