The Right to Data Portability

This is the second in our series on the privacy promises we can expect from a Liberal minority government.

From Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

In Canada’s Digital Charter, data portability fits within the fourth principle:

‘Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.’

Clear and manageable access

Theoretically, Canadians already have “clear and manageable access” to their personal data.

For federal government institutions, Canadians have a right of access contained within section 12 of the Privacy Act. For private sector businesses, Canadians can submit requests to access personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

In British Columbia, access to personal information held by provincial public bodies is realized through section 5 of the Freedom of Information and Protection of Privacy Act (FIPPA). For private businesses within the province, section 23 of the Personal Information Protection Act (PIPA) gives residents this ability.

In theory, the information rights enshrined within these four Acts already gives Canadians “clear and manageable access to personal data”. What’s new then is the ability to “share or transfer it without undue burden.”

What this means, exactly, is not quite as clear.

Sharing and transferring data without undue burden

In their 2019 election platform, the Liberal Party describes data portability as the ability for people to “take their data from platform to platform” (40).

From this, we might assume that someone would have the right to extract all of their data from a platform like Facebook, Twitter, or Snapchat, and transfer it to a new platform that offers a similar service.

Why would someone want to do this? One reason might be that an alternative service provider offers greater privacy protections, which in turn would create greater competition among monopolistic platforms.

This also gives Canadians the opportunity to make meaningful choices about how they share their personal information with platforms.

International models

In the European Union, Article 20 of the General Data Protection Regulations (GDPR) gives residents a right to data portability. This right allows data subjects to receive personal data about themselves from data controllers and transmit that data to other controllers.

The GDPR also ensures that the data is provided “in a structured, commonly used and machine-readable format” and provides the right to have the personal data transmitted directly from one data controller to another.

A major difference between the European Union’s GDPR and Canada’s PIPEDA is that Canada’s private sector privacy legislation frames privacy as data protection and not as a fundamental human right.

What does a humans rights based approach to privacy look like in legislation? Article 4 of the GDPR lists the fundamental rights the Regulation respects, which include:

“[T]he respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.’

The proposed right to data portability is a significant step towards creating a human rights based approach to privacy in Canada. While it is not as comprehensive as the GDPR, it will give individuals greater autonomy in their ability to control their own personal data.

Increase the powers of the Privacy Commissioner of Canada

This is the first in our series on the privacy promises we can expect from a Liberal minority government.

(From Innovation, Science and Economic Development Canada’s ‘Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information and Protection of Electronic Documents Act.) 

1. Meaningful Consent

One of the commitments to increase the powers of the Privacy Commissioner of Canada concerns their ability to determine what type of consent needs to be generated with individuals when personal information is being collected by organizations.

While the Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to notify individuals of the purposes of the collection, use, or disclosure of personal information, further clarifications are necessary in order to determine what constitutes meaningful consent

Canada’s Digital Charter proposes increasing the powers of the Privacy Commissioner of Canada in order to realize and enforce the enhanced consent requirements that are necessary to achieve meaningful consent.  

With funding from the Office of the Privacy Commissioner of Canada, BC FIPA is holding a Design Jam in Ottawa on March 5th and 6th that explores meaningful consent and connected devices.

2. Fining Powers

The Privacy Commissioner of Canada is somewhat limited in their ability enforce privacy laws. They are able to conduct investigations, make recommendations, expose non-compliant organizations in the public interest, and pursue recourse in the Federal court—but are not able to issue fines against offending organizations.

Recently, we’ve seen two highly publicized examples that highlight the need for the Privacy Commissioner to be able to issue fines. The first, is the investigation into Facebook’s compliance with the Personal Information Protection and Electronic Documents Act, which found that Facebook violated the consent provisions in the Act when disclosing personal information to third-parties. In this case, Facebook did not comply with the investigation and the Privacy Commissioner has stated his intention to sue the company in federal court.

The second example is the joint investigation between the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for BC (OIPC BC) into the conduct of a company called AggregateIQ. Once again, the investigation found that the company violated both federal and provincial privacy laws in their business operations. Despite this, the OPC and OIPC BC are unable to issue fines for non-compliance. However, unlike Facebook, AggregateIQ has demonstrated an interest in becoming compliant.

Canada’s Digital Charter proposes financial consequences for organizations that are non-compliant with PIPEDA. This follows the order-making powers that several provincial privacy commissioners already have, that the European Union’s General Data Protection Regulations created in their Information Commissioner’s Office, and that the United States’ Federal Trade Commission has used.

This new fining power will help to deter the kinds of high-profile incidents involving breaches of personal information we have seen occurring over the last several years.

3. Cessation and Records Preservation Orders

Under PIPEDA, the Privacy Commissioner of Canada already has investigatory powers. They are able to compel evidence, administer oaths, enter premises, examine documents, and interview witnesses. Canada’s Digital Charter propose amendments to PIPEDA in order to increase the Commissioner’s ability to initiate an investigation and to create order-making power in the form of cessation and records preservation orders.

The cessation and records preservation orders will allow the Commissioner to preserve records during the course of an investigation and to stop non-compliant organizations from further harming individuals through the non-compliant collection, use, and disclosure of their personal information.

4. Privacy Research

Lastly, Canada’s Digital Charter proposes that the Privacy Commissioner of Canada be able to conduct research into privacy themes in order to provide clarity on emerging issues.

FIPA is hiring a new Executive Director!

The BC Freedom of Information and Privacy Association is looking for a new Executive Director.

Our current Executive Director, Sara Neuert, will be leaving FIPA at the end of October, and FIPA is looking for a passionate, knowledgeable leader who is looking to make a difference in the world of information and privacy rights.

The organization

The BC Freedom of Information and Privacy Association (BC FIPA) is a non-partisan, non-profit society that was established a quarter century ago to promote and defend freedom of information and privacy rights in Canada. Our goal is to empower citizens by increasing their access to information and their control over their own personal information.  We serve a wide variety of individuals and organizations through programs of public education, public assistance, research, and law reform advocacy.

The position

The Executive Director reports to and advises the FIPA Board of Directors, and currently oversees one full-time staff, occasional part-time staff, volunteers, and contractors.  This position is accountable for the leadership of the organization, and for the communication and expansion of the organization’s messages and values.

Primary responsibilities include, but are not limited to, the following:

Governance and leadership

  • Work with the Board to ensure the Association’s vision, mission, and strategic priorities remain current;
  • Work collaboratively with partner organizations at local, provincial and national levels;
  • Support the Board by organizing and attending meetings, and advising the Board on all relevant issues.

Research, client assistance, and law reform

  • Plan, coordinate and supervise public interest advocacy campaigns, and special events;
  • Provide direct assistance to FIPA clients on issues related to information and privacy rights;
  • Propose, plan, and manage special projects, including law reform initiatives, that contribute to the Association’s goals;
  • Conduct research on topics related to the Association’s mandate, and direct staff and contract researchers.

Operational planning, management, and reporting

  • Conduct organizational and strategic planning in conjunction with the Board of Directors;
  • Ensure legal requirements under the Societies Act are fulfilled;
  • Direct FIPA day-to-day operations in conjunction with the Program Director;
  • Supervise all financial operations;
  • Prepare annual and ad hoc reports for FIPA’s major funders.

Human resources planning

  • Recruit and direct staff, volunteers, and contractors, including pro bono lawyers;
  • Determine staff requirements.

Fundraising

  • Responsible for the overall diversification of funding and resource development;
  • Oversee all fundraising activities, including grant application, donation and membership drives, and special events;
  • Ensure grant proposals, applications, and reports are completed and submitted on time.

Communications, stakeholder and member relations

  • Coordinate and conduct communications and relations with government, media, other stakeholders, and community groups;
  • Act as the main spokesperson for the Association, including by responding to media requests for comment and by preparing written material that presents the position of the Association;
  • Seek out and build collaborative initiatives and relationships with stakeholder organizations;
  • Supervise preparation of promotional and information materials;
  • Attend stakeholder events, representing the Association’s interests and priorities;
  • Supervise all FIPA communications content, including web and social media, a quarterly bulletin, press releases, and other publications.

The candidate

The successful candidate will not only have the expertise and experience to manage and expand a non-profit group dedicated to civil liberties issues, but will also have the entrepreneurial bent and the positive, enthusiastic attitude necessary to help FIPA grow.

Qualifications

You are an excellent leader who can organize and supervise a team, work with a board of directors, Association members, and partners, build and contribute to coalitions of allies, and communicate with a range of audiences and stakeholders.  You are a creative and critical thinker who can follow through on a strategic plan while responding to emerging issues.  You are keenly interested in information and privacy rights, and you are familiar with current issues in these fields. You understand how these issues connect to broader debates about civil liberties, human rights, and democratic institutions.  You possess a strong working understanding of the laws and policies that govern privacy rights and freedom of information, especially in BC, and you have experience using the law strategically, either as a lawyer or with substantial experience working with the tools of the Canadian legal system.

You will possess:

  • Demonstrated successful management experience in the non-profit sector, including experience in fundraising
  • A proven track record in communications and advocacy in the non-profit sector
  • Excellent analytical, problem-solving, and organizational abilities
  • Experience and competence in research and writing
  • Professional capability with computers and electronic communications
  • A law degree and / or a graduate degree in social sciences, communications, or another relevant discipline.

Working conditions

This is a full-time position based out of our office in Vancouver, B.C. Some travel required, possibly to Ottawa and/or Victoria.

BC FIPA is an equal opportunity employer and encourages women, Indigenous people, people of colour, and LGBTQIA and individuals from other diverse communities to apply.

Information and instructions for applicants

Individuals interested in this opportunity are asked to submit an e-mail outlining their interest in the position, with two attached files consisting separately of a cover letter and resume.  Please include your name and the phrase “Application for Executive Director” in the subject line of the e-mail and send to BC FIPA at search@fipa.bc.ca.

No phone calls please.  For questions about the position, please email FIPA President, Mike Larsen, at mike@fipa.bc.ca

All attached files must be in PDF format only; other formats will not be accepted or considered.  Files must not be locked or password protected, nor should they contain any hyperlinks.  We will not consider any materials which require us to use a hyperlink to access.

Please note that only short-listed applicants will be contacted.

Application Submission and Candidate Selection Timelines

BC FIPA is striving to have the Executive Director position filled by mid- to late October.  The position will remain open until a suitable candidate is hired.  Interested parties are strongly encouraged to submit their application as soon as possible.

Additional Information Regarding Candidate Selection

Short-listed applicants should be prepared to participate in further interviews with members of the Selection Committee, either in person or via teleconference.  Short-listed applicants should also be prepared to provide additional materials to the selection committee such as:

  • A sample of communications based on scenarios specified by the Selection Committee
  • An example of communications work with respect to policy or advocacy in previous positions
  • Names and contact details of at least three qualified professional references

2019 Update to ‘The Connected Car’

Cover of the Connected Car update for 2019

This report updates FIPA’s 2015 ground-breaking report, The Connected Car: Who is in the Driver’s Seat? As may be expected, there have been major developments both in technology and policy since our first Connected Car report.

Technology that was once exclusively available in high end vehicles has become commonplace. According to one estimate, 98 per cent of vehicles in North America and Europe will be connected by 2021. Car companies are constantly seeking new ways to profit from the collection of data taken from their vehicles, often in partnership with large technology companies like Apple and Google.

Cover of the Connected Car update for 2019

As technology advances, there have been more studies undertaken on what these changes mean for privacy rights. There have been pushes for stronger and more comprehensive legislative activity. Perhaps the most significant legislative change to date is the General Data Protection Regulation in the European Union. Other jurisdictions have also been mooting improved legislation as well as codes or standards to govern particular sectors of the economy or society, including Canada.

The privacy policies of the various car companies have also changed since 2015, generally for the better. One major improvement over what we found in 2015 was that with two exceptions, companies selling connected cars in Canada had their privacy policies available on their Canadian websites.

This allowed us to do a comparison of the privacy policies of the various companies (Original Equipment Manufacturers or OEMs) selling large numbers of cars and trucks in Canada (more than 1000 sales per annum).
We reviewed the privacy policies of 36 different vehicle brands of manufacturers from all over the world. The scope of the research focused on the policies’ treatment of protected data, the openness and accountability of protected data, the accountability to third party processors, whether the policy recognizes the right of access for an individual to his or her own data, the accuracy and security of the data, the purpose specification and notice of changes, the limitations of the use, collection and retention of data, and the types of consent mechanisms that are being used by the manufacturers. In addition, we considered if there are any options for the individual to opt-out. We compared our findings to our 2015 findings in our original Connected Car report to see what had changed.

We found that OEMs’ terms of service and privacy policies respecting connected car services showed significant improvement over 2015. Still these policies are still inadequate when compared to all major data protection principles and requirements under Canadian data protection law.

Although some manufacturers have made an effort to be specific about their uses of personal data and to explain their policies more clearly, key elements of OEM policies are still often unclear or expressed in very broad language. The worst examples are the very broad purposes OEMs continue to provide for collecting, using and sharing personal information, sometimes alongside specifics and sometimes not. While there is now a wider disparity among OEMs in terms of the adequacy of their connected car privacy policies, certain gaps and problems remain across the board.

In light of these shortcomings, and the federal Privacy Commissioner’s repeated statements that he has not received a complaint about this issue, we have decided to remedy this situation. A complaint to Commissioner Therrien is attached to this report, and we hope it will give him the opportunity to bring clarity in an authoritative ruling on this issue.

Download the resource.

For more than twenty years, the B.C. Freedom of Information and Privacy Association has relied on the support of our community to provide resources, educational programming, and one-on-one advice. By making a contribution to the Association in exchange for this resource, you’re helping us provide another two decades of service to Canadians and supporting more publications like this in the future. There is no minimum donation amount. Every bit helps.

Click here to make a donation. We hope you consider supporting the Associations.

Let us know what you think: If you have comments, questions, or concerns about the report, please send them to FIPA at fipa@fipa.bc.ca or tweet to us @BCFIPA.