Increase the powers of the Privacy Commissioner of Canada

This is the first in our series on the privacy promises we can expect from a Liberal minority government.

(From Innovation, Science and Economic Development Canada’s ‘Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information Protection and Electronic Documents Act’.)

1. Meaningful Consent

One of the commitments to increase the powers of the Privacy Commissioner of Canada concerns their ability to determine what type of consent organizations must obtain from individuals when collecting their personal information.

While the Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to notify individuals of the purposes of the collection, use, or disclosure of personal information, further clarifications are necessary in order to determine what constitutes meaningful consent.

Canada’s Digital Charter proposes increasing the powers of the Privacy Commissioner of Canada in order to realize and enforce the enhanced consent requirements that are necessary to achieve meaningful consent.  

With funding from the Office of the Privacy Commissioner of Canada, BC FIPA is holding a Design Jam in Ottawa on March 5th and 6th that explores meaningful consent and connected devices.

2. Fining Powers

The Privacy Commissioner of Canada is somewhat limited in their ability to enforce privacy laws. They are able to conduct investigations, make recommendations, expose non-compliant organizations in the public interest, and pursue recourse in the Federal Court, but are not able to issue fines against offending organizations.

Recently, we’ve seen two highly publicized examples that highlight the need for the Privacy Commissioner to be able to issue fines. The first is the investigation into Facebook’s compliance with the Personal Information Protection and Electronic Documents Act, which found that Facebook violated the consent provisions in the Act when disclosing personal information to third parties. In this case, Facebook did not comply with the investigation and the Privacy Commissioner has stated his intention to sue the company in federal court.

The second example is the joint investigation between the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for BC (OIPC BC) into the conduct of a company called AggregateIQ. Once again, the investigation found that the company violated both federal and provincial privacy laws in their business operations. Despite this, the OPC and OIPC BC are unable to issue fines for non-compliance. However, unlike Facebook, AggregateIQ has demonstrated an interest in becoming compliant.

Canada’s Digital Charter proposes financial consequences for organizations that are non-compliant with PIPEDA. This follows the order-making powers that several provincial privacy commissioners already have, that the European Union’s General Data Protection Regulations created in their Information Commissioner’s Office, and that the United States’ Federal Trade Commission has used.

This new fining power will help to deter the kinds of high-profile incidents involving breaches of personal information we have seen occurring over the last several years.

3. Cessation and Records Preservation Orders

Under PIPEDA, the Privacy Commissioner of Canada already has investigatory powers. They are able to compel evidence, administer oaths, enter premises, examine documents, and interview witnesses. Canada’s Digital Charter proposes amendments to PIPEDA in order to increase the Commissioner’s ability to initiate an investigation and to create order-making power in the form of cessation and records preservation orders.

The cessation and records preservation orders will allow the Commissioner to preserve records during the course of an investigation and to stop non-compliant organizations from further harming individuals through the non-compliant collection, use, and disclosure of their personal information.

4. Privacy Research

Lastly, Canada’s Digital Charter proposes that the Privacy Commissioner of Canada be able to conduct research into privacy themes in order to provide clarity on emerging issues.

Statement on Investigation Report into AggregateIQ

Privacy violations highlight the need for law reform

Earlier this week, the Office of the Privacy Commissioner of B.C. (OIPC BC) and the Office of the Privacy Commissioner of Canada (OPC) released a joint investigation report that found a B.C. company violated B.C.’s provincial and Canada’s federal privacy laws.

While conducting business on high-profile campaigns in the U.K., the U.S., and in Canada, the report states that AggregateIQ did not comply with the consent provisions in B.C.’s Personal Information Protection Act (PIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and did not employ reasonable security safeguards.

The report makes two recommendations in order for the offending company to become compliant with Canadian privacy laws:

  • That they take measures to ensure that the consent that they have received to collect, use, and disclose personal information is in compliance with PIPA and PIPEDA;
  • And that they employ reasonable security safeguards to protect the personal information in their control.

The OIPC BC and the OPC will collect evidence from the company in approximately six months to confirm that the recommendations have been implemented and that the company is now compliant.

Fines are the international standard for privacy enforcement

This response highlights the need for Canadian regulatory bodies to have the power to issue fines when they find organizations to be in violation of Canadian law.

When asked why no fines were issued despite the investigation finding the company to have violated Canadian privacy laws, the Information and Privacy Commissioner for B.C., Michael McEvoy, said: “There are no fines because we do not have the authority to levy fines.”

Absent amongst the international media attention that this report received is the observation that Canada’s privacy regulators are powerless to enforce privacy laws through fines.

International regulators are using their fining powers to compel compliance to great effect. Examples include the Federal Trade Commission’s $5 billion civil penalty against Facebook, and the intention of the U.K.’s Information Commissioner’s Office (ICO) to fine British Airways more than £183 million.

In fact, the ICO in the U.K. has a standing enforcement notice against AggregateIQ, threatening fines of up to 20 million Euros should the company not comply with their notice within 30 days of the conclusion of the joint OIPC and OPC investigation.

This leads one to wonder if AggregateIQ is implementing the recommendations of the OIPC BC and OPC out of good faith, or because they face the threat of significant fines from an international regulatory body.

Canadian regulators need fining power to protect privacy

“At the end of the day, privacy, and the legislation that governs it, needs to be brought into the 21st century where the realities of cross-boundary data sharing leave much to be coveted in terms of protections for personal information,” says Joyce Yan, BC FIPA’s Interim Executive Director.

“We have been a longtime advocate for increasing the Commissioners’ powers, but with the case of AggregateIQ, it has become clear that order-making powers (a tool the federal Privacy Commissioner still doesn’t have in his toolkit) is simply not enough. The provincial and federal privacy laws are antiquated, and we are falling behind our foreign counterparts.”

We strongly urge our fellow privacy advocates to join us as we continue to push for law reform that gives Canadian regulators the power necessary to protect privacy and compel compliance.

Federal Election 2019 Results: What does a Liberal minority government mean for ATI and privacy?

Previously, we compared access to information and privacy commitments in the platforms of four of Canada’s major federal political parties. Now, we’ll take a look at what we can expect from a Liberal minority government.

With the election results in, we now have greater clarity about how Canada will proceed with access to information and privacy in the years to come.

According to our ranking system, the Liberal Party made a total of six commitments out of a possible eleven, none of which were related to access to information. The only party to make more commitments was the Green Party.

Should the Liberal Party keep its commitments, we can expect the changes outlined below to privacy and data protection in Canada. These changes are part of something that the Liberal Party is calling Canada’s Digital Charter and were proposed before the election, in early 2019.

In an attempt to ensure equality, not all of the items contained within Canada’s Digital Charter were included within our ranking system. As noted below, some of these abilities theoretically already exist within Canada’s legislative framework.

The changes are the following:

In the coming months, we’ll publish articles that explain what each of these promises means for Canadians and their privacy.

It should also be noted that Canada’s Digital Charter is based on consultations that took place between June and October of 2018. After FIPA was not invited to participate in any of the sixteen consultations, we filed an access to information request to learn who was in attendance.  

We learned that civil society organizations were significantly underrepresented in all the roundtable discussions, while input from the technology industry was overrepresented. On average, less than ten per cent of attendees were from civil society. In one case, representation from civil society was entirely absent.

Check back in on the news section of our website as we release the articles exploring the new rights that were promised by the Liberal Party during their 2019 campaign. This page will also be updated to include links to the articles as they become available.

Which party will deliver most transparent government?

By Stanley Tromp

Stanley Tromp is a Vancouver independent journalist and author of the book Fallen Behind: Canada’s Access to Information Act in the World Context.

Canada’s Access to Information Act of 1982 is an essential law that allows citizens and the media to obtain government records on many vital topics, such as health and safety, crime, public finance and the environment. Yet today it could be equated to a rusted manual typewriter in the iPhone-Twitter age. In 2008, I wrote a book called Fallen Behind, which compared all the world’s freedom of information laws to reveal that our ATI Act had lagged far behind global FOI standards in their level of openness.

Over the past decade, more than 50 nations have passed FOI laws for a total of 128, and such access has come to be recognized by courts as a “human right.” In the authoritative Global Right to Information Rating system of the world’s laws, Afghanistan ranks number 1, while Canada – which ironically has worked so hard to transform that nation from a theocratic dictatorship into a modern democracy – ranks 58th. (The top ten list includes Serbia, Sri Lanka, Slovenia, Albania, India, Croatia, and Liberia.)

The problem has grown so much worse that, indeed, the second edition of this book – to be released later this year – could well be entitled Fallen Further Behind.

In the 2015 election campaign, Liberal leader Justin Trudeau made several FOI reform promises, and after he won, actually kept a few of them. In Ottawa this year, Bill C-58 was passed, which grants the Information Commissioner the power to order government to release records against its will.

Even this new power has received very mixed reviews, mostly negative. The Commissioner has objected that the Bill is in fact a “regression” of existing FOI rights, and the new power is not “a true order-making model” due to five serious failings with it, features that are mostly absent in the rest of the FOI world.

The Liberal party broke its pledge to have the prime minister’s and ministers’ offices covered under the ATIA, instead prescribing only some proactive release of some self-selected records, which is a form of faux transparency.

Overall, as Information Commissioner John Reid said in a 1999 speech: “It amuses me to see the profound change in attitude about access to information which occurs when highly placed insiders suddenly find themselves on the outside. And vice versa!”

To raise our ATI Act to world standards, the law needs a public interest override, a harms test for all exemptions, some limit on the delays that authorities are allowed to claim, and new rules for officials to create and preserve records so as to defeat the growing menace of “oral government.” This last occurs when officials no longer commit their thoughts to paper, and convey them verbally instead, to avert the chance of the information emerging in response to FOI requests.

We also need FOI coverage of the wholly owned and controlled entities that perform public functions and spend billions of taxpayers’ dollars. Today more than 100 such quasi-governmental entities are still not covered by the ATIA. The exclusion of some of these, such as the Canadian Blood Services, the nuclear Waste Management Organization and air traffic controllers, could result in harm to public health and safety.

As well, the records of cabinet discussions are excluded completely from the scope of the FOI law only in Canada and South Africa, whereas other nations have a mandatory exemption for it. The ATIA’s Section 21 exemption for policy advice is far broader than in most of the world, and it is being overapplied to withhold countless records in the public interest. (Its 20-year secrecy limit is grossly overlong, compared to the five years set in Nova Scotia’s FOI law.) In the world, 78 nations grant citizens a right to access state-held information in their Constitutions or Bill of Rights, while Canada does not.

“As someone who travels around the world promoting the right to information, it is frankly a source of profound embarrassment to me how poorly Canada does on this human right,” writes Halifax lawyer and FOI expert Toby Mendel. “Given that everyone who uses this system regularly is aware that it is profoundly broken, it is inexplicable that it does not get fixed.”

By stubbornly holding Canada back in such an insular, stagnant backwater within the FOI world, Prime Minister Trudeau is placing our country’s reputation for democratic process at risk. When will the ATI Act be raised to accepted global standards? Will we have to wait another 36 years to finally bring it into the 21st century?

In this 2019 federal election campaign, Canadians should insist upon answers from all the candidates.