The Standing Committee on Access to Information, Privacy and Ethics is ready to table its report following its months-long review of Canada’s Personal Information Protection and Electronic Documents Act. The committee adopted its report, entitled “Towards Privacy by Design: A Review of Personal Information Protection and Electronic Documents Act (PIPEDA),” on Feb. 13 and ordered that the chair of the committee table the report to the House of Commons. The House of Commons will resume sitting Feb. 26, and the report could be tabled soon afterwards.

What should we expect to see in the report? The title provides a clue to its major theme. We expect to see a recommendation that PIPEDA be amended to expressly require “privacy by design.” What will be interesting is whether the committee will recommend Parliament give the Office of the Privacy Commissioner teeth by providing it with order-making powers. The combination of “privacy by design” and “order-making” would bring PIPEDA a giant step toward substantive equivalency with the European Union’s General Data Protection Regulation. This would satisfy one of the goals of many privacy advocates: to ensure that Canada retains its adequacy designation when PIPEDA is reviewed by the EU against the GDPR once the GDPR goes into effect.

Privacy by design comes home

The concept of “privacy by design” can be traced back to the work of Ann Cavoukian when she was the Information Privacy Commissioner of Ontario. In its original form, privacy by design has seven foundational principles, including a proactive approach to embed privacy protective measures in design and to ensure that privacy is the default setting in systems.

The possibility that the committee will recommend legislating “privacy by design” would not be surprising. The committee heard from several witnesses who claimed that PIPEDA will be at risk of losing its “adequacy” designation when it is reviewed by the EU under the lens of the GDPR. These advocates cited “privacy by design” as a gap. Privacy by design is embedded in Article 25 of the GDPR. Article 25 requires data controllers to consider privacy impacts early in the design stage and to ensure that data minimization occurs. This may involve ensuring that user settings default to the minimum amount of data sharing necessary to provide the services requested by the individual. The organization should deploy pseudonymization and other techniques to limit the impact of the collection and use of personal information on an individual.

Although a comparison of PIPEDA with the GDPR was a consistent theme in the committee hearings, the committee had a special opportunity to hear directly from the data protection authority for the European Union institutions, bodies and agencies. On June 13, 2017, the committee held a special meeting to hear from Giovanni Buttarelli, the European Data Protection Supervisor. During his testimony, Buttarelli cited Article 25 of the GDPR as an important legislated addition to EU data protection law. He also noted that Canada’s Privacy Commissioner Daniel Therrien cited “privacy by design” as a key difference between the GDPR and PIPEDA. Moreover, throughout the committee’s hearings, Liberal Member of Parliament Raj Saini consistently asked witnesses whether it would be important to embed an express requirement for privacy by design in PIPEDA. Witnesses generally stated that an express legislative requirement would help.

Legislating privacy by design won’t be the committee’s only recommendation; however, it may be an organizing principle for several other possible recommendations. For example, the committee heard from many witnesses on the issue of children. Legislating an age for consent could be vulnerable to constitutional challenges, though, as impermissibly interfering in an area that is within provincial jurisdiction. Privacy by design could become a less constitutionally controversial method by which the federal government could require organizations to design online products and services to minimize data collection from children, to pseudonymize that data, and to delete it when it is no longer required.

If the committee does recommend legislating privacy by design and Canada’s federal government obliges, this would be a homecoming for this Canadian-made principle.

Order-making powers as a companion to privacy by design?

A recommendation that the OPC receive order-making powers seems very likely at this point. Currently, the OPC can make recommendations to an organization following an investigation or enter into a compliance agreement. The authority to enter into binding compliance agreements is relatively new. However, it is not yet clear what would motivate an organization to enter into a compliance agreement without the OPC having order-making powers. Currently, if an organization refuses to enter into a compliance agreement or abide by recommendations, the OPC would have to go to Federal Court. The OPC is not given deference before the Federal Court and would have to convince the Federal Court to come to the same conclusion as the OPC. This creates significant litigation risk for the OPC.

Many privacy advocates argued that the OPC requires order-making powers, as did former federal Privacy Commissioner Jennifer Stoddart in her testimony. For his part, Buttarelli commented that the Canadian “ombudsman approach seems to be much less effective” than the approach in Europe where most data protection authorities will likely have direct order-making powers. In Commissioner Therrien’s final appearance before the Committee, the Liberal Member of Parliament Nathaniel Erskine-Smith asked Therrien directly whether providing greater enforcement powers, particularly the power to make orders, would be “getting ahead of international practice.” Therrien was succinct in his response: “It is not at all getting ahead. We are behind, so it would be more consistent with what is becoming the norm.”

If PIPEDA is amended to require privacy by design and to provide the OPC with order-making powers, the OPC’s effectiveness in addressing systemic issues would be radically enhanced. Once armed with a legislative requirement to implement privacy by design, the OPC could investigate if it had a reason to believe that an organization was not implementing privacy as the default in its design of services. This may prove to be a more flexible basis to investigate systemic issues. The OPC could then directly order remediation.

A recommendation to give the OPC order-making powers would be contrary to the counsel of the Canadian Bar Association and most lawyers in private practice representing commercial organizations subject to PIPEDA. The CBA’s written submissions cautioned that conferring order-making powers on the OPC could result in a violation of the principles of fundamental justice. The OPC would be the investigator, the advocate and the decision-maker. Even if the OPC could be restructured to ensure separation of activities, the CBA argued this new power could have a “chilling effect” on open and cooperative dialogue. Instead, the CBA recommended that the prudent approach would be to wait for more experience with the new power to enter into binding compliance agreements.

Next Steps

As is customary, the committee has requested that the federal government table a comprehensive response to the report. The Liberal government has shown itself willing to grant the information commissioner order-making power. However, it also charged the Standing Committee on Industry, Science and Technology with a review of Canada’s Anti-Spam Legislation, which quickly escalated out of control amid what businesses have perceived to be disproportionately aggressive activity by the regulator. Order-making is not, therefore, an inevitable outcome.
