Skip to content Skip to main menu Skip to utility menu
Privacy by Design: Recommendations to Update PIPEDA and Improve the Privacy of Canadians

Privacy by Design: Recommendations to Update PIPEDA and Improve the Privacy of Canadians

March 2, 2018

The House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) this week tabled the results of its study of the Personal Information Protection and Electronic Documents Act (PIPEDA). The report—Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act—makes 19 recommendations to update the act and to take measures to the protection of Canadians’ privacy in their relation with private sector organizations.

Recommendations

Recommendation 1 on the principle of consent:
That consent remain the core element of the privacy regime, but that it be enhanced and clarified by additional means, when possible or necessary.

Recommendation 2 on opt-in consent by default:
That the Government of Canada propose amendments to the Personal Information Protection and Electronic Documents Act to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose.

Recommendation 3 on algorithmic transparency:
That the Government of Canada consider implementing measures to improve algorithmic transparency.

Recommendation 4 on the revocation of consent:
That the Government of Canada study the issue of revocation of consent in order to clarify the form of revocation required and its legal and practical implications.

Recommendation 5 on the Regulations Specifying Publicly Available Information:
That the Government of Canada modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral.

Recommendation 6 on legitimate business interests:
That the Government of Canada consider amending the Personal Information Protection and Electronic Documents Act in order to clarify the terms under which personal information can be used to satisfy legitimate business interests.

Recommendation 7 on depersonalized data:
That the Government of Canada examine the best ways of protecting depersonalized data.

Recommendation 8 on financial crimes:
a) That paragraph 7(3)(d.2) of the Personal Information Protection and Electronic Documents Act be amended to replace the term “fraud” with “financial crime.”

b) That the definition of “financial crime” in the Act include:

  • fraud;
  • criminal activity and any predicate offence related to money laundering and terrorist financing;
  • all criminal offences committed against financial service providers, their customers or their employees;
  • the contravention of laws of foreign jurisdictions, including those relating to money laundering and terrorist financing.

Recommendation 9 on specific rules of consent for minors:
That the Government of Canada consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information.

Recommendation 10 on data portability:
That the Government of Canada amend the Personal Information Protection and Electronic Documents Act to provide for a right to data portability.

Recommendation 11 on the right to erasure:
That the Government of Canada consider including in the Personal Information Protection and Electronic Documents Act a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down.

Recommendation 12 on the right to de-indexing:
That the Government of Canada consider including a framework for the right to de-indexing in the Personal Information Protection and Electronic Documents Act and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors.

Recommendation 13 on the destruction of personal information:
That the Government of Canada consider amending the Personal Information Protection and Electronic Documents Act to strengthen and clarify organizations’ obligations with respect to the destruction of personal information.

Recommendation 14 on privacy by design:
That the Personal Information Protection and Electronic Documents Act be amended to make privacy by design a central principle and to include the seven foundational principles of this concept, where possible.

Recommendation 15 on the Privacy Commissioner’s enforcement powers:
That the Personal Information Protection and Electronic Documents Act be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.

Recommendation 16 on the Privacy Commissioner’s audit powers:
That the Personal Information Protection and Electronic Documents Act be amended to give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate.

Recommendation 17 on the criteria to determine the adequacy status of the Personal Information Protection and Electronic Documents Act under the General Data Protection Regulation:
That the Government of Canada work with its European Union counterparts to determine what would constitute adequacy status for the Personal Information Protection and Electronic Documents Act in the context of the new General Data Protection Regulation.

Recommendation 18 on legislative amendments required to maintain the adequacy status:
a) That the Government of Canada determine what, if any, changes to the Personal Information Protection and Electronic Documents Act will be required in order to maintain its adequacy status under the General Data Protection Regulation; and

b) That, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European Union.

Recommendation 19 on the collaboration with provinces and territories:
That the Government of Canada work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the European Union.

Standing Committee on Access to Information, Privacy and Ethics Publishes Report on the Personal Information Protection and Electronic Documents Act

Ottawa, February 28, 2018 – Today, Bob Zimmer, MP and Chair of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, tabled in the House of Commons a report entitled “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act“.

The Committee’s report makes 19 recommendations to update the Personal Information Protection and Electronic Documents Act (PIPEDA) and to take other measures to improve the protection of Canadians’ privacy in their relation with private sector organizations. One key recommendation is to make privacy by design a central tenet of PIPEDA and to include the seven foundational principles of this concept in the Act.

The Committee also recommends amending PIPEDA to provide the Privacy Commissioner with enforcement powers – such as the power to make orders and impose fines for non-compliance – as well as broad audit powers, including the ability to choose which complaints to investigate.

The other recommendations of the Committee ask the Government of Canada to:

  • ensure that consent remains the core element of the privacy regime, while enhancing and clarifying it by additional means, when possible or necessary;
  • propose amendments to PIPEDA to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, with a view to also implementing a default opt-in system regardless of purpose;
  • consider implementing measures to improve algorithmic transparency;
  • study the issue of revocation of consent in order to clarify the form of revocation required and its legal and practical implications;
  • modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral;
  • consider amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests;
  • examine the best ways of protecting depersonalized data;
  • consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information;
  • amend PIPEDA to provide for a right to data portability;
  • consider including in PIPEDA a framework for a right to erasure based on the model developed by the European Union (EU) that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;
  • consider including a framework for the right to de-indexing in PIPEDA and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors;
  • consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information;
  • work with its EU counterparts to determine what would constitute adequacy status for PIPEDA in the context of the new General Data Protection Regulation(GDPR);
  • determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR; and, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, create mechanisms to allow for the seamless transfer of data between Canada and the EU;
  • work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the EU; and
  • amend PIPEDA to replace the term “fraud” with “financial crime” (and propose a definition for that term).

“This Committee has listened to a variety of witnesses from a large cross-section of Canadians with regards to protecting their privacy. We are deeply concerned with the rights and protections of all Canadians and I believe that the report tabled today highlights the concerns that we have for the future and the necessary updates to the Personal Information Protection and Electronic Documents Act” said Bob Zimmer, Chair of the Committee.

“Our laws should empower Canadian consumers to control their own personal information, and empower the Privacy Commissioner to better protect that information. Privacy should be the default in commercial relationships, Canadians should have the right to easily move their own personal information between competing businesses, and the Commissioner should have the ability to make orders and issue fines” said Nathaniel Erskine-Smith, Vice-Chair of the Committee.

“I am happy to sign on to this report with my colleagues, and believe that it contains excellent ideas for protecting Canadians’ privacy” said Charlie Angus, Vice-Chair of the Committee.

The Committee held 16 public meetings as part of this study and heard from 68 witnesses, including privacy experts and representatives from the government and private sector organizations. The Committee also received 12 briefs on this topic. The witness testimony heard by the Committee and the briefs submitted are available on the Parliament of Canada’s website: (ourcommons.ca/Committees/en/ETHI).

The Standing Committee on Access to Information, Privacy and Ethics has 11 members. It is chaired by Bob Zimmer (Prince George–Peace River–Northern Rockies), with vice-chairs Nathaniel Erskine-Smith (Beaches–East York) and Charlie Angus (Timmins–James Bay). The other members are Frank Baylis (Pierrefonds–Dollard), Mona Fortier (Ottawa–Vanier), Jacques Gourde (Lévis–Lotbinière), the Honourable Peter Kent (Thornhill), Joyce Murray (Vancouver Quadra, Parliamentary Secretary – non-voting member), Michel Picard (Montarville), Raj Saini (Kitchener Centre), and Anita Vandenbeld (Ottawa West–Nepean).

(Via House of Commons Standing Committee on Access to Information, Privacy and Ethics)

Share

Leave a comment