Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

On September 21^st, 2017, Daniel Therrien, Canada’s Federal Privacy Commissioner, tabled his annual report to Canada’s Parliament today. The report to Parliament includes results and recommendations with respect to the OPC’s study on consent. In addition, the Commissioner requests Parliament overhaul Canada’s federal private sector legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA).

Consent and Technology

A key issue for regulators and businesses is how to obtain meaningful and valid consent to collect and use personal information in the digital age. Revisiting and enhancing the consent model under PIPEDA is grounded in the Commissioner’s five year strategic privacy priorities. In 2016, the OPC issued a consultation paper regarding the challenges of obtaining meaningful consent in a continuously evolving technological ecosystem where the traditional “privacy policy” may not always be suitable. The OPC received feedback through roundtables, focus groups, surveys and receipt of 51 submissions from organizations, information technology specialists, academics, advocacy groups and other stakeholders.

Four Key Elements in Privacy Policies: The Commissioner stated that the OPC will be issuing an updated version of its consent guidelines that will require businesses and organizations to highlight in a user friendly way the following four key elements in their privacy notices:

1. What information is being collected
2. Who is it being shared with, including an enumeration of third parties
3. The purposes for collecting, using or sharing including an explanation of purposes that are not integral to the service, and
4. Identify the risk of harm to individuals, if any.

Risk of Harm: The OPC is amending its guidelines to require organizations to consider the risk of harm to individuals when considering the form of consent used. This consideration will be in addition to the sensitivity of the personal information and the reasonable expectations of the individual. We expect to learn more about this in the updated guidelines.

No-Go Zones: Expect new guidance for businesses and no-go zones where the use of information, even with consent, should be prohibited as inappropriate. The guidance will be aimed to provide clarity on what the OPC considers “inappropriate uses” under subsection 5(1) of PIPEDA.

Alternatives to Consent: The Commissioner outlined three potential solutions for enhancing privacy protection where traditional consent models conflict with advances in technology, including:

1. De-identification: In some circumstances, like big data, de-identification protocols may be the right solution. The OPC will be issuing guidance on de-identification that will help businesses assess their protocols and reduce risk of re-identification to a low level where the information may be used without consent.
2. Publicly available information: The Commissioner agrees that the categories of publicly available information in PIPEDA’s regulations are out of date, and should be revisited by Parliament. For now these exceptions remain the same, but we may someday see changes to the regulations.
3. Call for reform of new exceptions: The Commissioner has requested that PIPEDA be amended to include new exceptions to consent (section 7 of PIPEDA) to address social activities not contemplated when PIPEDA was first drafted. The goal is to help organizations use data for new purposes that would benefit individuals and obtaining consent is not practical. For example, a mobile app wishes to now use information collected for geolocation mapping, and the business can demonstrate that the benefit of the new use of information outweighs the privacy incursion. This option would be considered a last resort and require pre-approval by the OPC.

Overhaul of PIPEDA including new Powers

The Commissioner reported that it is time to revisit how Canada’s federal privacy legislation, enacted in 2000, meets the realities of today’s digital world, including advances technology as well the addition of new enforcement powers already used by the OPC’s counterparts in the U.S. and Europe. The Commissioner proposed to Parliament that this overhaul include a new enforcement model that emphasizes proactive powers that are backed up by order-making authorities, including:

• involuntary audits
• issuing binding orders, and
• impose administrative monetary penalties.

The request for reform of PIPEDA is certainly a hot topic as businesses and organizations await how Canada’s status as an adequate country is, or is not affected as a result of Europe’s General Data Protection Regulations.

Expect a more aggressive OPC

However, do not expect the OPC to wait for new powers. The Commissioner ended his report to Parliament adding that, beginning today, we can expect a more proactive and aggressive OPC with respect to enforcement. The OPC is sending a signal that complaints to the OPC will no longer be the primary tool and the OPC will be shifting itself as a proactive regulator ready to initiate investigations. The Commissioner reported that a complaint-driven model has its limits:

People are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information. My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under PIPEDA.

This is an important message. The Commissioner is not waiting for legislative reform and has put businesses and organizations on notice to expect a more active OPC, one that will be on the lookout for “specific issues or chronic problems” that must be addressed – possibly resulting in more Commissioner-initiated investigations.

More information

You can read the OPC’s news release here.

You can read the Commissioner’s remarks and full Annual Report to Parliament here.