The Office of the Privacy Commissioner of Canada released its annual report Thursday. It reports on that office’s work for the period from April 1, 2016, to March 31, 2017, and it covers work concluded under both the Privacy Act and the Personal Information Protection and Electronic Documents Act.
While there are several take-aways within the weighty document, some of the more noteworthy items for the Canadian privacy professional are:
- Commissioner Daniel Therrien is now making an explicit request that the law be changed to provide him with order-making powers and the power to levy administrative monetary penalties. Citing other jurisdictions as examples, the OPC is now saying that these added enforcement tools are necessary to restore the public’s confidence in Canada’s privacy regime. Not surprisingly, business representatives had made submissions to the OPC to the effect that such powers were not necessary but, in the end, with 92 percent of Canadians expressing concern about their privacy rights being inadequately protected, the OPC says it is now time to move away from the ombuds model.
- The annual report, as well as investigatory findings, contains the full report on the OPC’s study on the role of consent in our private sector privacy law. There are a number of things that will come about from this study, the least of which is the request for order-making powers mentioned above. However, we will also see a fair amount more guidance from that office with promises to provide advice on at least 30 topics ranging from big data to smart homes, connected cars and biometrics.
- The consent report also examines the problems associated with long, complicated and confusing privacy statements. To this end, the OPC is promising to release further guidance on online consent that will specify four key elements that must be highlighted in privacy notices and explained in a user-friendly way. The four elements are:
  - What personal information is being collected?
  - Who is it being shared with?
  - For what purpose is information being collected, used or shared (including an explanation of purposes that are not integral to the service)?
  - What is the risk of harm to the individual, if any?
The first three elements have arguably always been necessary. What is new, and what will require a lot of new drafting, is the last bullet.
With respect to obtaining consent from younger people, the OPC has taken the occasion to make their position more prescriptive than ever. They state: “Our position in all but exceptional cases is that consent for the collection, use and disclosure of personal information of children under 13 must be obtained from parents or guardians. For youth aged 13–18, consent can only be considered meaningful if organizations have adapted their consent processes to take into account the level of maturity of their users.”
Another area where the OPC is now prepared to provide concrete examples is with respect to so-called “no-go” zones. These are practices where personal information is collected, used or disclosed in a way where it will always be deemed to be unreasonable — regardless of whether or not the organization has some form of consent. The OPC stated: “We will draft and consult on new guidance that will explicitly describe some instances where collection, use or disclosure of personal information is prohibited. Examples include: situations that are known or likely to cause significant harm to an individual, profiling individuals in a way that leads to unfair, unethical or discriminatory treatment, or publishing personal information with the intended purpose of charging individuals to pay for its removal.”
Order-making powers and the power to levy administrative penalties are not the only tools the OPC is asking for from Parliament. In addition, the OPC wants to be able to proactively require organizations to demonstrate accountability. The “compliance reviews” would be required of any organization based simply on the OPC requesting one. In other words, the threshold now used for Commissioner-initiated complaints would not need to be met before the OPC came looking for evidence of compliance.
On the public sector side of things, the OPC once again called for the modernization of the Privacy Act. There are too many recommendations to note here, but some of the more noteworthy ones include:
- Amending the Privacy Act to make it clear that information can only be collected by the government when it is necessary to do so for a legitimate operating program or activity (as it currently stands, the government can collect so long as the personal information relates to a program or activity).
- Amending the Privacy Act to include a legal requirement to conduct privacy impact assessments.
Time will tell if Parliament and the government respond to this annual report. However, and the annual report is silent on this, not modernizing Canada’s privacy laws with some of the recommendations being made could leave Canada’s status as an adequate country in doubt. Of course, this adequacy concept comes from the EU and if Canada does lose this standing, trade and information flow with Europe will be severely restricted.