Recently, I asked four Canadian experts what they thought the Canadian government could learn from the GDPR when considering policy options for the future of the Personal Information Protection and Electronic Documents Act. There was broad consensus that the government should not be obsessed about maintaining Canada’s “adequacy” status under the GDPR’s essential equivalency rules. Certainly, Canada should look to the international stage. However, Canada should take a more organic approach based on its own values and its global trading relationships.
The experts I spoke with also saw concepts in the GDPR that were naturally complementary to PIPEDA. Concepts like “accountability” and “privacy by design” could, and perhaps should, be given prominence in legislative amendments to PIPEDA. Although the federal government has signaled that consent will remain a central component of PIPEDA, the experts I spoke with would caution the government against placing outdated reliance on consent or making consent overly prescriptive. Canada could learn from the other bases of processing included in the GDPR such as “legitimate business interests” and “performance of a contract."
Should we care about adequacy?
Canada’s adequacy status facilitates the transfer of personal data from the European Economic Area to Canada in a broad set of commercial circumstances. In the government’s response to the House of Commons Standing Committee on Access to Information, Privacy and Ethics on the modernization of PIPEDA, the government stated that it is “working closely with the European Commission to understand the requirements for maintaining Canada’s adequacy standing under the EU GDPR.”
Chantal Bernier, the former Interim Privacy Commissioner of Canada and counsel at Dentons Canada LLP, has said that the “adequacy” ruling is a competitive advantage for Canada. On the other hand, there is no hard evidence that Canada’s experience being “adequate” under the former Data Protection Directive had any material advantage for Canada. Moreover, Canada's largest trading partner in the EU is the U.K. The United Kingdom will be leaving the EU in March 2019.
So, should Canada care about adequacy?
Imran Ahmad, a partner at Miller Thomson LLP and the leader of that firm’s Cybersecurity and Privacy law practice, believes that Canada has no choice but to look to the GDPR. Ahmad believes that developments such as the GDPR and the new California Consumer Privacy Act of 2018 demonstrate that there is an emerging global consensus. Ahmad agrees that Canada should develop its own path forward, but he says, “We need to think it through longer than the next three or four years." He argues that “we shouldn’t do the minimum,” or we will be revising the law again.
“Adequacy, but not at all costs,” is Karen Burke’s message. Burke is the chief privacy officer at Bank of Montreal. She agrees that Canada will need to look to the GDPR, but cautions against simply importing GDPR concepts to Canada.
David Elder, chair of the Communications Group at Stikeman Elliott LLP, agrees, noting that “PIPEDA already covers a lot of what is in the GDPR, but in a more flexible way.”
Kirsten Thompson, National Lead of the Transformative Technologies and Data Strategy group for Dentons Canada LLP, says that the government should be clear on its objective. She argues that we should assess amendments to PIPEDA based on whether they keep the law “modern, adaptable and realistic” rather than on whether the law is the same as the GDPR. She says she “is hopeful that the government will take a more thoughtful approach so that PIPEDA is integrated in the world but responsive to the needs and interests of individual Canadians and also to Canadian businesses.”
In fact, there is a question of whether the GDPR is materially better than PIPEDA. Neither Burke nor Elder is convinced at this point that individuals are materially better protected under the GDPR than in Canada under PIPEDA in their day-to-day interactions with organizations. The GDPR cannot be ignored and minimizing friction in data transfers is a worthwhile government objective. However, the government should look at substantive outcomes for individual Canadians and businesses, rather than whether PIPEDA contains formally equivalent data subject rights.
Building a three-legged stool
If there is an organizing principle to PIPEDA, it might be the “appropriate purposes” principle in Subsection 5(3) of PIPEDA. This principle states that an “organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.” The government could enhance PIPEDA through adding two more legs to the stool, accountability and privacy by design, right at the outset of PIPEDA in order to develop broader organizing themes.
The GDPR’s accountability principle places emphasis on demonstrable compliance; that is, the accountability of an organization collecting and using personal information to demonstrate compliance with the GDPR through a mature compliance program. The focus on demonstrable compliance is not surprising to Thompson. She says there is an “increasing focus on evidence in the world of compliance.” Part of this is the ability to use technology to track the organization’s compliance activities.
PIPEDA already contains an accountability principle. In 2012, the Alberta and British Columbia Information and Privacy Commissioners, together with the Office of the Privacy Commissioner of Canada, drew greater attention to the “accountability” principle with their joint publication of “Getting Accountability Right with a Privacy Management Program.” One thing the government could consider is to place greater emphasis on accountability by bringing it forward into the body of the statute and placing more emphasis on accountability as an organizing principle and duty under PIPEDA.
Burke says one of the things about the GDPR that has been helpful is to bring the accountability principle right up front.
“It has made people mindful of the accountability point and made people think about creating an infrastructure,” she says.
In a way, accountability is foundational for developing a well-structured, privacy-protective set of institutional processes. However, Thompson cautions that accountability must be accompanied by clear regulatory guidance. She says that “businesses may think that they are being accountable, but, in the absence of a clear standard, they may not know what to do.” Similarly, without clarity, regulators may find it difficult to take enforcement action fairly and consistently against organizations.
Related to the accountability principle is “privacy by design." Elder says that “enshrining privacy by design into law is a good thing.” Features of privacy by design can be found within PIPEDA, but the central concepts are not explicit. As Elder noted, it's "hard to quarrel with" making privacy by design a central concept within Canadian privacy law. A principle of privacy by design would fit naturally with the principles of appropriateness and accountability.
A major concern of the privacy experts I spoke with is the potential for privacy laws to become too prescriptive and too dense to be accessible to non-specialists. With each successive amendment to PIPEDA, there is further danger of the government tampering with what made PIPEDA special.
One of the great strengths of PIPEDA is its accessibility. It is based on an industry code of conduct that was developed by stakeholder groups. Schedule 1 to PIPEDA contains the principles governing the collection, use, retention and disclosure of personal information. The schedule was originally a code of conduct developed by the Canadian Standards Association through a committee with representatives from government, consumer groups, unions and business groups. As a result, it is written in plain language rather than legalese.
“I love that about PIPEDA,” says Burke. “I can read it to clients and everyone can understand it.”
By contrast, the GDPR is densely drafted, requiring 173 recitals to expand and clarify the body of the regulation. Some of the provisions are very specific, such as those around obtaining consent. This approach may be unnecessarily complicated, particularly if the principle of appropriate purposes was twinned with a principle of privacy by design. An overemphasis on explicit consent with separate positive actions for collection and use of different types of data may only serve to breed consumer resentment that outweighs any substantive benefits.
Elder says that the Canadian approach to consent “has generally served us very well."
However, all agree that Canada might learn from some of the other legal bases for processing. For example, the Office of the Privacy Commissioner recently published commentary on “no-go” zones where organizations cannot rely on consent. “Why aren’t there ‘go-go’ zones?" asks Elder. Why are we inundating consumers with information about innocuous uses of data, such as the collection of contact information to send the consumer something they wanted? Burke notes we are "causing consumers more work, concern and agitation than is really required. Everyone knows when you purchase a car you are going to have certain checks. We are smacking people over the head and making people worry about ordinary things.”
Consent may not be the best basis for processing when dealing with innocuous uses that clearly meet the principles of appropriateness, privacy by design and accountability. Thompson says that consent is “ill-suited to the realities of commercial enterprises and the increasingly connected world in which consumers live.”
Ahmad argues that the Canadian government could learn from the GDPR and introduce legal bases for processing such as the performance of a contract in order to address the problem of putting too much weight on consent which only results in ever-lengthening privacy notices. Burke agrees, noting that the government must not lose sight of the costs of compliance for small- and medium-sized enterprises. Having complex rules relating to consent and then having to track that consent and keep records for innocuous data uses is overly burdensome for a very large sector of the Canadian economy.
Finally, Ahmad warns that we also cannot lose sight of our trading relationships. Canada is a relatively small economy and it's important not to raise the compliance costs to the point that it is not worthwhile for companies to do business with Canada. Ahmad says, “We need to keep the law flexible,” with the ability to scale the compliance burden to the size of the business.
Consultations are only beginning
The government has not set a firm timeline for amending PIPEDA. The good news is that it doesn’t seem like it is going to rush into making changes. Assuming Canada wishes to maintain its adequacy designation, the government noted that it does not believe it is necessary to adopt each of the data subject rights under the GDPR but instead focus on an overall assessment of essential equivalency.
Moreover, the government has not committed itself to any single approach. Instead, it has signaled that it will “engage Canadians in a conversation on how to make Canada a more data-savvy society.”
The government has indicated it is interested in how the law can facilitate private-sector innovation through the collection, use and sharing of personal information, while still being committed to protecting privacy as a value.