Data Privacy and PIPEDA - 2018 in Review
December 13, 2018
It has been a tumultuous year in the world of data protection and privacy and, given that it affects the legal rights and obligations of consumers and businesses alike, it may be worth reviewing where 2018 took us and what that means for the future.
For well over a decade, there has been a gold rush on mining the personal information of just about anyone and everyone. In “Manhattan for beads” type arrangements, consumers have been willing to forgo privacy and provide all forms of personal data in trade for technology-based products and services. It was well understood and predicted that this would happen, and it happened because, over time, both technologists and the business community began to understand the true value of data, and the information derived from it. They also had ever more powerful technical means to collect, analyze and store that data. The consumer, in general, had neither the understanding nor the means to evaluate the broad consequences or the overall outcomes of their individual actions.
Fast forward to 2018, and the data rights and personal privacy boat has finally started to right itself. The desire for privacy and personal data protection is starting to gain significant momentum. News regarding the use of data in election interference, Facebook’s Cambridge Analytica scandal, governments’ investigations into the practices of social media companies, the increase in data breaches and the implementation of the GDPR (General Data Protection Regulation) in Europe have all contributed to growing public awareness and concern related to data and privacy. The reality, however, is that the constant and accelerating pace of technology and the inherent value of data will always present a challenge to those attempting to adopt and evolve legislation to protect that data and the privacy of the individual.
In Canada, there are three core pieces of legislation that focus on general data privacy and its protections:
1. The Personal Information Protection and Electronic Documents Act (“PIPEDA”): This is the federal legislation that sets the rules for how private sector organizations collect, use and disclose personal information in the course of commercial business.
2. The Privacy Act: This is the federal legislation that governs how federal government institutions collect, use and disclose personal information of individuals and federal employees.
3. Provincial Legislation: Several jurisdictions have enacted provincial legislation that has been deemed similar to PIPEDA and that governs specific data and privacy matters in those provincial jurisdictions.
As well, the Office of the Privacy Commissioner of Canada (OPC) provides information and advice regarding the protection of personal information and has some rule setting and enforcement capability.
Timeline - 2018 in Review
- Late February 2018 - The Standing Committee on Access to Information, Privacy and Ethics (ETHI) undertakes a review of PIPEDA and tables a report entitled “Privacy by Design”. The report called for a significant update to PIPEDA and made 19 recommendations that focused on a broad range of key topics including the strengthening of consent rules for the use of personal data, the right to withdraw consent and the “right to be forgotten”.
- Mid-March 2018 - The Privacy Commissioner opens a Facebook investigation regarding alleged unauthorized access and use of Facebook user profiles.
- Mid-April 2018 - The government announces regulations that would implement mandatory data breach reporting under PIPEDA. These rules require organizations to report to the OPC any security breach posing a “real risk of significant harm” and to notify the affected individuals.
- Late May 2018 - The Privacy Commissioner issues two guidance documents focused on helping organizations understand how to obtain meaningful consent and giving them an overview of inappropriate data practices.
- Late May 2018 - On May 25 the GDPR comes into effect in Europe. These regulations, even though they are European regulations, cast a wide net. In Canada they apply to any organization that offers goods and services to EU residents. These new regulations affect Canadians in two broad and significant ways. The first is the need for compliance and synchronization with these regulations. This includes the transference of data, consent obligations, data portability, the right to erasure, data breach reporting and handling of employee data. The second is that the GDPR sets an important new standard in the world for privacy and data protection, one that other countries have impetus and incentive to consider and possibly adopt.
- Mid-June 2018 - The government provides an official response to the ETHI committee report of the PIPEDA review. The response is generally supportive on some issues and agrees that changes to PIPEDA are required. However, it remains noncommittal and hesitant on other key issues. The response addresses several specific recommendations made in the review regarding consent, online reputation, enforcement powers of the OPC and the impact of the GDPR.
- Mid-June 2018 - The government launches national consultations on digital and data transformations in Canada. While it is a multifaceted conversation, one important aspect focuses directly on how to ensure that Canadians have trust and confidence in how their data is used.
- September 2018 - The Privacy Commissioner releases the 2017-2018 Annual Report to Parliament on PIPEDA and the Privacy Act. The report focuses on the significant challenges and risks still facing Canadians in regard to privacy and data protection and the work that still needs to be accomplished. It strongly urges action on many fronts.
- Early September 2018 - The Privacy Commissioner, in a news conference, denounces the slow progress of fixing outdated privacy laws in Canada.
- Mid-October 2018 - The OPC seeks a Federal Court determination on the issue of Canadian citizens’ online reputations. Specifically, it pertains to the Google search results returned in response to a person's name.
- Early November 2018 - The mandatory breach notification regulations under PIPEDA (mentioned above) come into effect on November 1, 2018.
Legislators are continually faced with reaching a complex balance between the positive and negative consequences, to the individual and society, of the sharing of personal data and information. Each of the elements listed above is significant in itself in reaching that balance, but the overall trend is becoming clear. The determination of what and how things are done with an individual's data, and who owns that data, belongs in the hands of the individual.
About the Author: Connor is an associate practicing in the Regina office.
About McKercher LLP: McKercher LLP is one of Saskatchewan’s oldest, largest law firms with offices in Saskatoon and Regina. Our deep roots and client-first philosophy have made our firm rank in the top 5 in Saskatchewan by Canadian Lawyer magazine (2017). Integrity, experience and capacity provide innovative solutions for our clients’ diverse legal issues and complex business transactions. This post is for information purposes only and should not be taken as legal opinions on any specific facts or circumstances. Counsel should be consulted concerning your own situation and any specific legal questions you may have.