Strengthening Privacy for the Digital Age

From: Innovation, Science and Economic Development Canada

Proposals to modernize the Personal Information Protection and Electronic Documents Act

Introduction

Technology has long brought enormous benefits, along with profound changes, to almost every aspect of human life. Much as the printing press revolutionized society starting in the 15th century, the digital revolution has had, and will continue to have, an enormous impact on daily life. Business, communications, entertainment, transportation, banking, education, health care, our interpersonal interactions and our physical movements — almost every aspect of our lives is mediated by digital technology. And with those interactions, enormous amounts of data about individuals is being created and harnessed for a vast array of purposes.

Digital and data-driven technology is already empowering science, supporting innovation, and driving economic growth. For example, advancements in areas including robotics, artificial intelligence (AI), quantum computing, and nanotechnology are leading to ground-breaking discoveries with significant economic and social benefits. But while these technological achievements are in many ways enriching our society, this transformation also brings with it challenges and uncertainty that we as a country must be prepared to address. In response to this, some stakeholders have called for the Government to adopt a National Data Strategy.

On June 19, 2018, the Government of Canada launched its National Digital and Data consultations to demonstrate its commitment to continuing to work together to make Canada a nation of innovators. As we noted in Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians, we asked Canadians across the country to share their unique perspectives and ideas on what are some of the challenges and areas of opportunity for Canada in this time of transformation. And we received a resounding response — from small business owners and multi-national companies; students, teachers, and researchers; innovators and entrepreneurs; and everyone in between.

Canadians shared their optimism with us about the great social and economic potential for Canada in this digital age. But they also shared their concerns about how personal data could be used. Simply put, the way forward on data collection, management and use must be built on a strong foundation of trust and transparency between citizens, companies and government.

Trust is indeed the lynchpin of the digital and data-driven economy. Yet, clearly, individuals' trust is at risk. Popular media is rife with stories of data breaches; misuse of personal information by large companies; foreign interference, and malicious actors; cyberbullying; along with increasing concern about the impacts of the digital and data revolution on issues ranging from our mental healthFootnote 1 to democratic institutionsFootnote 2. Ineffective or inconsistent security hygiene; a lack of competition; and business models that are based on surveillance of individualsFootnote 3 have left individuals increasingly wary of how the products and services on which they now depend for nearly all aspects of their activities are collecting and using their personal information.

Trust, the Digital Economy and the Personal Information Protection and Electronic Documents Act

In the early days of the commercial Internet, when e-commerce was emerging, the Government of Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) to ensure trust in the emerging economy. Its stated purpose is:

to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.Footnote 4

A principles-based, technology-neutral law, PIPEDAFootnote 5 applies to a wide-range of commercial activity, and is overseen by an Agent of Parliament, the Office of the Privacy Commissioner of Canada. In the nearly 20 years since it came into force, commercial activity has evolved rapidly and in ways unforeseen. Based on the internationally accepted privacy principles contained in the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, (Privacy Guidelines)Footnote 6, the 10 interrelated privacy principles (and related sub-paragraphs) in PIPEDA guide organizations' personal information handling activities. One of these principles, Knowledge and Consent, along with a limited set of exceptions to consent, authorize those activities, which are required to be "appropriate in the circumstances." The rest of the principles, such as accountability, openness, accuracy, access, safeguards, redress, among others, are intended to ensure that organizations treat personal information in a manner that is fair and understandable to the average person and in keeping with their reasonable expectations. The law has been applied to a wide variety of business activities, including in the context of trans-border data flows, and has proven to be reasonably nimble in the nearly 20 years of its existence.

That said, it has been criticizedFootnote 7, particularly in terms of its consent regime and enforcement model, for not providing the kinds of incentives in a data- and digitally-driven economy to ensure that organizations are in compliance. The House Standing Committee on Access to Information, Privacy and Ethics, has also recommended updates to improve individual control and organizational transparency, in order to strengthen privacy protections in an age where individuals feel a lack of control and understanding. The Government of Canada has stated its agreement with recommendations made in several recent Parliamentary reportsFootnote 8 that changes are required to Canada's federal private-sector privacy regime to ensure that rules for the use of personal information in a commercial context are clear and enforceaable and will support the level of privacy protection that Canadians expect.

The principles outlined in Canada's Digital Charter, along with their supporting activities, collectively provide the foundation for achieving a strong and vibrant digital economy for Canada. The reform of PIPEDA must contribute to achieving the outcomes related to these principles. PIPEDA, as a key element of Canada's marketplace framework, must also contribute to achieving an inclusive digital economy that provides a level playing field, fairness of opportunity, enhanced security and privacy, predictability for business, and international competitiveness.

Canada is facing these opportunities and challenges in parallel with other leading nations as part of a global innovation race. Our global competitors are taking aggressive action in terms of supporting trust and privacy to lead in a data-driven, digital global marketplace.

Next generation privacy and e-protection laws, specifically in the European Union but also in the United States, are impacting domestic policies and practices. There is a desire for an approach to personal information protection in the private sector that meets Canada's needs and remains interoperable with leading jurisdictions. While there is commonality amongst privacy statutes in Canada and abroad, a number of important distinctions between Canadian and international frameworks are challenging the goal of an integrated digital economy both at the domestic and international levels.

The Government is considering how best to modernize its private-sector policy and regulatory framework in order to protect privacy and support innovation and prosperity. In short, the goal is to respect individuals and their privacy by providing them with meaningful control without creating onerous or redundant restrictions for business; enable responsible innovation on the part of organizations; and ensure an enhanced, reasoned enforcement model.

Specifically, the Government is proposing clarifications under PIPEDA that detail what information individuals should receive when they provide consent; certain exceptions to consent; data mobility; deletion and withdrawal of consent; incentives for certification, codes, standards, and data trusts; enhanced powers for the Office of the Privacy Commissioner; as well certain modernizations to the structure of the law itself and various definitions. The proposals outlined in this paper fall within a broader conceptual framework, detailed in Annex A, for advancing policy work in the digital and data context.

With this discussion paper, Innovation, Science and Economic Development (ISED) Canada is continuing the dialogue on "Trust and Privacy" that was initiated in the Data and Digital consultations in 2018. This paper outlines a series of policy considerations related to specific proposals that would serve to enhance consumers' control, enable responsible innovation and enhance enforcement.

The Government is also studying potential reforms to the Privacy Act, which governs the personal information-handling practices of federal institutions. That initiative is being led by Justice Canada, working closely with the Treasury Board Secretariat.

Part 1: Enhancing individuals' control

Issue:

The increased volume and complexity of data flows has strained the traditional knowledge-and-consent system and left individuals without meaningful control over their personal information and privacy.

Why is this an issue?

Digital platforms and services have become an integral part of how Canadians live, work and play. Yet, platforms and products are increasingly designed to gather and share data and/or monitor users by default, reducing consumer choice and making consent less relevant. As noted by Teresa Scassa: "…the Personal Information Protection and Electronic Documents Act's consent-based regime may need to be supplemented, and there is considerable interest in consumer- and competition-friendly tools, such as data portability, that give consumers more control over their personal information. Increasingly, public harms — algorithmic bias and the manipulation of individuals and groups — flow from the capture and use of personal information. New frameworks are required for the ethical use of data."Footnote 9

PIPEDA's requirement for knowledge and consent requires organizations to inform individuals of the purpose of the collection, use or disclosure of their personal information, and to obtain their consent. In practice, however, it has meant that individuals have borne a great deal of the responsibility to inform themselves of an organization's privacy management practices and to understand the nature, purpose and consequences of consenting to have their information collected, used and disclosed by the organization.

This is what Daniel Solove from George Washington University Law School has labeled a Privacy Self-Management approach, whereby the onus is on the individual to manage their privacy.Footnote 10 Complex data flows involving numerous parties strain an individual's ability to fully comprehend what they are consenting to. Although many organizations have privacy policies in place, these are notoriously long and complex to understand, and most individuals neither have time nor sufficient legal training to understand themFootnote 11. Solove notes that "(b)ecause individual decisions to consent to data collection, use, or disclosure might not collectively yield the most desirable social outcome, privacy self-management often fails to address these larger social values." Footnote 12 The multiplicity of online interactions can present challenges to individuals to understand the nature and extent of information sharing that occurs in this environment.

Furthermore, a lack of transparency around automated decision-making processes and the resulting decisions increases individuals' concerns related to bias and potential discrimination. Ian Kerr notes that "... AIs [artificial intelligences] are designed in ways that raise unique challenges for privacy. Many use machine learning to excel at decision-making; this means AIs can go beyond their original programming, to make 'discoveries' in the data that human decision-makers would neither see nor understand... I would therefore submit that PIPEDA requires a duty to explain decision-making by machines."Footnote 13 There is also the emerging presence of software agents and bots interacting in the marketplace. This has the potential to deceive users and undermine confidence in the digital marketplace and underscores the need for measures to ensure trust is maintained.

Canadians have made their concerns very clear. Eighty-four percent of Canadians are concerned with the use of personal information by social media platformsFootnote 14. Nearly three in four (74%) Canadians think they have less privacy protection than ten years agoFootnote 15. Ninety percent of Canadians would be "very" or "fairly" likely to sever ties with businesses that use data "unethically"Footnote 16. Seventy-one percent of Canadians would be more likely to do business with a company if it was subject to strict financial penalties.Footnote 17 According to the Canadian Automobile Association's survey of Canadians regarding autonomous vehicles, 81 percent of Canadians feel a "need for clear, enforced rules to protect their privacy of personal information when it comes to vehicle data."Footnote 18

The results of the National Data and Digital Consultations showed that Canadians want more transparency in how their data is being collected and how it is being used. However, current models that rely completely on the provision of an individual's consent to complex and lengthy privacy policies are inadequate and do not help to build trust. Canadians also want greater control over how their information is used, and need to see the value of the benefits it brings. Moreover, next generation privacy laws are including new responses to these issues by providing for explicit new rights for data mobility, expanding on rights around transparency and automated decision-making, and for deletion of their information. Canada needs to consider these options as possible responses to ensure that Canadians have the control they need to trust the data and digital economy.

A. Possible options — Consent and transparency

We therefore propose to:

Provide more meaningful controls and increased transparency to individuals by:

Considerations and questions:

B. Possible options — data mobility

"Data mobilityFootnote 29" refers to enabling individuals to request that the personal information that they have provided to an organization, be provided to another organization. It has been touted as having the potential to empower individuals to "vote with their feet" so to speak. It is viewed by some as an evolution to the existing provisions in PIPEDA for access to one's own personal information and for withdrawal of consent.

Studies in other jurisdictionsFootnote 30 have determined that data mobility has the potential to enhance consumer choice thus fostering the emergence and growth of innovative new goods and services, in addition to supporting greater individual control over data and encouraging competition. As noted by Michael Geist in his Senate testimony on data mobility in the banking sector, "there are undoubtedly security protocols and standards to be developed, but the starting point is regulated support for a consumer-focused system that gives consumer control by opening their data at their request."Footnote 31

We therefore propose to:

Introduce new data mobility opportunities to enhance individuals' control over information by:

Considerations and questions:

C. Possible options — online reputation

Enhance the ability of individuals to maintain their online reputation by:

Considerations and questions:

Part 2: Enabling responsible innovation

Issue:

Increasingly, new business models and emerging technologies rely on complex uses of personal information by a variety of players. This has led to calls for enhanced access to personal information for the development of innovative products and services. At the same time, this triggers the need for increased accountability and higher standards of care to ensure privacy and security are respected. Added to this is the concern that it is not always clear how a principles-based law applies to new business models/technologies.

Why is this an issue?

As noted in Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians: "Canada has the right ingredients to thrive in an increasingly digital world. We have strong research capacity, a diverse and highly educated workforce, and a strong investment climate. We are tech savvy and well-connected with 87 percent of Canadians and 95 percent of Canadian businesses connected to the Internet. Eighty-eight percent of Canadians have a mobile device."Footnote 37

Data is the fuel to grow the Canadian data-driven economy, yet complex data flows involving numerous parties, often across borders, can reduce an individuals' sense of control over of their personal information and ultimately their trust that it can be adequately protected. This combined with the perceived lack of transparency around automated decision-making processes, including programmatic processes, increase individuals' concerns over potential for abuse of data collected/used.

Almost every organization is now in the data business in some way, resulting in a lack of clarity about who is accountable for personal information. The autonomous vehicle industry is illustrative of this point. In addition to the sensors the vehicle manufacturer has placed within the vehicle, there are the other platforms and application developers that are also collecting data about the vehicle and the driver. In other instances, there is increasing collaboration between public and private sectors (a timely example is in the smart city scenario), which raises concerns about accountability, appropriate uses of data in the public interest, and access to data for public policy-making.

Given the importance of data- and digitally-driven innovation to Canada's economy and future prosperity, the legislative frameworks that support this marketplace must be balanced and fit for purpose.

A. Possible option: Enabling data trusts for enhanced data sharing

When compared to other jurisdictions, countries such as Canada could benefit from models that maximize the use of available data and provide a means to securely pool the data in pursuit of innovation and public good, particularly in areas such as health or transportation. Emerging solutions, such as "data trusts" may provide a way forward to help enable responsible innovation, particularly in the case of public-private partnerships.

Data trusts would involve trusted third parties managing access by organizations to sensitive databanks for research and development purposes, while protecting privacy and ensuring that organizations use data appropriately. Trusts are a framework for fiduciary asset management; policymakers, firms, and experts have begun to explore the potential application of such a trust model to data governance. Bianca Wylie and Sean McDonald of the Centre for International Governance Innovation have identified data trusts as providing "a way for data rights holders to aggregate and build leverage toward collectively bargaining for more balanced, publicly beneficial data relationships... The act of creating a data trust... is inherently specific, requiring the parties involved to agree on a common purpose, a governance structure and a clear theory of shared benefit."Footnote 38 Data trusts treat datasets as the assets that an independent third party must manage according to contractual terms designed to ensure the responsible, appropriate use of those assets.Footnote 39

We therefore propose the following:

Encourage use of data for research/innovation

Considerations and questions:

Possible options — self-regulation and technical standards

In keeping with Canada's strategic objective to preserve the free flow of information across borders while maintaining meaningful privacy protection, Canada is engaged in international fora that promote global interoperability of privacy frameworks. Specifically, Canada supports multilateral approaches to privacy that seek to "bridge" privacy regimes internationally such that a form of "mutual recognition" is established across multiple countries or regions. APEC's Cross Border Privacy Rules System (of which Canada is a participant) is a good example. Given various initiatives are currently underway to "bridge" the APEC system with non-legislative EU legal instruments for transborder flows, the APEC system could be of considerable interest (and utility). The OECD Privacy Guidelines is another example of the type of international arrangement that Canada supports. Promoting global interoperability of privacy frameworks is a key foundation of Canada's approach to privacy.Footnote 41 Integration of codes and standards as part of a statutory framework can further assist in aligning privacy frameworks both domestically and internationally.

PIPEDA provides a baseline for privacy protection, and currently contemplates a role for codes of practice. Other jurisdictions have recognized the value of codes, standards and certification schemes in improving regulatory agility, and supporting responsible innovation. These schemes have the potential to provide more specific protections for certain sectors or activities, and to increase transparency and certainty for individuals. Furthermore, such approaches could potentially help individuals make choices based on organizations' privacy practices. In short, there is a need to recognize the value and utility of standards, codes and certification as tools to underpin privacy "rules" and try to influence and encourage their development in areas that reflect Canadian requirements, priorities and interests. Moreover, adherence to codes and standards could incentivize compliance and potentially help enable a more proactive enforcement model. In Revisiting the Governance of Privacy, Contemporary Policy Instruments in a Global Perspective, Colin Bennett and Charles Raab propose, "In domestic and international arenas, standards could fill important gaps in the enforcement regime, relieve regulators of compliance work and serve as credible methods of certification for transnational transfers of data."Footnote 42

We therefore propose the following:

Incentivize the use of standards and codes

Considerations and questions:

Part 3: Enhancing Enforcement and Oversight

Issue:

There is a growing viewFootnote 43 that the ombudsman model and enforcement of PIPEDA, which relies largely on recommendationsFootnote 44, naming of organizations in the public interest, and recourse to the Federal Court, to effect compliance with privacy laws, is outdated and does not incentivize compliance, especially when compared to the latest generation of privacy laws. The current state of affairs cannot continue; meaningful but reasoned enforcement is required to ensure that there are real consequences when the law is not followed.

Why is this an issue?

There are currently constrained consequences and impacts on organizations for non-compliance with PIPEDA. Following an investigation, the Privacy Commissioner can make recommendations, enter into a compliance agreement with an organization or pursue the matter in Federal Court, where there will be a de novo hearing. Should there be recommendations at the end of an investigation, an organization will likely incur costs associated with implementing those. If the Commissioner makes his findings public and names the organization, there may be some negative attention, which can impact the bottom line. However, while the Commissioner's recommendations are often followed, this is not always the case. Indeed, a recent privacy incident has its roots in a complaint investigation by the Privacy Commissioner from 10 years ago, where the Commissioner found that the earlier recommendations were not fully followed or implemented, and the behaviour that was offside the law continuedFootnote 45. The lack of consequences for egregious behaviour has been noted as being unfair to others in the economy, and is unacceptable. Good players, who seek advice, make improvements, and who, in short, spend money to ensure compliance, may welcome a more level playing field.

The possibility of stronger financial consequences for organizations that are offside of the law will incentivize them to take measures to be in compliance. There are some indications, based on the response of organizations when breach reporting became mandatory in 2018, and with it, the possibility of fines for willfully not reporting or keeping records of breaches, that the threat of financial penalties causes organizations to pay attention. Likewise, when the GDPR came into force, much of the media coverage and discussion in various fora centred on the substantial fines that could accrue to organizations found offside of the lawFootnote 46. Although the United States is currently considering a federal privacy law covering the private sector, the Federal Trade Commission (FTC) has negotiated a number of settlements under its current (and more limited) privacy rules. Closer to home, some of the Privacy Commissioner's provincial counterparts (and all three who oversee provincial private-sector privacy law) have order-making powers. Should Bill C-58 pass, the Information Commissioner, an Agent of Parliament like the Privacy Commissioner, would also have order-making power.

It should also be recognized, though, that non-compliance can sometimes be the result of a lack of clarity or certainty in terms of organizations' obligations under the Act. Organizations may want to comply but have difficulty understanding what they need to do in certain circumstances. Our proposals to address this are outlined further in Parts 2 and 4.

While the current model largely emphasizes mediation and negotiation, as well as education, to achieve compliance objectives, high-profile and significant incidents involving unexpected uses of personal information, as well as breaches, are eroding confidence in the digital economy and raising privacy concerns. Now is the time to strengthen Canada's privacy framework to ensure that Canada's federal private-sector privacy regime does not fall further behind.

Possible options — enhance the Commissioner's powers

The Commissioner currently has a range of investigation powers, including the ability to compel evidence, administer oaths, enter premises, examine documents, and interview witnesses. He or she may initiate an investigation on his or her own, where there are reasonable grounds, and he or she can accept complaints from any member of the public. At the end of an investigation, the Commissioner can issue a report with recommendations or enter into a compliance agreement. He or she may also take a matter to the Federal Court at the end of an investigation (there is no recourse to the Court in cases where the Commissioner initiated the complaint). The Court can then order remedies or award damages. The Commissioner may also conduct an audit if the Commissioner has reasonable grounds to believe that the organization has contravened a provision of the Act or Schedule 1. The Commissioner has no recourse to the Federal Court at the end of an audit.

Apart from these investigatory powers, PIPEDA requires the Commissioner to educate organizations and individuals on the Act, conduct research, develop guidance and encourage the development of codes of practice.

An effective enforcement regime generally involves activities related to four key componentsFootnote 47:

Effective compliance: Text version

Education/Outreach

  • Develops guidance and educates the public and businesses on the Act and their related rights and obligations

Investigation and audit

  • Investigating complaints
  • Self-initiating complaints and/or auditing

Advance/Proactive Advice and Dialogue

  • Offering advice and guidance to organizations on proposed business models and the implementation of new technology

Tools to address non-compliance or offences

  • Administration of penalties, damage awards and fines for offences or to assist in correcting non-compliance

We therefore propose modernizing Canada's private-sector privacy law by incentivizing compliance of multi-nationals and small- and medium-sized enterprises (SMEs) by:

A. Education/ Outreach:

Investigation and Audit:

C. Tools to address non-compliance or offences:

D. Advance/Proactive Advice

Considerations and questions:

Part 4: Areas of Ongoing Assessment

Issue:

PIPEDA is a principles-based and technology neutral law. These are its strengths and should remain. However, it has been criticized for, among other things, being inaccessible to individuals and organizations, especially small- and medium-sized organizations due to its complex structure. Evolving business models, and the numerous players involved, mean that the scope of application of the law should be examined in order to ensure that Canadians are protected and businesses have a level playing field and that accountabilities — along with the responsibilities that entails — are appropriately apportioned.

Why is this an issue?

Clarity of obligations

PIPEDA is a creature of compromise, and its drafting reflects that. When PIPEDA was enacted, it followed a number of years in which there was pressure on government and industry to act with respect to personal information protection. The passage of the EU Directive 95/46 EC, the burgeoning e-commerce industry, and growing concerns among Canadians about how their personal information was being used led to consideration of how best to proceed to ensure trust in the economy and to support Canada's trade goals. Industry, preferring self-regulation, along with representatives of consumer groups, academia and government, developed the CSA Model Code, which contained 10 principles of privacy protection, based on the OECD Privacy Guidelines. The federal government ultimately decided, however, that self-regulation was not enough, and moved to legislate. In doing so, it chose to incorporate the Model Code into the Act, without changes to the language, given that the Code had represented a consensus among industry, consumer protection advocates, academics and government participants. It was of the view that this would be the most effective and expeditious way to act in a relatively short timeframe.

Although praised for being principles based and technology neutral, PIPEDA has been criticized for being difficult to understandFootnote 49. Having rights and obligations contained in Schedule 1, instead of in the body of the law, and cast in non-legal language, mixing obligations with best practices (shall v. should) have posed challenges for individuals and organizations, as well as the courts, to understand.

As a result, it is difficult for individuals to challenge organizations' compliance, and for organizations to understand their obligations. Moreover, PIPEDA applies to other issues, apart from privacy (the Electronic Documents part of its name, or Parts 2 to 5, specifically).

The Government has supported a number of initiatives to enhance digital literacy. To assist with this, we are proposing redrafting the law to set out personal information protection rights and requirements in a manner that is easier for all to understand.

Scope of application, accountability

Since PIPEDA was enacted, new business models and types of organizations have emerged which are not traditionally acting as "controllers" or "processors". As the business environment continues to evolve and more players appear (for example in the Internet of Things or AI environments), the applicability of the Act should be updated and clarified, including in the context of transborder data flows.

A growing number of organizations and entities are engaging in non-commercial data collection activities. While these activities are not covered under PIPEDA, it might be appropriate to assess the relevance of extending PIPEDA to these activities.

Ensuring that the Act properly applies to the various players is also particularly important when considering accountability and the need for privacy management programs that include flexible risk assessment processes, including Privacy by Design.

Considerations and questions

Next steps

Discussions that result from this paper will inform the development of options for legislative reform.

Annex A: Overview of marketplace policy conceptual framework

The conceptual framework outlines a complete policy approach that focuses on the whole of the marketplace. Such an approach is not limited to legislative and regulatory reform, but also creates incentive for industry-led standards and codes while also supporting international progressive agreements, which address digital commerce considerations.

Annex A: Text version

Figure illustrates a policy approach that lists activities focused at a domestic level at the bottom and moving up to activities at a global level. An arrow on the side of the figure illustrates the movement from domestic to global activities. The list of activities from top to bottom are:

  • International Trade
  • Standards and Codes / Data Trusts
  • Sector specific guidance / activity-based regulations (for example — connected and automated vehicles)
  • Legislation of General Application: Privacy & Data protection, Competition & IP statutes, Other marketplace policy statutes
Date modified: