MT>3
  • Home
  • About
  • People
  • Services
    • e-Discovery
    • Managed Review
    • Information Governance
    • Due Diligence
  • Blog
  • News
  • Contact

Countdown to GDPR:  Parliamentary Committee Recommends Substantial Revisions to PIPEDA – Part 3 – Online Reputation / “Right to be Forgotten”

15/5/2018

 

Read the original article by Kirsten Thompson, Charles Morgan and Maureen Gillis at Cyberlex:

As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation, (“GDPR”) which comes into force this year.

We have prepared a multi-part series of posts focusing in more depth on each section of the Report.

In this post, we summarize and comment on the Committee’s findings set out in Part 3 of the Report, which treats the issues of the “right to be forgotten”, the destruction of personal information and “privacy by design”.

The other posts in this series are:

Part I – Overview and Context of the Report

Part 2 – Consent

Part 3 – Online Reputation/ “Right to be Forgotten”

Part 4 – Enforcement Powers of the Privacy Commissioner

Part 5 – Adequacy of PIPEDA under the GDPR

Right to be Forgotten

The issue of online reputation has long been a topic of interest for lawyers whose practice addresses issues of defamation. However, in 2014, the topic was given novel treatment when the Court of Justice of the European Union (“CJEU”) rendered its decision on the issue of de-indexing in Google Spain v. AEPD and Mario Costeja Gonzales (“Google Spain”).

In that matter (which involved an individual who wished to have Google remove links between his name and website content related to an old bankruptcy proceeding that he had been involved in), the CJEU found that search engines, such as Google, must consider requests made by individuals to remove certain websites from the results produced when their name is searched. The case became associated with a nascent so-called “right to be forgotten”, since enshrined in the GDPR.

With this as the backdrop, the Committee examined whether PIPEDA should be amended to include an analogous, express “right to be forgotten” and, if so, what form(s) such a right should take.

The Committee’s first finding in this regard was that when online reputational damage occurs in the context of personal relationships rather than commercial transactions, PIPEDA does not apply (since the latter only applies to the collection, use and disclosure of personal information in a commercial context).   Moreover, the Committee noted that the Criminal Code treats a number of related offences, such as regards the publication of intimate images without consent. Accordingly, the Committee clarified that the scope of their analysis was limited to the protection of privacy and online reputation in the context of commercial transactions.

Second, the Committee noted that the “right to be forgotten” could be addressed through two distinct types of remedies: (a) the right to erasure; and (b) the right to de-indexing. The former involves the right of an individual to have his/her personal information deleted from a website; the latter involves the mere de-referencing or de-indexing of such website from search results that include the individual’s name (while leaving the source documents themselves in place).

Right to Erasure

As regards the right to erasure, the Committee noted that PIPEDA does not expressly contain such a right, although the principles of “consent”, “limited retention” and “accuracy” may be applied in some instances to give effect to a limited right of erasure in certain circumstances.

For example, according to Principle 4.3.8 of Schedule 1 to PIPEDA, an individual has the right to withdraw consent to the collection, use and disclosure of his/her personal information. If this is then combined with the limited retention principle, pursuant to which an organization may only retain personal information for so long as it is necessary for the fulfilment of the purposes for which it was collected, then (in some circumstances) an individual may successfully argue that, upon withdrawal of their consent, the organisation that holds their information should destroy it.

Moreover, pursuant to the “accuracy” principle, organisations should provide opportunities for individuals to update and correct any inaccuracies in the information that is held about them, particularly where such information may be used to make a decision about the individual. Finally, the Committee noted the recent Federal Court decision (A.T. v. Global24h.com) in which the court ordered the removal of personal information from a website because it determined that the information had not been collected for appropriate purposes, in violation of Section 5(3) of PIPEDA.

In this context, several of the Committee witnesses argued that PIPEDA should be amended to create a more comprehensive right of erasure (to address situations of cyberbullying or revenge porn, for example) that would be similar in scope to the right of erasure found in the GDPR. Others, however, raised substantive concerns about the potential negative impact on freedom of expression, as protected by the Charter. A representative of the Association of Canadian Archivists argued that a right of erasure must not unduly interfere with preserving the integrity of public documents.

Ultimately, the Committee expressed the view that individuals should have the right to have their personal information removed when they end a business relationship with a service provider or when the information was collected, used or disclosed contrary to PIPEDA. The Committee recommended that legislators look to the GDPR as a model as a means of clarifying the scope of such a right. Finally, the Committee concluded that, at a minimum, young people should have the right to have information that is posted about them (by themselves or by others) taken down.

Right to De-indexing

As regards the right to data de-indexing, the Committee not only noted the above-cited Google Spain decision, but also the more recent Supreme Court of Canada decision of Google Inc. v. Equustek Solutions Inc. (discussed in our previous post, here).

Although the latter case involved a de-indexing order in the context of litigation related to the unlawful publication of confidential information and trade secrets, some Committee witnesses argued that a similar logic could be applied to justify de-indexing of personal information. In this regard, as discussed in our previous post, the Office of the Privacy Commissioner of Canada (“OPC”) argued that this form of right to be forgotten already exists in PIPEDA and that it considered it appropriate to have search engines provide the first level of review of a de-indexing request. Since this approach raised concerns regarding the proper role of the private sector in administering administrative remedies, Committee witnesses argued for the importance of a transparent decision-making process and the OPC proposed a series of criteria that should be applied in relation to any de-indexing request.

Ultimately, the Committee recommended that the legislator consider including a de-indexing framework in PIPEDA and that the right be expressly recognized in cases related to personal information posted online by individuals when they were minors.

Destruction of Personal Information

Reinforcing the Committee’s discussion of the right to erasure (discussed above), certain witnesses argued that the erasure of data should be compulsory – not simply recommended – once it is no longer necessary for the purpose for which it was collected. Some argued that PIPEDA should be amended to include a clear definition of what is meant by the “destruction” of data, especially in contexts where complete destruction may be impractical (such as where traces of data may be stored in back-up storage). The Committee expressed support for such recommendations.

Privacy by Design

Finally, the Committee explored the idea of expressly introducing “privacy by design” principles into an amended PIPEDA. “Privacy by design” is meant to ensure that privacy considerations are taken into account at all stages of product development, including in relation to the design, marketing and retirement of the product.

The approach is based on the following seven foundational principles:

  1. Proactive not reaction; preventative not remedial
  2. Privacy as a default setting
  3. Privacy embedded into design
  4. Full functionality – Positive sum, not zero sum
  5. End to end security
  6. Visibility and transparency
  7. Respect for user privacy.

Key Take-Aways

Many Canadian businesses have followed the implementation of GDPR (coming into force in May 2018) only vaguely, on the assumption that the new EU data protection regulation will not apply. However, it is clearly time for all Canadian businesses to start paying much closer attention to privacy developments occurring “across the pond”. This is because the GDPR not only has extra-territorial application, it is also providing to be a major source of “inspiration” as Canadian legislators turn their minds to updating Canadian data protection law. Indeed, as Canada assesses what changes to PIPEDA (and analogous provincial legislation) may ultimately be required to maintain a favourable EU “adequacy status”, the GDPR principles may well find their way directly into Canadian legislation.


Comments are closed.

    Categories

    All
    Artificial Intelligence
    Blockchain
    Cyber Security
    E Discovery
    Information Governance
    Legaltech
    Privacy
    Social Media
    Technology


    Archives

    February 2021
    November 2020
    October 2020
    July 2020
    June 2020
    April 2020
    March 2020
    February 2020
    January 2020
    November 2019
    October 2019
    September 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    May 2018
    April 2018
    March 2018
    September 2017
    August 2017
    February 2017
    January 2017
    December 2016
    November 2016
    October 2016
    September 2016
    August 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    February 2016
    January 2016
    December 2015
    November 2015
    October 2015
    September 2015
    August 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    January 2015
    December 2014
    November 2014
    October 2014
    September 2014
    August 2014
    July 2014
    June 2014
    May 2014
    April 2014
    March 2014
    February 2014
    January 2014
    December 2013
    November 2013
    October 2013
    September 2013
    August 2013
    July 2013
    June 2013
    May 2013
    April 2013
    March 2013
    February 2013
    January 2013
    December 2012
    November 2012
    October 2012
    September 2012
    August 2012
    July 2012
    June 2012
    April 2012
    March 2012
    February 2012
    January 2012
    December 2011
    November 2011
    October 2011
    September 2011
    August 2011
    June 2011
    April 2011
    March 2011
    February 2011
    January 2011
    December 2010
    November 2010
    October 2010
    September 2010
    August 2010
    July 2010
    June 2010
    May 2010
    March 2010
    February 2010
    January 2010
    October 2009
    September 2009
    August 2009
    December 2008
    March 2008
    November 2007
    October 2007

130 Adelaide Street West Suite 2020
Toronto, Ontario M5H 3P5
​ ​
t: 416-642-2220  
tf: 1-877-642-2220  
f: 416-868-0673
Contact MT>3
@MT>3 2018. All Rights Reserved
Picture

Privacy Policy and Terms of Use

  • Home
  • About
  • People
  • Services
    • e-Discovery
    • Managed Review
    • Information Governance
    • Due Diligence
  • Blog
  • News
  • Contact