This is the first in our series on the privacy promises we can expect from a Liberal minority government.
(From Innovation, Science and Economic Development Canada’s ‘Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information and Protection of Electronic Documents Act’.)
One of the commitments to increase the powers of the Privacy Commissioner of Canada concerns their ability to determine what type of consent needs to be generated with individuals when personal information is being collected by organizations.
While the Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to notify individuals of the purposes of the collection, use, or disclosure of personal information, further clarifications are necessary in order to determine what constitutes meaningful consent.
Canada’s Digital Charter proposes increasing the powers of the Privacy Commissioner of Canada in order to realize and enforce the enhanced consent requirements that are necessary to achieve meaningful consent.
With funding from the Office of the Privacy Commissioner of Canada, BC FIPA is holding a Design Jam in Ottawa on March 5th and 6th that explores meaningful consent and connected devices.
The Privacy Commissioner of Canada is somewhat limited in their ability enforce privacy laws. They are able to conduct investigations, make recommendations, expose non-compliant organizations in the public interest, and pursue recourse in the Federal court—but are not able to issue fines against offending organizations.
Recently, we’ve seen two highly publicized examples that highlight the need for the Privacy Commissioner to be able to issue fines. The first, is the investigation into Facebook’s compliance with the Personal Information Protection and Electronic Documents Act, which found that Facebook violated the consent provisions in the Act when disclosing personal information to third-parties. In this case, Facebook did not comply with the investigation and the Privacy Commissioner has stated his intention to sue the company in federal court.
The second example is the joint investigation between the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for BC (OIPC BC) into the conduct of a company called AggregateIQ. Once again, the investigation found that the company violated both federal and provincial privacy laws in their business operations. Despite this, the OPC and OIPC BC are unable to issue fines for non-compliance. However, unlike Facebook, AggregateIQ has demonstrated an interest in becoming compliant.
Canada’s Digital Charter proposes financial consequences for organizations that are non-compliant with PIPEDA. This follows the order-making powers that several provincial privacy commissioners already have, that the European Union’s General Data Protection Regulations created in their Information Commissioner’s Office, and that the United States’ Federal Trade Commission has used.
This new fining power will help to deter the kinds of high-profile incidents involving breaches of personal information we have seen occurring over the last several years.
Under PIPEDA, the Privacy Commissioner of Canada already has investigatory powers. They are able to compel evidence, administer oaths, enter premises, examine documents, and interview witnesses. Canada’s Digital Charter propose amendments to PIPEDA in order to increase the Commissioner’s ability to initiate an investigation and to create order-making power in the form of cessation and records preservation orders.
The cessation and records preservation orders will allow the Commissioner to preserve records during the course of an investigation and to stop non-compliant organizations from further harming individuals through the non-compliant collection, use, and disclosure of their personal information.
Lastly, Canada’s Digital Charter proposes that the Privacy Commissioner of Canada be able to conduct research into privacy themes in order to provide clarity on emerging issues.