Question Period Note: RECOMMENDATIONS TO REFORM PIPEDA

About

Reference number:
ISED-2019-QP-00018
Date received:
Dec 4, 2019
Organization:
Innovation, Science and Economic Development Canada
Name of Minister:
Bains, Navdeep (Hon.)
Title of Minister:
Minister of Innovation, Science and Industry

Issue/Question:

In light of recent recommendations made by the Privacy Commissioner, will the Government of Canada move forward to strengthen Canada’s privacy regime?

Suggested Response:

• The Federal Government is committed to ensuring that data privacy legislation protects the privacy of Canadians’ personal information while supporting innovation;
• We thank the Office of the Privacy Commissioner for its annual report and will carefully consider its recommendations;
• We agree that legislative changes to Canada’s privacy regime are needed to provide Canadians with the strongest protection possible and to meet the challenges of the digital world; and
• The Government will use feedback received from the National Digital and Data consultations and from the proposals to modernize PIPEDA to inform the development of these legislative reforms.

SUPPLEMENTARY MESSAGES
If pressed on the OPC review of Statistics Canada’s Financial Transaction Data Pilot Project
• The Federal Government takes the privacy and confidentiality of Canadians' data very seriously, and the Chief Statistician has committed to implementing the recommendations in the OPC’s Annual Report;
• Statistics Canada is also deeply committed to upholding the strict privacy and confidentiality measures that Canadians expect of the agency; and
• The pilot project remains on hold until the privacy concerns of Canadians are addressed.

If pressed on the Privacy Commissioners’ findings on AggregateIQ’s privacy practices and the application of privacy laws to political parties
• We thank the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Privacy Commissioner of Canada for their work investigating AggregateIQ’s privacy practices in the use and disclosure of voters’ personal information; and
• The continued integrity of our electoral processes is of the utmost importance. The Minister of Innovation, Science and Industry is looking closely at Canada’s privacy frameworks and is prepared to work with federal colleagues on these important issues.

If pressed on the Privacy Commissioner’s finding on Facebook privacy practices
• Facebook must back up its commitment to protect Canadians’ personal data with consistent and measurable actions. Canadians deserve greater transparency and control over the use of their personal information; and
• The Government continues to engage with online platforms and communicate our expectations. We expect greater action and specific measures to increase transparency, authenticity and integrity, and to combat the spread of disinformation.

If pressed on the recommendation regarding enforcement powers of the Privacy Commissioner of Canada
• The Government of Canada is committed to examining options for strengthening PIPEDA’s enforcement regime; and
• Any proposal for stronger enforcement powers needs to be assessed in light of the impact on regulated organizations, in particular small businesses, and on their ability to work collaboratively with the Office of the Privacy Commissioner.

Background:

Office of the Privacy Commissioner’s Annual Report

On December 10, 2019, the Office of the Privacy Commissioner (OPC) released its annual report for 2018-2019, including extensive recommendations for reform of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act, in addition to the results of several high-profile investigations under those Statutes.

In the report, Commissioner Therrien notes that reforms to the federal privacy framework should start with basing federal privacy laws on the rights of individuals. The report goes on to detail proposed reforms to PIPEDA, including a new preamble and purpose clause. The report highlights the OPC’s investigations into Facebook and Equifax as demonstrating the Statute’s current limitations, particularly with regard to enforcement powers and the accountability principle.

Specifically, the OPC’s recommendations would define privacy as a freedom from unjustified surveillance and provide that the purpose of the Statute is to uphold the fundamental human right of privacy in the commercial context. The OPC recommends that it should have the powers to engage in proactive inspections of organizations, require organizations to demonstrate accountability, and issue binding orders and penalties. The OPC also believes that PIPEDA should provide individuals with a private right of action.

The report is critical of certain longstanding government and industry positions, and of certain reforms that the Government has proposed under the Digital Charter and accompanying discussion paper on PIPEDA. With regard to codes of practice, the OPC criticizes industry-promulgated codes as a form of “self-regulation”; the OPC states that any instruments to translate general legal principles into specific contexts should be prescribed as “subsidiary binding rules” by the OPC or some other “emanation of the state.” The OPC also criticizes the accountability principle, in its current form, as a kind of “self-regulation” and believes that the Equifax case has demonstrated the need to include new protections, “such as the European regime of standard contractual clauses.” While the OPC supports “alternative solutions to protect privacy where consent is not feasible,” the report also notes concerns with exceptions to consent discussed in ISED’s paper on PIPEDA reform. The OPC describes “standard business practices” as “too broad a concept that risks becoming a catch all exception, if not a gaping hole.” The OPC is also skeptical of the ability of organizations to appropriately define “socially beneficial purposes” in support of which they would not require consent.

The report provides updates on key operational trends for the OPC. The OPC was able to resolve 63% of the cases it closed this year through early resolution (rather than full investigations). The OPC notes that the cases that it could not resolve have generally involved emerging technology, new business models, and cross-jurisdictional implications. The OPC’s backlog of open cases increased 16% this year; however, the report notes that temporary funding provided in Budget 2019 should help reduce the number of open investigations. Finally, the OPC notes that it has experienced a 500% increase in the number of incoming data breach reports since November 2018 when mandatory data breach reporting came into effect under PIPEDA. The OPC believes that part of the reason for the dramatic increase is excessive caution and over-reporting by many businesses; for instance, the OPC found that 33% of the reports it had received by March 2019 did not actually meet the reporting threshold of “real risk of significant harm” required by the Act.

OPC Investigations of Facebook/AggregateIQ and Equifax

The OPC Annual Report highlights its investigations into Facebook, stemming from the Cambridge Analytica scandal, as demonstrating the shortcomings of the current enforcement regime. The OPC had released the findings of its joint investigation, with the Office of the Information and Privacy Commissioner of British Columbia, in April 2019. The Commissioners found that Facebook had violated federal and provincial requirements around consent, safeguarding, and accountability by disclosing personal information to a third-party app. The OPC indicated Facebook refused to implement the recommendations in an acceptable manner. As a result, they plan to seek an order from the Federal Court to compel the company to make changes to its privacy practices.

The OPC and OIPC released the findings of their related joint investigation into AggregateIQ (AIQ), a BC data and advertising company and former service provider to Cambridge Analytica, in November 2019. The Commissioners found that AIQ failed to secure appropriate consent from individual voters in the consulting services it provided to political campaigns in Canada, the US, and the UK; the company did not take reasonable steps to ensure that consent obtained by its international clients was valid for its practices in Canada. As well, the company did not take reasonable security measures to protect personal information, leading to a privacy breach in 2018. The OPC and OIPC were satisfied with AIQ’s commitment to taking a number of measures to improve its security and will follow up with AIQ in the coming months to confirm that they have implemented the investigation recommendations.

In the April 2019 findings of its investigation of a 2017 data breach, the OPC found Equifax Canada’s transfer of Canadians’ personal information to its US parent company to be “inconsistent” with consent obligations. Accordingly, the OPC launched a formal consultation on proposed revisions to its policy position on transborder data flows that would have required organizations to obtain consent before disclosing personal information to an organization across a border, including for the purposes of processing the information. This raised significant concerns among business stakeholders across all sectors about the economic impacts of the position, and in September 2019 the OPC announced that it would maintain its previous, longstanding position on transborder data flows. The announcement was well received by stakeholders. Despite this, in its Annual Report, the OPC believes that the Equifax case highlights the insufficiency of the accountability regime.

OPC Investigation of Statistics Canada

The report details the OPC’s findings of its investigations into two administrative data pilot projects by Statistics Canada: the Financial Transactions Pilot Project, for which no data was collected; and the Credit Information Project, for which data was collected to provide Canadians and policy makers with statistics on debt levels. The investigation was launched in November 2018 following concerns expressed by Canadians regarding the privacy of their financial data. The Chief Statistician placed the projects on hold pending completion of the investigation and until the privacy concerns have been addressed.

Statistics Canada will continue to work with the Office of the Privacy Commissioner following the release of the report to chart a new approach to the gathering of personal information. Statistics Canada is also consulting the Canadian Statistics Advisory Council and international privacy and statistical experts to develop and embed the concepts of necessity and proportionality in the design of its statistical activities.

Additional Information:

None