The Office of the Privacy Commissioner of Canada just published the 2018-2019 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act. Unlike other reports, this report’s focus was on privacy law reform. In fact, it is titled Privacy Law Reform – A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy.
The Annual Report is a must-read for everyone concerned about privacy, including members of the general public and organizations whose privacy practices and compliance burdens would be significantly affected if some or all of the proposals were accepted and enacted into law.
The report includes the following proposals for reform.
- That privacy be recognized as a fundamental human right.
- The principles underlying PIPEDA should be enlarged from the two existing principles “to implement the fundamental right to privacy of all persons in the commercial context through robust data protection that ensures that the processing of data is lawful, fair, proportional, transparent and accountable, and respects the fundamental rights and freedoms of individuals”.
- PIPEDA should be transformed from a consent-based to a consent and a “rights based” law. There would, for example, be a fundamental right to be free from “unjustified surveillance” by commercial entities. Use of technologies that are “incompatible” with “rights-based laws” “should not be permitted”.
- There should be additional exceptions to the consent principle for socially beneficial purposes, but before any such exception could be relied upon several prior conditions would have to be met including that: “it is necessary to use personal information; it is impracticable to obtain consent; pseudonymized data will be used to the extent possible; societal benefits clearly outweigh any privacy incursions; a privacy impact assessment (PIA) was conducted in advance; the organization has notified the OPC in advance; the organization has issued a public notice describing its practices; and individuals retain the right to object.”
- Public authorities including the OPC should have the right to prescribe “subsidiary binding rules” or “binding guidance through a succession of individual orders” giving effect to privacy principles in specific contexts.
- The OPC should be able to unilaterally initiate on demand proactive investigations to ensure “demonstrable accountability”.
- The OPC should have additional enforcement rights for “quick and effective remedies”.
Readers should carefully scrutinize the report and determine whether the proposals, individually or in the aggregate:
- Do not go far enough, strike the right balance, or would go too far in seeking to balance the importance of privacy with other considerations.
- Are both desirable and workable in practice.
- Put insufficient, appropriate, or too much jurisdiction in the OPC. For example, would it be appropriate for a single regulator to have the right to: unilaterally make binding rules (essentially creating new privacy laws or rules binding on specific sectors); compel organizations, on demand, to demonstrate compliance with privacy laws without any evidence of non-compliance; investigate alleged breaches of privacy laws; and make enforcement orders and fine alleged offenders?
The reform of Canada’s privacy laws is also the subject of ISED’s proposals to modernize PIPEDA reflected in Strengthening Privacy for the Digital Age (May 2019). The OPC’s Annual Report is a clear statement from the Commissioner as to how the OPC would like to reshape privacy law in Canada.
These proposals all deserve close scrutiny to ensure that our laws evolve in effective, principled, and workable ways.