Canada’s Personal Information Protection and Electronic Documents Act went into effect in 2000. On Oct. 4, the International Technology Association of Canada and Information Technology Industry Council published a paper suggesting changes to PIPEDA that would include greater privacy and transparency rights for Canadian citizens. These changes have been proposed, no doubt, due to the wave of privacy and security breaches that have occurred recently. Here is what the proposed changes to the law entail.

Enhancing individual control

The first of the proposed changes is an emphasis on individual control. It outlines the current PIPEDA model that allows a company to obtain consent from a customer before acquiring their information. However, that approach, like the agreements and terms of service no one reads, has become obsolete and dated. Therefore, a new approach is needed.

This new approach needs to take into account human behavior. It’s unrealistic to think that a single person can or will read a 50-page document before clicking “agree.” Also, it’s almost impossible that customers know which organizations are tracking their data. They don’t even know the purpose for which it is happening.

Organizations and companies have also implemented the utilization of personal information that doesn’t harm individuals in any way. These practices are not generally subject to revocable consent. That needs to be recognized. This will provide great transparency to customers and give them better control over their information.

Consent needs to be recognized as one of many legal bases for processing personal information. This approach should model itself after the EU General Data Protection Regulation, which went into force in May 2018.

Adding exceptions for business practices

In the interests of bettering innovation and encouraging business, certain exceptions should be added to consent. For example, deidentified data could be excluded from the definition of personal information. This could be deemed a standard business practice within the new authority for processing information.

This won’t diminish privacy protections and will encourage businesses all the same. Additional legislation can be crafted to address harms or risks. This would achieve a lot of the key objectives of modernizing PIPEDA. These would include:

• Facilitating more meaningful control to individuals through consent requirements.
• Aligning PIPEDA with international privacy policies.
• Enabling responsible innovation.
• Reducing regulatory burdens and compliance costs on businesses.

Transparency

PIPEDA should emphasize that businesses communicate with customers to let them make more informed choices. They should be made to disclose crucial information that would otherwise influence the choice of customers to buy their products. However, businesses should be allowed to choose how they do this. Hence, they would demonstrate compliance, yet still, market their products the way they want to.

Data mobility

Individuals should be given the right to have their data moved from and to any organization in a standard digital format. However, this should be done in a way that is consistent with PIPEDA’s original standards.

Any provisions that address data mobility should be very specifically defined so that they apply when feasible. An individual should be allowed to access their data when they choose to transfer it to another organization. This should be the standard until authentication, security and technical problems are sorted out on an international scale.

Other points outlined include:

• The exclusion of third-party information where it would adversely affect the rights of third parties.
• Exclusion of deidentified data.
• Exclusion of call-notes and complaints.
• Avoiding rules that are not neutral to the technology and business sector.
• Taking into account the barriers to data mobility rules when it comes to startups and small businesses.

Online reputation

Much like the GDPR, the modernization of PIPEDA should include a provision that removes personal information completely. Citizens should be informed their data can be deleted upon their request,  especially minors. Minors should face very few exceptions.

All individuals should be provided with the explicit right to request the deletion of information about them. However, some exceptions should be made. A key point here is to require companies to communicate changes to other companies if any data is to be changed.

This would ensure that different companies would have similar or identical records that don’t conflict with each other. This would allow for the same information to be accessed and deleted for the individual. Also, all data should have clear retention periods defined.

The paper also recognizes that this would introduce compliance challenges for companies, as well as create interoperability challenges. It would entail great complexity and inflexibility if there was a blanket right to the deletion of all information, as well.

The focus should be on information that is online and accessible to others, where continued availability negatively impacts a citizen. Any exemptions should be categorized specifically where organizations have legitimate reasons to keep the data. In this case, hiding the data from public view rather than erasing it would be sufficient.

These changes would not only help the individual take greater control of their data, but also help businesses innovate. These restrictions and challenges would help businesses work in a more restrictive environment so that they’d be forced to innovate. However, this innovation would entail better security greater freedom and privacy protections for the citizens of Canada. 

Photo by James Beheshti on Unsplash