My Appearance Before the Standing Committee on Access to Information, Privacy and Ethics to discuss PIPEDA

Today, I appeared before the Standing Committee on Access to Information, Privacy and Ethics to discuss PIPEDA with Chantal Bernier, Alysia Lau, John Lawford and Robert Gary Dickson.

My opening remarks are posted below (note that the introduction is in French but I have added the English translation in a footnote). I will provide the link to the full transcript once it is made available online.

APPEARANCE BEFORE THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY and ETHICS – FEBRUARY 14, 2017

Merci de l’invitation.

Je suis heureuse d’être ici aujourd’hui et d’avoir ainsi l’occasion de partager mes réflexions sur des sujets importants pour les Canadiens en matière de protection de la vie privée.  Je suis associée chez Borden Ladner Gervais LLP et j’enseigne également à la Faculté de droit de l’Université de Montréal. C’est à titre personnel que je comparais aujourd’hui, ne présentant que mes idées et non les opinions de mon cabinet ou de ses clients, ou encore d’autres organisations auxquelles je suis associée.

Je traiterai de deux sujets qui ont fait l’objet de consultations de la part du Commissariat à la protection de la vie privée au cours de la dernière année: (i) les enjeux touchant le consentement valable; et (ii) la réputation et le respect de la vie privée. De plus, je dirai quelques mots sur les pouvoirs d’exécution.

Bien que je témoignerai en anglais, je répondrai aux questions en français ou en anglais. [1]

1. Meaningful Consent

PIPEDA is based on the Fair Information Practices which were initially drafted in the early 1970s – and we should keep in mind that their main purpose was to address specific concerns pertaining to computerized databases and the fact that different public and private sector organizations could exchange personal information more easily without the knowledge or consent of individuals. At that time, the best way to deal with these new concerns was deemed to have individuals keep control of their personal information.

Forty years later, this concept is still one of the most predominant theories of privacy and the basis for data protection laws around the world, including PIPEDA. But the “notice and choice” approach is no longer realistic: Individuals are overloaded with information in quantities that they cannot realistically be expected to process or comprehend. As raised by the OPC, the complex information flows and new business models involving a multitude of third parties have also challenged the traditional consent model.

  • Considerations before Amending PIPEDA

A first issue is whether we should be amending PIPEDA on the issue of consent. Jean Carbonnier, one of the most prominent French jurists of the 20th century, has stated (in French): “Ne légiférer qu’en tremblant.” What he meant was that we should be very cautious when enacting or amending laws. We have to be careful to make sure that the amendment will not be detrimental or problematic as soon as new technologies emerge.

The current wording pertaining to obtaining consent under PIPEDA is quite flexible, and is definitely flexible enough to accommodate new types of technologies and business models.

This being said, the downside of such flexibility is that it creates uncertainty. Therefore, policy guidance on enhancing transparency and obtaining valid consent is increasingly necessary to address some of this uncertainty and allow organizations to innovate without taking major legal risks. Businesses look up to the OPC to provide such guidance and its recent guidance on Online Behavioral Advertising, app development and IoT is quite useful. These documents are more than ever relevant and timely.

  • Evolving Social Norms

Under PIPEDA, in determining the form of consent to use, organizations shall consider the “reasonable expectations” of the individual. What these expectations are in any given context, and whether certain activities are legitimate from a privacy perspective, is often a function of many factors, including the prevailing social norms.

Another argument against amending PIPEDA on the notion of consent pertains to the fact that social norms in connection with any new technology or business practice may not yet be established.

The OPC has, over recent years, commissioned certain surveys meant to explore the awareness, understanding and perceptions of Canadians on certain issues and new technologies. These studies are increasingly important since they allow us to gain a better understanding of consumers and their expectations and help evaluate how the social norm in connection with a given technology or business practice is evolving.

  • Considering a Risk-based Approach

Over the last few years, I have proposed, through various publications, that perhaps part of the solution to address some of the challenges pertaining to the consent model could include the adoption of a risk-based approach or interpretation under which we would focus on obtaining express consent only for data collections, uses or disclosures if such activities may trigger a risk of harm for individuals. For instance, express consent would be required when using personal information to make an eligibility decision impacting the individual, a disclosure that would involve sensitive or potentially embarrassing information or a practice that would go against the expectation of the individual.

A risk-based approach may allow organizations to streamline their communications with individuals, reducing the burden and confusion on individual consumers since they would receive fewer requests for consent, and these requests would be meaningful in the sense that they would focus on what matters to them. Although this type of approach would imply rethinking, to some extent, PIPEDA’s current consent model, it could be further explored in the foreseeable future.

2. Online Reputation

The Office of the Privacy Commissioner of Canada recently chose to make reputation and privacy one of its priorities for the next few years and launched a consultation last year in which it asked if there is a way to apply a “right to be forgotten” in Canada.

With Internet technologies, there is a temporal shift in the sense that pieces of information can outlive the context in which they were initially published and considered legitimate. Security expert Bruce Schneier stated a few years ago: “We’re a species that forgets stuff … We don’t know what it’s like to live in a world that never forgets.”

The right to be forgotten is the “right” famously coined by the Court of Justice of the European Union in its May 2014 landmark decision, in which it authorized an individual’s personal information pertaining to past debts to be removed from accessibility via a search engine.

While this right may sound appealing at first, especially in view of the protection granted to the privacy and reputation of individuals, the issue is more complex. Aside from the constitutional challenges that a right to be forgotten would raise, there are significant risks with entrusting private entities (i.e., search engines) with the tasks of arbitrating fundamental rights and values. A decision to de-index content is quite complex, as it would require considering numerous criteria, including the nature of the content, the potential audiences that might deem it useful, the credibility and quality of the content, whether the figure affected is a public one and whether the information is of public interest, to name just a few. It would fall to search engines to enforce this right, and these companies would have an incentive to err on the side of more removal, rather than less, in order to reduce costs or to avoid potential legal liability.

Courts, unlike private sector entities, have the expertise and independence to strike an appropriate balance between the two fundamental values that are often opposed in these types of requests, namely freedom of expression and privacy. On this issue, the Federal Court of Canada recently issued a decision in the Globe24h case last month, illustrating that courts should be the ones issuing orders to remove information from Google search results.

Quebec has a very stringent privacy and reputation legal framework in place. The right to privacy has been elevated to the rank of a fundamental right, protected by the Quebec Charter of Human Rights and Freedoms. The Civil Code of Québec prohibits the publishing of someone’s name, image, likeness or voice for a purpose “other than the legitimate information of the public.” While recovery for defamation in common law jurisdictions may be barred if the statements are true, in Quebec, the fact that information published is true does not suffice to avoid civil liability. This being said, even with this stringent legal framework in place, some challenges in addressing online reputation issues remain.

First, the notion of res judicata may prevent an individual from going before the courts and asking that certain information be removed if this request was made in the past and already decided upon. Periods of limitations must also be revisited to ensure that this legal framework can adequately address the fact that with the Internet, data legitimately published may, after a certain period, become irrelevant, or the fact that the data that was once considered outdated may become relevant again over time. Second, pursuing litigation can be quite expensive, which may not make this type of tool or recourse always accessible.

Perhaps efforts should be directed to improving our legal framework, notably by increasing access to justice, or implementing a fast track system for online removal requests, rather than by copying a European style right to be forgotten.

Finally, the right to be forgotten includes extraterritorial issues that should be considered. The Federal Court of Canada in its Globe24h decision opened up an important debate on the jurisdictional reach of privacy laws. All eyes are now on the Supreme Court of Canada that will be rendering its decision dealing with these issues in the Equustek v. Google matter in the near future. 

3. Enforcement Powers

The former privacy commissioner of Canada, Jennifer Stoddart, had asked for stronger enforcement powers under PIPEDA which could include order-making powers and the power to impose penalties or statutory damages. In foreign jurisdictions (in the U.S., the EU), privacy regulators have such powers. This could provide an additional incentive for Canadian businesses to protect the personal information under their control. This being said, I wanted to raise one concern.

As mentioned earlier, PIPEDA is based on flexible, technology-neutral principles. The benefit of this flexibility is that it can accommodate new types of technologies and business models, but the downside of this flexibility is that it creates uncertainty – it is not always clear for businesses how they must comply with PIPEDA, especially when launching new products or services or innovative technologies. If, on top of this uncertainty, there is also the risk of statutory damages or penalties, I am concerned that businesses will hesitate to launch new products and services and that in the end, this will affect innovation and our competitive advantages as a nation driven by research, development and innovation.

I am of the view that any enforcement powers, penalties or statutory damages should come into play only once a certain practice is clearly illegal, and once the organization has been advised of such and is refusing to adjust its business practices.

***

As a final thought, I have some concerns with the adequacy test that Canada will undergo in the coming years. The European General Data Protection Regulation (GDPR) coming into force in 2018 will include certain new rights that are not currently included in PIPEDA: a right to be forgotten and a right to data portability.

We have important issues on our plate to ensure that our current data protection regime will survive and remain relevant in the future. We have some challenges with our current “notice and choice” model and perhaps addressing these issues should be our priority.

I have made written submissions in response to the OPC’s consultation on privacy and consent and its consultation and call for essays on online reputation. My submissions are available on the OPC’s website.

Thank you, and I welcome questions.

 

[1] Thank you for the invitation. I am delighted to be here today and have the opportunity to share my thoughts on important privacy issues. I am a partner at Borden Ladner Gervais LLP and I also teach at the University of Montreal Law Faculty. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients or other organizations with which I’m associated. I will mostly discuss the two topics which were the subject of consultations by the Office of the Privacy Commissioner in the last year: (i) privacy and consent; and (ii) online reputation. I will also have a few words on enforcement powers. Although I will testify in English today, I will answer questions in French or English.

 

This content has been updated on February 14, 2017 at 20 h 55 min.