(Read the original article by Kirsten Thompson, Charles Morgan and Maureen Gillis at Cyberlex)

As reported in our recent post,  on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation, (“GDPR”) which comes into force this year.

We have prepared a multi-part series of posts focusing in more depth on each section of the Report.

In this post, we summarize and comment on the Committee’s findings set out in Part 5 of the Report, which assesses whether amendments to PIPEDA may be required in order to ensure that Canada maintains its current EU adequacy status (i.e. as a country that provides “adequate protection” for personal data in order to facilitate cross-border data flow between the EU and Canada).

The other posts in this series are:

Part 1– Overview and Context of the Report

Part 2 – Consent

Part 3 – Online Reputation/ “Right to be Forgotten”

Part 4 – Enforcement Powers of the Privacy Commissioner

Part 5 – Adequacy of PIPEDA under the GDPR

Assessing Adequacy

In 1995, the EU adopted Directive 95/46/EC (the “EU Data Protection Directive”). Article 25 of that Directive prohibits members states (and companies within their borders) from transferring personal data to a non-member state whose laws do not adequately protect the data. Non-member states can be brought into the zone of protection if the EU determines their domestive privacy regime to be “adequate”. For the purposes of Article 25, Canada’s PIPEDA received a favourable adequacy decision in 2001.

On May 25, 2018, the EU GDPR will replace the EU Data Protection Directive. Under the GDPR, the EU will again have to assess the adequacy of PIPEDA’s protections every four years. In the context of the latter assessment, however, PIPEDA will ultimately be assessed in light of the new, higher standards of protection set out in the GDPR. Accordingly, the questions before the Committee in Part 5 of the Report were: a) whether PIPEDA in its current form would successfully maintain its adequacy status; and b) if not, what changes may be require in order to maintain such status.

Several witnesses to the Committee recommended that an analysis of requisite amendments not focus too narrowly on simply meeting the GDPR adequacy requirements or on mirroring, one by one, its provisions. Instead, several witnesses argued that the Canadian privacy regime should continue to evolve in a manner consistent with a broader range of international standards to address new issues such as the “Internet of things”. Indeed, the European Data Protection Supervisor indicated in his submission that the applicable standard of adequacy is now that the protections be “essentially the equivalent” and, accordingly, that the Committee should not focus on a point by point mapping of the new requirements of the GDPR, such as privacy by design and data portability, but rather that the Canadian legislator take a “global approach” to the assessment of adequacy.

In this context, some of the areas of obvious discrepancy as between the EU GDPR and PIPEDA are as follows:

As regards the last point, several witnesses indicated that the lack of enforcement powers constituted PIPEDA’s greatest adequacy “gap”.

Ultimately, the Committee did not indicate any specific position as regards whether any amendments to PIPEDA were required or, if so, what amendments should be adopted.

Instead, the Committee simply recommended that the Government of Canada should determine what changes, if any to PIPEDA will be required in order to maintain its adequacy status under the GDPR and, if it is determined that such changes required to maintain such status are not in the Canadian interest, that the Government of Canada create alternate mechanism to allow for the seamless transfer of data between Canada and the EU.

Finally, as the Committee noted that the adequacy assessment would also apply to Canada’s provincial privacy laws, the Committee recommended that the government of Canada work with the provinces and territories to ensure that all jurisdictions are duly aware of the relevant adequacy requirements.

Take aways

Canada’s current adequacy status will be maintained under the GDPR at very least until the EU decides to perform a new adequacy assessment. This latter exercise must occur within four years of the coming into force of the EU GDPR. As there are several areas of obvious discrepancy as between the GDPR requirements and the privacy protections set out under PIPEDA in its current form, we can expect that the Government of Canada will conclude that amendments to PIPEDA will be required to maintain its adequacy status on a going forward basis.

In this context, it is likely that the Government of Canada will decide to proceed with at least some amendments to PIPEDA, although its assessment of required changes will be taken on a global basis (rather than on a point by point mapping of rights and obligations set out in the GDPR) and that such assessment with be made on the basis of the best interests of Canada, in light of an ever-evolving context for data protection.

(Read the original article by Kirsten Thompson, Charles Morgan and Maureen Gillis at Cyberlex)

As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitledTowards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act.  The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation, (“GDPR”) which comes into force this year.

We have prepared a multi-part series of posts focusing in more depth on each section of the Report.

In this post, we summarize and comment on the Committee’s findings set out in Part 4 of the Report, which addresses the issue of whether the Office of the Privacy Commissioner of Canada (“OPC”) should be given enforcement powers, what those powers should be, and explores some of the challenges associated with enhancing the OPC’s powers.

The other posts in this series are:

Part 1 – Overview and Context of the Report

Part 2 – Consent

Part 3 – Online Reputation/ “Right to be Forgotten”

Part 4 – Enforcement Powers of the Privacy Commissioner

Part 5 – Adequacy of PIPEDA under the GDPR

The Report made a number of recommendations and consideration of the OPC enforcement powers was a key component. The Report’s recommendations, if implemented, could significantly expand the ability of the OPC to impose penalties—both monetary and otherwise—on private Canadian businesses and federally regulated entities, as well as broadening the OPC’s powers to audit such entities.

Current Enforcement Powers

PIPEDA empowers the Privacy Commissioner of Canada to investigate complaints regarding violations of the Act, which can be initiated by individuals or by the OPC itself. Generally speaking, the Privacy Commissioner’s enforcement powers reflect an ombudsman model, whereby the OPC investigates and mediates complaints under PIPEDA as a neutral third party. The Privacy Commissioner has the power to summon witnesses, administer oaths and compel production of evidence, but not to issue final orders. With the Digital Privacy Act amendments in 2015, the Privacy Commissioner can enter into a compliance agreement with an organization, pursuant to which the organization agrees to steps it will take to bring itself in compliance with PIPEDA. The Privacy Commissioner can also apply to the Federal Court for a court order for matters that remain unresolved following the foregoing process, requesting either an order requiring an organization to comply with its compliance agreement or another court order provided for under the Act.

The OPC has long called for enforcement powers (most recently in its 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act) but the power to enter into compliance agreements has been the only notable change in its powers to date.

Enforcement Considerations

In the opinion of numerous academic and industry commentators, the limited enforcement powers currently available to the Privacy Commissioner under PIPEDA hamper the effectiveness of the OPC as a regulator. Indeed, current and past Privacy Commissioners have also proposed to the government that granting stronger enforcement powers and incentives for compliance with PIPEDA would enhance the ability of the OPC to protect individuals’ privacy rights. Different enforcement options that have been recommended and considered include the ability for the Privacy Commissioner to impose statutory damages, administrative monetary penalties, and make orders. In addition, the OPC has recommended legislative changes to empower it to be take proactive steps in respect of matters such as online reputation.

In the course of its review, the Committee heard from 68 witnesses and received 12 written submissions. Many of these oral and written submissions expressed support for amending PIPEDA to grant the Privacy Commissioner broader enforcement powers, though the specifics of these recommended powers varies. The enforcement powers proposed by witnesses in their submissions to the Committee included, among others, the following:

• - granting the Privacy Commissioner broad discretionary authority to impose administrative monetary penalties or the authority to impose fines;
• - introducing a statutory right of action exercisable by individuals without a prior complaint to the OPC, supported by statutory damages;
• - establishing a maximum deterrent fine based on a percentage of the offending business’ worldwide turnover for the previous year and a second threshold amount, the greater of which would be applied (an approach consistent with the European Union’s General Data Protection Regulation, or “GDPR”);
• - authorizing the Privacy Commissioner to impose fines on organizations specifically in cases of substantial or systemic non-compliance with privacy obligations; and
• - empowering the Privacy Commissioner to encourage, and in some cases require, the use of privacy protection tools such as codes of conduct, privacy seals, and privacy impact assessments.

Other suggested approaches included giving the OPC a more proactive role by enabling the Privacy Commissioner to issue advance compliance rulings regarding new technologies, thereby lessening the need for later investigation and enforcement.

Comparing Canada’s privacy legislation to that of other countries around the world, the Report noted that data protection authorities in the United Kingdom, Ireland, New Zealand, and Spain have order-making powers, with the United Kingdom and Spain also having the ability to impose fines. In the UK, fines of up to £25,000 are permitted, whereas in France, fines of up to €300,000 are allowed. Under the GDPR, as noted, fines are based on a percentage of an organization’s annual revenue.

Report Recommendations

The Committee concluded in the Report that there is a demonstrated need to grant the Privacy Commissioner enforcement powers related to PIPEDA and recommended modelling the Canadian approach after the system currently in place in the United Kingdom. Specifically, the Report recommended that PIPEDA be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.

In addition, the Report recommended that PIPEDA be amended to give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate, which follows a recommendation made by former Privacy Commissioner Jennifer Stoddart. Such powers would augment the existing powers of the Privacy Commissioner under PIPEDA to conduct audits of how organizations governed by the Act use personal information, make public any information that comes to the Privacy Commissioner’s knowledge in the performance or exercise of any of his or her duties if it is in the public interest, and coordinate with provincial counterparts in initiatives such as the development of model contracts.

Key Take-Aways

The question of granting broader enforcement powers to the Privacy Commissioner goes to the heart of the OPC’s purpose and role. If the OPC is to have an open and collaborative relationship with businesses to encourage and facilitate design of products and services that respect Canadians’ privacy rights, some fear that a stronger enforcement mandate for the OPC could deter such cooperation and openness from the business community. On the other hand, creating a body of precedents for enforcement of PIPEDA could help build greater certainty and confidence among businesses by demonstrating consistency and predictability in application of the legislation.

In the course of submissions, some concern was expressed by business community representatives that broad enforcement powers for the OPC could discourage legitimate business use of information due to fears of non-compliance and the costs of associated compliance endeavours. Seen from another perspective, however, greater enforcement powers for the Privacy Commissioner could help level the playing field between organizations acting prudently and making investments in compliance and those disregarding privacy legislation.

Order making power and other enforcement powers are not a done deal. There are significant legal risks associated with the introduction of order making powers, include the outstanding constitutional problems  (chiefly concerning the division of powers).

The introduction of order making powers, including the ability to impose monetary penalties, would create even more disparity between the Commissioner’s powers under the Privacy Act (the public sector privacy legislation which the OPC also administers) and those under PIPEDA.

Finally, the introduction of order making powers, including the ability to impose monetary penalties, would likely require a significant overhaul of the OPC’s current institutional structure as the current structure means that the OPC is not only charged with investigating alleged violations but would also be charged with making decisions. A 2011 Report titled Powers and Functions of the Ombudsman in the Personal Information Protection and Electronic Documents Act: An Effectiveness Study notes that “it would seem that replacing the Office with an agency in the decentralized organizations category, and more specifically, a social regulatory agency…endowed with administrative powers (e.g. power of investigation), decision-making powers (e.g. power to make orders and impose penalties) and regulatory powers, is an option that could be given serious attention”.