The Right to Data Portability

This is the second in our series on the privacy promises we can expect from a Liberal minority government.

From Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

In Canada’s Digital Charter, data portability fits within the fourth principle:

‘Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.’

Clear and manageable access

Theoretically, Canadians already have “clear and manageable access” to their personal data.

For federal government institutions, Canadians have a right of access contained within section 12 of the Privacy Act. For private sector businesses, Canadians can submit requests to access personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

In British Columbia, access to personal information held by provincial public bodies is realized through section 5 of the Freedom of Information and Protection of Privacy Act (FIPPA). For private businesses within the province, section 23 of the Personal Information Protection Act (PIPA) gives residents this ability.

In theory, the information rights enshrined within these four Acts already gives Canadians “clear and manageable access to personal data”. What’s new then is the ability to “share or transfer it without undue burden.”

What this means, exactly, is not quite as clear.

Sharing and transferring data without undue burden

In their 2019 election platform, the Liberal Party describes data portability as the ability for people to “take their data from platform to platform” (40).

From this, we might assume that someone would have the right to extract all of their data from a platform like Facebook, Twitter, or Snapchat, and transfer it to a new platform that offers a similar service.

Why would someone want to do this? One reason might be that an alternative service provider offers greater privacy protections, which in turn would create greater competition among monopolistic platforms.

This also gives Canadians the opportunity to make meaningful choices about how they share their personal information with platforms.

International models

In the European Union, Article 20 of the General Data Protection Regulations (GDPR) gives residents a right to data portability. This right allows data subjects to receive personal data about themselves from data controllers and transmit that data to other controllers.

The GDPR also ensures that the data is provided “in a structured, commonly used and machine-readable format” and provides the right to have the personal data transmitted directly from one data controller to another.

A major difference between the European Union’s GDPR and Canada’s PIPEDA is that Canada’s private sector privacy legislation frames privacy as data protection and not as a fundamental human right.

What does a humans rights based approach to privacy look like in legislation? Article 4 of the GDPR lists the fundamental rights the Regulation respects, which include:

“[T]he respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.’

The proposed right to data portability is a significant step towards creating a human rights based approach to privacy in Canada. While it is not as comprehensive as the GDPR, it will give individuals greater autonomy in their ability to control their own personal data.

LifeLabs breach highlights data protection crisis in Canada

Vancouver, December 18, 2019 –  Yesterday, LifeLabs announced a data breach that affects 15 million Canadians. The breach, which primarily impacts clients in BC and Ontario, includes highly sensitive personal information, like medical diagnostic test results and genetic information.

The information was breached on October 28, 2019. LifeLabs has paid an unreported sum to cybercriminals for the return of the data, but it is unknown if copies of the data were made by the cybercriminals. LifeLabs is offering one year of cyber protection monitoring and security insurance to its customers.

This latest breach means that, in a period of just one year, every Canadian has likely been the victim of a data breach or knows someone who has.

According to figures released by the Office of the Privacy Commissioner of Canada, 28 million Canadians have been the subject of a data breach since November 1, 2018. With an additional 15 million Canadians impacted by the LifeLabs breach, that means there were more than 43 million incidents between November 2018 and November 2019.

This situation represents a crisis for privacy and data protection in Canada.

“Canadian privacy laws, both federal and provincial, are simply inadequate,” says Joyce Yan, FIPA’s Interim Executive Director. “They do not and will not protect Canadians from the potential harms that come from our increasingly digital world. Urgent law reform is needed. Every privacy commissioner in Canada needs to have investigatory, order-making, and fining power. Data breaches must be reported to them immediately.”

While breach notification became mandatory at the federal scale last year, it is still not a requirement provincially. As well, it is not required that companies notify individuals when their data has been breached. Public bodies are not required to report breaches at all.

“Private companies must face repercussions for negligent data handling practices,” says Yan. “These should include financial penalties for the company, financial penalties for individuals at the company, possible charges of criminal negligence, and financial compensation for those impacted.”

During an interview, LifeLabs CEO Charles Brown stated that he did not know if the data that was breached was even encrypted.

“This is an unacceptable and irresponsible position for leadership to hold. The head of a company that is entrusted with processing data that relates to the intimate aspects of our lives—our health, wellness, and biology—must be informed about the security measures taken to protect that information,” says Yan.

The Information and Privacy Commissioners for Ontario and BC are investigating the breach and will release a report at that investigation’s conclusion.

Contact:

Joyce Yan, Interim Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone:  604-739-9788

-30-

Increase the powers of the Privacy Commissioner of Canada

This is the first in our series on the privacy promises we can expect from a Liberal minority government.

(From Innovation, Science and Economic Development Canada’s ‘Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information and Protection of Electronic Documents Act.) 

1. Meaningful Consent

One of the commitments to increase the powers of the Privacy Commissioner of Canada concerns their ability to determine what type of consent needs to be generated with individuals when personal information is being collected by organizations.

While the Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to notify individuals of the purposes of the collection, use, or disclosure of personal information, further clarifications are necessary in order to determine what constitutes meaningful consent

Canada’s Digital Charter proposes increasing the powers of the Privacy Commissioner of Canada in order to realize and enforce the enhanced consent requirements that are necessary to achieve meaningful consent.  

With funding from the Office of the Privacy Commissioner of Canada, BC FIPA is holding a Design Jam in Ottawa on March 5th and 6th that explores meaningful consent and connected devices.

2. Fining Powers

The Privacy Commissioner of Canada is somewhat limited in their ability enforce privacy laws. They are able to conduct investigations, make recommendations, expose non-compliant organizations in the public interest, and pursue recourse in the Federal court—but are not able to issue fines against offending organizations.

Recently, we’ve seen two highly publicized examples that highlight the need for the Privacy Commissioner to be able to issue fines. The first, is the investigation into Facebook’s compliance with the Personal Information Protection and Electronic Documents Act, which found that Facebook violated the consent provisions in the Act when disclosing personal information to third-parties. In this case, Facebook did not comply with the investigation and the Privacy Commissioner has stated his intention to sue the company in federal court.

The second example is the joint investigation between the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for BC (OIPC BC) into the conduct of a company called AggregateIQ. Once again, the investigation found that the company violated both federal and provincial privacy laws in their business operations. Despite this, the OPC and OIPC BC are unable to issue fines for non-compliance. However, unlike Facebook, AggregateIQ has demonstrated an interest in becoming compliant.

Canada’s Digital Charter proposes financial consequences for organizations that are non-compliant with PIPEDA. This follows the order-making powers that several provincial privacy commissioners already have, that the European Union’s General Data Protection Regulations created in their Information Commissioner’s Office, and that the United States’ Federal Trade Commission has used.

This new fining power will help to deter the kinds of high-profile incidents involving breaches of personal information we have seen occurring over the last several years.

3. Cessation and Records Preservation Orders

Under PIPEDA, the Privacy Commissioner of Canada already has investigatory powers. They are able to compel evidence, administer oaths, enter premises, examine documents, and interview witnesses. Canada’s Digital Charter propose amendments to PIPEDA in order to increase the Commissioner’s ability to initiate an investigation and to create order-making power in the form of cessation and records preservation orders.

The cessation and records preservation orders will allow the Commissioner to preserve records during the course of an investigation and to stop non-compliant organizations from further harming individuals through the non-compliant collection, use, and disclosure of their personal information.

4. Privacy Research

Lastly, Canada’s Digital Charter proposes that the Privacy Commissioner of Canada be able to conduct research into privacy themes in order to provide clarity on emerging issues.

Statement on Investigation Report into AggregateIQ

Privacy violations highlight the need for law reform

Earlier this week, the Office of the Privacy Commissioner of B.C. (OIPC BC) and the Office of the Privacy Commissioner of Canada (OPC) released a joint investigation report that found a B.C. company violated B.C.’s provincial and Canada’s federal privacy laws.

While conducting business on high-profile campaigns in the U.K., the U.S., and in Canada, the report states that AggregateIQ did not comply with the consent provisions in B.C.’s Personal Information Protection Act (PIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and did not employ reasonable security safeguards.

The report makes two recommendations in order for the offending company to become compliant with Canadian privacy laws:

  • That they take measures to ensure that the consent that they have received to collect, use, and disclose personal information is in compliance with PIPA and PIPEDA;
  • And that they employ reasonable security safeguards to protect the personal information in their control.

The OIPC BC and the OPC will collect evidence from the company in approximately six months to confirm that the recommendations have been implemented and that the company is now compliant.

Fines are the international standard for privacy enforcement

This response highlights the need for Canadian regulatory bodies to have the power to issue fines when they find organizations to be in violation of Canadian law.

When asked why no fines were issued despite the investigation finding the company to have violated Canadian privacy laws, the Information and Privacy Commissioner for B.C., Michael McEvoy said: “There are no fines because we do not have the authority to levy fines.”

Absent amongst the international media attention that this report received, is the observation that Canada’s privacy regulators are powerless to enforce privacy laws through fines.

International regulators are using their fining powers to compel compliance to great effect. Examples include the Federal Trade Commission’s $5 billion civil penalty against Facebook, and the Information Commissioner Office (ICO) in U.K.’s intention to fine British Airways more than £183 million.

In fact, the ICO in the U.K. has a standing enforcement notice against AggregateIQ, threatening fines of up to 20 million Euros should the company not comply with their notice within 30 days of the conclusion of the joint OIPC and OPC investigation.

This leads one to wonder if AggregateIQ is implementing the recommendations of the OIPC BC and OPC out of good faith, or because they face the threat of significant fines from an international regulatory body.

Canadian regulators need fining power to protect privacy

“At the end of the day, privacy, and the legislation that governs it, needs to be brought into the 21st century where the realities of cross-boundary data sharing leave much to be coveted in terms of protections for personal information,” says Joyce Yan, BC FIPA’s Interim Executive Director.

“We have been a longtime advocate for increasing the Commissioners’ powers, but with the case of AggregateIQ, it has become clear that order-making powers (a tool the federal Privacy Commissioner still doesn’t have in his toolkit) is simply not enough. The provincial and federal privacy laws are antiquated, and we are falling behind our foreign counterparts.”

We strongly urge our fellow privacy advocates to join us as we continue to push for law reform that gives Canadian regulators the power necessary to protect privacy and compel compliance.