The privacy law regime in Canada affects any organization whose business involves dealing with the personal information of Canadians. Canada’s main private sector privacy legislation is the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to private sector enterprises in connection with commercial activity within a province of Canada, except in Alberta, British Columbia and Quebec, where substantially similar provincial privacy legislation is in place. PIPEDA applies as well to cross-border collections, uses and disclosures of personal information in connection with commercial activity. Personal information data transfers across Canadian provincial and territorial boundaries within the country itself and across Canada’s national border are equally covered by PIPEDA. PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC).
On March 21, 2017, senior representatives of the OPC met with privacy practitioners in Toronto to provide updates on policy, legal, compliance and enforcement activities of the OPC. The information disseminated at this annual meeting is important to all businesses collecting personal information of Canadians for two reasons:
- The information highlights what the OPC believes to be its most significant actions from the prior year; and
- The information signals the policy and enforcement priorities of the OPC for the current year.
This alert summarizes three of the significant topics addressed by the OPC of concern to businesses whose operations involve the collection, use or disclosure of personal information of Canadians.
Policy update – the consent conundrum
Canada’s privacy regime is underpinned by the concept of consent. In order to collect, use or disclose personal information in Canada, one needs to obtain the consent of the individual or, alternatively, base the activity on a statutory exemption to the consent requirement.
In 2016, the OPC published a discussion paper on the problems with and possible solutions to the concept of consent in today’s digital economy – an economy in which no one has the time or inclination to read (let alone understand) lengthy online privacy policies.
The OPC put forth four possible solutions for discussion by stakeholders:
- Enhancing informed consent through more user-friendly ways of explaining information management practices and of expressing privacy preferences;
- Alternative solutions that might introduce certain limited permissible uses without consent or certain prohibited uses;
- Stronger accountability mechanisms for organizations to demonstrate compliance with their current legal obligations;
- New accountability mechanisms that introduce broader notions of fairness and ethics in the assessment of permissible uses as a supplement to, or substitute for, traditional informed consent; and
- Strengthening regulatory oversight to ensure that proposed solutions are effective in protecting privacy.
The OPC has published on its website 51 formal representations by businesses, industry associations and consumers’ groups on these issues. Consultation is now closed.
The OPC has advised that it is now formulating its formal policy position on the future of the consent model in Canada and will release its policy position in mid-2017. This OPC Position Paper will be a must-read for organizations that collect, use or disclose Canadian personal information in the course of their business activities. It is anticipated that the Position Paper will put in place important guideposts for businesses, especially those operating in the e-commerce space.
Enforcement update – extra-territorial application of PIPEDA
In 2015, the OPC investigated a complaint against a foreign-based organization that was copying and republishing Canadian administrative and judicial decisions on its website. In 2016, the OPC published findings that the collection, use and disclosure of personal information of Canadians by the organization was not for “an appropriate purpose”, as defined and required by PIPEDA.
After the OPC published its findings, the complainant brought an application to the Federal Court of Canada for remedies, which included enjoining the business from continuing its republication activities and damages. The application was granted.
For present purposes, it is not the particular facts of the case that are worthy of note but the nature and reach of the Court’s decision. The Federal Court found that PIPEDA has extra-territorial application to a foreign-based organization. While this is not the first extra-territorial application of PIPEDA, Canadian courts have been traditionally hesitant to impose injunctive relief against a foreign organization. In this case, the Federal Court specifically ordered the foreign organization to remove its republications and refrain from further republications, in addition to $5000 in damages. Further, the evidence in this case revealed that the foreign jurisdiction’s privacy protection official had also found the organization to be in violation of its local laws. Accordingly, it was likely that the complainant would have cooperation from the foreign authorities to enforce the Canadian judgment in the foreign jurisdiction.
This extra-territorial imposition of injunctive relief to vindicate Canadian privacy rights has reinforced the OPC’s powers to regulate the privacy of Canadians world-wide. It is anticipated that 2017 will bring further such extra-territorial enforcement actions, and organizations who deal with Canadian personal information, even if they have no physical presence in Canada, should take notice.
Compliance update – flexible use of compliance agreements
The use of compliance agreements to bring an end to investigations and guide the ongoing behaviour of organizations is not new in regulated industries in Canada, but 2016 saw the OPC use this tool for the first time. The OPC has even appointed a dedicated individual within its organization to specifically monitor performance of organizations subject to such agreements.
In addition to bringing an end to protracted proceedings, the OPC views compliance agreements as a valuable tool for organizations. Such agreements are said to demonstrate an organization’s commitment to Canadian privacy values, which might be a competitive advantage in facilitating public trust, and may in fact signal to complainants that bringing court proceedings against an organization is not worth the effort. That is, if an organization continues to abide by the compliance agreement, one might query whether a court would find it necessary to make an award in favour of an individual complainant.
The OPC has signaled to the market that it will apply compliance agreements flexibly, even in circumstances where an investigation has not yet taken place. We can expect many organizations to take advantage of this important tool to avoid or end investigations and to stave off court proceedings.