Canada's privacy law governing much of the business that takes place on the internet – including widespread collection of people's personal information – is in need of an update.
That's the recommendation of a report released Feb. 28 by the standing committee on access to information, privacy and ethics, resulting from its review of PIPEDA (the Personal Information Protection and Electronic Documents Act). The report made a number of suggestions including strengthening requirements for consent to use personal data, the right to withdraw that consent and the "right to be forgotten" online. It also heeded repeated calls by the Office of the Privacy Commissioner of Canada to be given enforcement powers with "teeth," including the right to impose fines and more flexibility to choose what to investigate. The government is expected to respond to the report within 120 days.
The push to modernize privacy laws in this country has become more urgent as the European Union's wide-ranging General Data Protection Regulation (GDPR) is set to come into force in May. An important aspect of crossborder trade has been the granting of "adequacy status," which allows data to flow freely between jurisdictions that have agreed their respective privacy protections are adequate. In the past year, some privacy advocates have suggested that the GDPR's stricter rules could put Canada's adequacy with the EU at risk, if changes are not made here.
"A smoother regulatory framework between Canada and Europe is a competitive advantage for Canada," said Chantal Bernier, former interim privacy commissioner of Canada, and an adviser in the privacy and cybersecurity practice at law firm Dentons Canada LLP.
One of the key recommendations of the recent report was that the government should work with EU counterparts – as well as Canada's provinces and territories – to maintain that status.
"It creates impetus, if not pressure, on other countries and economies of the world to at least consider whether the GDPR rules should be adopted in their own jurisdictions," federal Privacy Commissioner Daniel Therrien said in an interview. "It raises the bar. I don't think Canada needs to adopt exactly the same regime as in Europe, but it sets an important standard."
However, some in the advertising industry are raising alarms about potentially "devastating" consequences of some of the recommendations. Of particular concern is the suggestion of an "opt-in" system becoming the default model for consent to use personal information.
"The way it is now, there is a reasonable exchange that doesn't require explicit opt-in between the consumer and the online experience. To make it the default creates friction," said Sonia Carreno, president of the Interactive Advertising Bureau of Canada. "What we're worried about is, where will this lead?"
Mr. Therrien agreed that new consent models would need to find a balance between business interests and privacy. "Even consumers may not like the outcome if they have to give consent every 15 seconds," he said.
Collecting information is sanctioned under PIPEDA as long as it is used for "legitimate business purposes," such as to fulfill a service. However, the report said the law should clarify what is legitimate. Ms. Carreno said the industry will be advocating for targeted advertising to be included in the scope of legitimate use of data.
People often have little understanding of how their data are collected and used, and more transparency is crucial to obtaining meaningful consent, the report argues. That includes giving them more information about the complex algorithms that are often used to process their information. Because consent may be a different process for minors, it also urged the government to consider specific rules for consent for collecting, using and sharing minors' personal information. In addition, the report argues that people should have the ability to revoke their consent for the collection, use and sharing of their personal information. PIPEDA already states that people should be able to withdraw their consent, but there are circumstances that make deletion of that information difficult – such as when information has already been shared with third parties or has been posted publicly.
It also suggested that the law should go further in requiring that businesses destroy personal information they have collected once that information is no longer needed.
It raised the importance of anonymized data – information about a person that does not have his or her name or other identifying details attached – but acknowledged that there is a risk of re-identifying in some cases, and said the government should examine how best to protect depersonalized data.
The new regulations coming into force in the European Union stipulate that people should have the right to data "portability," or the ability to transfer their information from one service provider to another. The report recommended that Canada follow Europe's lead on that point.
The report also recommends using the European legislation as a model for strengthening the "right to erasure" in Canadian law, giving people the right to have information posted about them online removed in some cases – while also maintaining freedom of the press and freedom of expression. It also recommended that the government consider enshrining the right to "de-indexing," or having personal information removed from search results on services such as Google. In both cases, it stressed that this right should especially be considered in cases where people's information was posted online when they were minors.
The report specifically points to "Privacy by design," a concept developed roughly 20 years ago by former Ontario information and privacy commissioner Ann Cavoukian. The concept essentially advocates for privacy considerations being built into every stage of a product's development, design and marketing – that privacy should be protected whether or not an individual takes action to ensure that protection. That is a key concept of the new law being implemented in the European Union, and the committee stressed that it should inform the modernization of PIPEDA.
"Privacy forms the foundation of our freedom," Ms. Cavoukian said in an interview. "For all those naysayers out there who say, 'give it up, privacy is dead.' I say, 'Are you kidding me? It's about to have a resurgence'."