Within a generation we have seen an explosion of innovation, bringing enormous benefit, but also new challenges. The digital revolution has transformed how we conduct science, make decisions, and interact with each other. In a survey prepared for the Office of the Privacy Commissioner of Canada, most Canadians reported that they are concerned about how their online personal information could be used by organizations.
This concern is not surprising considering the sheer amount of information that is harvested from every device, website, application, and cup of coffee we make. Unless you are a diehard video nut still holding onto a 12-year-old dumb plasma TV, you probably own a Smart TV and are completely unaware of the information it harvests. This blog will provide an overview of Canada’s current privacy legislation and provide some resources regarding its future overhaul.
There are two laws that govern privacy in Canada: the Privacy Act, which covers how the federal government handles personal information, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers how businesses handle personal information. It is important to note that Alberta, British Columbia, and Quebec have their own private sector privacy laws; however, they are substantially similar to PIPEDA. Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have additional health-related privacy laws that are substantially similar to PIPEDA.
PIPEDA outlines 10 fair information principles that businesses must follow to protect personal information. Among the ten principles are:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure and Retention of Personal Information
- Individual Access
- Challenging Compliance
On the surface, the principles provide common sense guidance on a business’ compliance responsibilities. However, interpreting the law itself is problematic, so much so that legal experts have commented on the lack of clarity in the legislation. Teresa Scassa provides a great overview of some of the challenges with PIPEDA in its current state. In the legislation’s 20-year history, despite some cases going to federal court, no fines have been issued against businesses that have failed to comply with the legislation. Currently, if a business makes reasonable attempts to secure personal information in alignment with the ten principles, it will likely not face any major liabilities under the current legislation (based on my non-legal professional interpretation).
In 2015, PIPEDA was amended to clarify that consent is valid only if it is reasonable to expect that an individual “would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting.” This appears to push the onus onto organizations to ensure they have communicated their practices effectively. Yet this has proven to be wishful thinking: the statute lacks the enforcement mechanisms that might make a real difference in encouraging meaningful legal compliance.
On May 25th, 2018, the European Union passed the General Data Protection Regulation (GDPR), a modern piece of legislation that sets guidelines for the collection and processing of personal information, with a strong emphasis on asking for permission and giving the user control over their data. Roughly 275 million euros’ worth of fines have been issued, with the largest going to Google at 50 million euros. With the potential for large fines, an entire cottage industry has sprung up providing compliance and advisory services.
Both the Privacy Act and PIPEDA are under review, and the Government is soliciting feedback from Canadians. A survey can be found at the link here. A week prior to this blog’s publication, on February 14th, a live consultation was held, and interested Canadians can see the results here. With efforts to modernize the laws, the core areas of discussion are:
- Enhanced consent
- Form of consent
- Simplified privacy policies
- Technological solutions
- Privacy by design and privacy by default
- No-go zones
- Legitimate interests
Privacy is likely to remain a hot topic for the foreseeable future. Although new legislation currently seems to be some years away from becoming law, it would be prudent to spend resources exploring the touch points in your organization that would be affected by legislation like the GDPR. A little investment now will pay dividends in the future, as the initial groundwork will already have been laid.