Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) sets standards for the collection, use and disclosure of personal information by Canada’s private sector. Unfortunately, it was designed for an economy in which personal information was a by-product of doing business, rather than a core commercial asset capable of limitless exploitation.

In today’s digital environment, businesses avidly harvest personal data. They do so in order to profile and track their customers: to predict their preferences, assess their creditworthiness, determine the price they are willing to pay and, in many cases, sell the data to third parties. So-called free apps and platforms proliferate; these rely upon the collection and monetization of vast amounts of personal information. In this data free-for-all, PIPEDA mainly establishes fair information principles, combined with weak enforcement rules.

Consent is the cornerstone of the Act, and consent to the collection of one’s personal information is meant to be informed. A company’s privacy policy is the means by which most consumers are given notice about what personal information is collected, for what purposes and with whom it is shared.

But privacy policies today are long, complex and legalistic. When it comes to stating purposes, they are often vague. Reading a privacy policy before clicking “I agree” requires time and effort, and the reader might still not really understand what is going to happen to their personal information. Multiply this experience by the number of daily contacts we all have with companies that collect our personal information in physical and virtual environments. Then multiply it further by the constant collection of background data by our phones, our Internet service providers, our smart appliances and even our cars. It is not surprising that consent is broken. There is simply too much to manage, and often the way it is presented to consumers makes it difficult for them to make informed choices. In this context, clicking “I agree” without reading privacy policies is an act of surrender, not of consent.

In 2015, PIPEDA was amended to clarify that consent is valid only if it is reasonable to expect that an individual “would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” This appears to push the onus onto organizations to ensure they have communicated their practices effectively. Yet this has proven to be wishful thinking: the statute lacks the enforcement mechanisms that might make a real difference in encouraging meaningful legal compliance.

Canada’s privacy commissioners have addressed PIPEDA’s inadequacy on many occasions. The last commissioner, Jennifer Stoddart, pushed for significant amendments to the law, as has the current commissioner, Daniel Therrien. For the most part, they have been unsuccessful.

Nevertheless, change may soon be on its way. The EU’s new General Data Protection Regulation (GDPR) took effect in May 2018. Although Europe is an ocean away, this might be the kick needed to get Parliament to amend PIPEDA. In fact, it was the GDPR’s predecessor, the EU Data Protection Directive, that led to PIPEDA in the first place. Now, because the EU insists that processing of its nationals’ personal data outside the EU meet EU standards, it has been able to use the threat of cutting off data flows to noncompliant countries to motivate foreign governments to do something about protection of data in the private sector.

As PIPEDA barely met the standards set in the Data Protection Directive, undoubtedly it falls below the GDPR’s new standards, which are tailored for the age of big data. If data are to continue to flow from Europe to Canada, Canada will have to do something about PIPEDA, and soon. The House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) recently issued a report on PIPEDA that highlights many of its weaknesses and makes recommendations for reform. In drafting its report, ETHI clearly had the GDPR in mind.

When Parliament acts to amend PIPEDA, how it deals with consent will be worth watching. In its recent report on consent, part of the 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act, the Office of the Privacy Commissioner of Canada (OPC) supported keeping consent at the heart of PIPEDA. At the same time, it made recommendations for improving the meaningfulness of consent.

Interestingly, the majority of the OPC’s recommendations are ones for which no legislative change is required. It is of the opinion that many improvements could be achieved through guidance that it will provide within the current legislative framework. Examples of this might be assisting organizations to provide more timely and meaningful information about their personal information practices; exploring technological mechanisms to enhance consent; providing guidance for obtaining consent from children and youth; and identifying “no-go zones” where the collection, use or disclosure of personal information is simply not acceptable.

Where the OPC does recommend legislative change, it is predominantly in order to improve enforcement. This would include the ability to conduct compliance reviews and order-making powers for the commissioner, as well as the power to levy fines. It would also include a new private right of action for individuals. Currently, individuals can go to court only after filing a complaint and waiting over a year for the commissioner’s nonbinding report of findings.

Like the OPC, ETHI concludes that consent should remain at the core of PIPEDA. It makes several recommendations to enhance consent, including making it the default rule that consumers must opt in to any collection, use or disclosure of their information, clarifying when and how consent can be revoked and specifically addressing consent for minors.

Some of the committee’s recommendations touch on but do not deal directly with consent. One is that the government consider “the collection, use and disclosure of depersonalized data…, data that has been aggregated and presented in such a way that it is impossible to identify the owner” as a way to protect privacy in the big data context. ETHI also recommends clarifying when already-collected personal information can be used for “legitimate business interests” without the need to seek fresh consent. These recommendations do not seem adequate in the current context, where consent seems to be badly broken, but perhaps ETHI is of the same mind as the OPC, that much can be achieved by the OPC’s guidance strategies.

Of some concern are ETHI’s recommendations for new exceptions to consent requirements. These include a disturbing proposal to eliminate the need for consent to collection, use or disclosure of the vast troves of personal information found on social media sites.

ETHI also calls for greater enforcement powers for the OPC. Both seem to be of the view that if the privacy commissioner had a bigger stick, businesses would take more care in complying with PIPEDA’s obligations. Certainly, in an environment where personal information is a hugely valuable commodity, it seems essential that there be serious enforcement measures to prevent a personal data free-for-all.

As we head into a period of PIPEDA reform, there is an urgent need to transform the soft, ombuds model of gently encouraged compliance into a model that gives real powers to the privacy commissioner to protect Canadians’ privacy interests. It is the recommendations about enforcement, therefore, that are the most significant part of ETHI’s and the OPC’s work on consent and PIPEDA reform. The modest recommendations for shoring up consent depend upon the commissioner having real powers to incentivize Canadian businesses to clean up their privacy acts. As the Cambridge Analytica/Facebook scandal has made clear, the abuse of personal information for commercial gain not only harms individuals, it can also undermine broader social values. Privacy is not just a personal right but a public good.

This article is part of the Recalibrating Canada’s Consumer Rights Regime special feature.

Photo: Privacy Commissioner Daniel Therrien holds a news conference at the National Press Theatre in Ottawa, September 21, 2017. THE CANADIAN PRESS/Sean Kilpatrick.

Do you have something to say about the article you just read? Be part of the Policy Options discussion, and send in your own submission. Here is a link on how to do it. | Souhaitez-vous réagir à cet article ? Joignez-vous aux débats d’Options politiques et soumettez-nous votre texte en suivant ces directives.

Teresa Scassa
Teresa Scassa is the Canada Research Chair in Information Law and Policy at the University of Ottawa’s Faculty of Law. She is a member of the Canadian Advisory Council on Artificial Intelligence and a senior fellow with the Centre for International Governance Innovation (CIGI).

Vous pouvez reproduire cet article d’Options politiques en ligne ou dans un périodique imprimé, sous licence Creative Commons Attribution.

Creative Commons License

More like this