Suzanne Morin on the enforcement of meaningful consent under PIPEDA
Last month, the CBA made a submission commenting on the parliamentary review of PIPEDA. Suzanne Morin, the Vice-Chair of the CBA National Privacy and Access Section, represented the CBA.
CBA National: Broadly, what is the CBA’s position on this issue?
Suzanne Morin: The CBA Sections have made numerous submissions on PIPEDA since its enactment in 2001 and continue to support the existing consent and ombudsperson models in PIPEDA in the absence of a compelling need for legislative change. Within these existing models, however, a handful of targeted amendments are needed: first to the concept of publicly available information to ensure our PIPEDA framework remains technology neutral, and second to allow the Office of the Privacy Commissioner of Canada (OPC) to issue non-binding advance opinions.
N: PIPEDA has existed for a number of years and one could argue it has been put to the test. How has it worked – and not worked – so far?
SM: If we think about this from an enforcement perspective, the OPC has been enforcing privacy rights by leveraging its powers: i) to investigate and issue formal findings, including “naming names” when in the public interest, ii) to audit, and iii) to take organizations that fail to uphold their PIPEDA obligations to court. In turn, Canadian courts have proven to be well-placed to assess damages uncovered by OPC investigations and they have recognized new common law torts or civil actions adding to the Canadian privacy legal framework.
Taken together, this “tool kit” approach has proven to be very powerful in forcing domestic and foreign organizations of all sizes to revise their privacy practices. So we think it would be prudent to wait and see how the OPC’s new power to issue and enforce binding compliance agreements through the courts is interpreted and used, and how the new regime for breach reporting, which is not yet in force, with the potential for fines, unfolds next year.
N: Is meaningful consent properly enforced in Canada? Or should we be broadening the grounds on consent?
SM: PIPEDA speaks directly to the principle of consent, laying the foundation that businesses must seek meaningful or valid consent. Businesses cannot force individuals to consent to the use of personal information beyond legitimately identified purposes. PIPEDA’s consent model comes with ten fair information principles, including accountability, limiting collection, identifying purposes and safeguards to name a few. Importantly, as an overarching umbrella, all treatment of personal information is subject to the “reasonable person test,” which limits the use of personal information to what is reasonable in the circumstances.
The PIPEDA consent model, supported by a much broader legal framework that encompasses public and private sector laws, criminal and human rights legislation and emerging common law and civil actions, continues to be both robust in its protection of the privacy of Canadians (including vulnerable groups) and flexible for business in the face of rapidly evolving technologies, business models and customer privacy expectations.
N: As it stands now, the right to be forgotten is not explicitly recognized in PIPEDA, or in any other statute. But some see the courts moving in a direction that may lead to the emergence of a right to be forgotten here. Where does the CBA stand on this issue?
SM: We have not developed any recommendations on whether a specific right to be forgotten should be included in PIPEDA or introduced into our broader Canadian legal framework, but it is an issue that merits attention. PIPEDA includes certain key elements that are relevant when speaking about the right to be forgotten, such as the right for an individual to withdraw consent or to delete certain information, the obligation on organizations to get rid of personal information they no longer need and to use published personal information for consistent purposes.
We need to be mindful that PIPEDA, and other private sector laws, are not the “catch-all” for issues that arise from the ongoing evolution of technology. Beyond PIPEDA, there are numerous other considerations – such as the right to freedom of expression which is a critical piece of our democratic fabric found in the Charter.
N: What does it mean to have “adequacy status” with the EU, and is Canada at risk of losing that status with new European regulations coming in force in 2018? What steps is the CBA suggesting to ensure the status is retained?
SM: Canada has enjoyed limited adequacy status under the EU’s 1995 Data Protection Directive since 2001. This status has enabled the convenient transfer of personal information from the EU to organizations in Canada. Recent developments in the EU are raising questions about whether Canada’s adequacy status may be at risk. It’s unclear what the EU’s new approach will be. But when the time comes, they will examine the entire Canadian legal framework, including public and private sector privacy laws, laws concerning public security, defence and national security, criminal law and our international commitments.
We need to remember that PIPEDA is only one part of Canada’s privacy legal framework, and may not be the only or even appropriate vehicle for addressing EU adequacy concerns that may arise. So, adequacy is great, but I think for Canada it is not adequacy at all costs.
N: Where, in your view, is the debate about privacy rights (with respect to consumers) headed in the next few years?
SM: As I mentioned earlier, the privacy rights of Canadians are much broader than the rights they have in PIPEDA. Canadian privacy rights, as well as the obligations of businesses and our government, exist in an extensive legal framework – in federal and provincial level laws, in the private and public sectors, in criminal and human rights legislation, and emerging common law torts and civil actions.
Personally, I think there is too much focus on what the law says, and not enough attention on its interpretation and application – PIPEDA itself is extremely flexible. In the next few years, I think we will see a lot more collaboration between business, privacy regulators, academics and consumer and privacy groups – because we have to. We will definitely see new ways of communicating with consumers, focusing on what really matters to them, and being more transparent, because consumers are demanding it.
Photo licensed under Creative Commons by perspec_photo88.