Submission to the OPC’s Consultation on Consent under PIPEDA (IAB Canada)
Interactive Advertising Bureau of Canada
Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.
Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
There is an increasingly active discourse and growing recognition in the Canadian privacy arena of the legal and practical challenges posed by a statutory consent requirement in the evolving data environment (as well articulated in the OPC’s Consent and Privacy Discussion Paper). Despite these challenges, PIPEDA’s framework continues to work as an elegant and effective model for organizations to respectfully treat personal information in the course of developing and offering highly innovative and valuable services, products, and features.
The lasting success of PIPEDA in this regard—and the reason why PIPEDA can continue to help foster innovation—is largely grounded within the following key features of its statutory framework: (i) PIPEDA balances the interests of individuals and organizations; (ii) PIPEDA’s rules are drafted in principles-based, technologically neutral fashion; and (iii) PIPEDA’s accountability model.
PIPEDA’s current consent requirement is—and can continue to be—a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today’s data environment. In many technological contexts (including for “Big Data” processing), the consent principles can continue to serve as an authority for the processing of personal information by using a flexible, pragmatic, and common sense approach to the application of the Act.
The Discussion Paper sets out a number of possible solutions to the challenges that the data environment poses for PIPEDA’s consent requirement. Most of these can be accommodated and operationalized under PIPEDA’s current legislative framework (with no statutory amendment), but ideally with the assistance of guidance issued by your Office and provincial privacy regulatory authorities.
Certain of the challenges considered in the Discussion Paper can also be addressed by surgically amending PIPEDA to expand the circumstances in which organizations would have the authority under the Act to collect, use, or disclose personal information without consent, including in particular the addition of an exception to consent for “legitimate interests” (as discussed in the Discussion Paper). With careful drafting, and informed stakeholder input, exceptions to consent for the processing of personal information can be crafted in a manner fully consistent with the spirit and intent of the Act.
A summary of our comments on various other solutions set out in the Discussion Paper includes the following:
- There is no need to establish “no go zones” or “proceed with caution zones” for certain types of personal information processing, as PIPEDA’s existing holistic framework serves to protect privacy interests in all circumstances where such a zone may be contemplated.
- The processing of de-identified data is now commonly used as a means for organizations to leverage the potential of their data holdings for innovation in a manner that safeguards and otherwise respects the privacy interests of individuals. De-identification of personal information can serve to materially limit (if not virtually eliminate) the risk and impact to an individual. There is no need under PIPEDA (or otherwise) to impose an additional requirement for consent for the collection, use, and disclosure of de-identified data, and a consent requirement for the processing of non-identifiable data would have unnecessary, and potentially severe, adverse consequences for innovation.
- An assessment process that considers the ethical impact of data processing activities can serve to enhance an organization’s privacy management program and compliance with its accountability obligations under PIPEDA, including by providing a framework for establishing that the purpose and nature of a personal information processing activity is reasonable, legitimate, and appropriate.
- PIPEDA currently provides the OPC with a suite of powers to enforce compliance with the Act. By actively using these enforcement powers, the OPC has been successful in carrying out its statutory mandate under PIPEDA and is now highly respected across the global privacy arena. The OPC does not require additional powers to oversee compliance or enforce any of the proposed solutions set out in the Discussion Paper.
Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.
The Interactive Advertising Bureau of Canada (“IAB Canada”) welcomes the opportunity to respond to the call for submissions to your Office regarding the viability of the consent model under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
IAB Canada fully supports the efforts of your Office to consider how PIPEDA’s consent (and other) requirements can be improved to enable organizations to provide innovative forms of value in the emerging data environment while, at the same time, respecting the privacy interests of individuals.
We believe that an informed, structured multi-stakeholder dialogue is critically important to practically address the challenges raised by your Office in Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act [Footnote 1] (the “Discussion Paper”), and we welcome—and look forward to actively participating in—the consultation process initiated by your Office.
This submission consists of the following:
- Background information about IAB Canada;
- A comment on how PIPEDA’s current framework is well-suited for innovation in the evolving data environment;
- A comment on the viability of PIPEDA’s current consent requirement; and
- Comments on various potential solutions set out in the Discussion Paper.
1. IAB Canada - Background
IAB Canada is a not-for-profit association exclusively dedicated to the development and promotion of the rapidly growing digital marketing and advertising sector in Canada.
IAB Canada represents over 250 of Canada's most well-known and respected stakeholders in the digital advertising and marketing sector, including advertisers, agencies, media companies, digital publishers, social media platforms, ad networks, data companies, mobile and video game marketers and developers, measurement companies, service providers, educational institutions, and government associations operating within the space. Our members include numerous small and medium sized enterprises.
Companies in the digital advertising and marketing sector offer a wide range of highly innovative products and services, including valuable service offerings to individual Canadians. This sector is intensely competitive, and the long-term success of our members is fundamentally predicated on their ability to continually design, develop, offer, and improve valuable digital products and services.
Our members are “data companies”. The products and services offered by our members inherently require the processing of data, and often this data includes personal information. Our members recognize that their long-term success as commercial enterprises requires the respectful treatment of personal information in their custody and control, which includes complying with PIPEDA and other applicable privacy legislation. It is for this reason that we are welcoming the OPC’s consultation effort to consider how PIPEDA can be improved in a manner that addresses the interests of stakeholders across the innovative Canadian data arena, including the individuals who benefit from our members’ digital product and service offerings, as well as the companies involved in the development and provision of such products and services.
2. PIPEDA’s Framework is Well-Suited for Innovation
While it is clear (as well articulated in the Discussion Paper) that there are certain challenges in applying PIPEDA’s consent (and other fair information practice) principles in the emerging data environment, it is equally clear that overall PIPEDA’s framework has worked—and continues to work—as an elegant and effective model for organizations to respectfully treat personal information in the course of developing and offering highly innovative and valuable services, products, and features.
In our view, the lasting success of PIPEDA in this regard—and the reason why PIPEDA can continue to help foster innovation—is largely grounded within the following key features of its statutory framework:
(i) PIPEDA balances the interests of individuals and organizations;
(ii) PIPEDA’s rules are drafted in principles-based, technologically neutral fashion; and
(iii) PIPEDA’s accountability model.
A brief description of each of these features of PIPEDA is set out below.
(i) Balancing of Interests
Canadians benefit from the value offered by the vast array of innovative service and product offerings, and the increasingly tailored and personalized nature of such offerings. This is particularly the case in the online and mobile space, where the availability of an explosive volume of products, services, and features has been fueled by stunning innovation and the economic model of the digital advertising and marketing ecosystem.
In the course of the design, development, offering, and marketing and advertising of these products and services, organizations often need to collect, use, analyze, and share certain personal information. Simply put, the processing of personal information has become an inherent part of innovation and the exchange of value. At the same time, to maintain and enhance the trust of individuals in today’s data environment, it is important for organizations to be respectful of the personal information in their custody and control.
PIPEDA’s statutory framework expressly recognizes the balancing of interests that is required for innovation in today’s digital economy. The statute sets out rules for organizations to protect the privacy of individuals, but it does so with an express recognition of the increasing need for organizations to process personal information in a rapidly evolving data environment. This balance is struck in the Purpose section of PIPEDA, which provides:
- The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
While PIPEDA came into force in 2001, the balance of interests within PIPEDA’s Purpose section continues to be wholly relevant today, and provides a helpful prism through which the Act’s consent and other requirements must be interpreted and applied. As stated by the Federal Court of Appeal,[Footnote 2]
“There are … two competing interests within the purpose of the PIPED Act: an individual’s right to privacy on the one hand, and the commercial need for access to personal information on the other. However, there is also an express recognition, by the use of the words “reasonable purpose,” “appropriate” and “in the circumstances” (repeated in subsection 5(3)), that the right of privacy is not absolute.”
. . .
“All of this to say that, even though Part 1 and Schedule 1 of the Act purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the Court must strike a balance between two competing interests. . . [F]lexibility, common sense and pragmatism will best guide the Court.”
(ii) Principles Based Framework
One of the main reasons PIPEDA remains effective today is because it was drafted in a technologically neutral and sectoral-agnostic fashion.
PIPEDA's consent and other rules are mainly set out in plain language as broad principles, and therefore can be applied to any new technology, new application, or new ecosystem that involves the processing of personal information, including the digital advertising and marketing ecosystem.
It is precisely because PIPEDA does not focus on any particular type of technology or sector that it is so well-suited to address the seemingly novel privacy considerations that may be raised by new technological developments.
It is important that PIPEDA remains drafted in a technologically neutral manner, and without regard to industry sector or particular activity, or type of data element. Given the increasingly rapid pace of technological innovation, any statutory requirement that is drafted to focus on a certain data element, technology, process, or ecosystem risks being obsolete or out of date soon after it comes into force.
(iii) Accountability Framework
PIPEDA is often referred to as a “consent-based” statute, and (as stated in the Discussion Paper) the consent requirement is broadly considered to be the “cornerstone” of the Act.
In practice, however, the most powerful feature of PIPEDA is its accountability model. Under PIPEDA’s accountability principle, organizations are responsible for personal information in their custody and control,[Footnote 3] and organizations must implement policies and procedures designed to ensure compliance with the Act’s rules that govern the entire life cycle of the organization’s personal information processing.[Footnote 4]
Compliance with PIPEDA’s accountability principle and, more broadly, the respectful treatment of personal information requires organizations to implement privacy management programs that address the full life cycle of their personal information processing. As stated by your Office, privacy management programs help “promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organizations.” [Footnote 5]
PIPEDA’s accountability model is elegant and effective. The accountability principle holds organizations responsible for their personal information practices, and does so in a non-prescriptive manner that affords organizations the flexibility to tailor, adapt, and refine their privacy programs in a practical manner that is suitable to the industry sector, size of the organization, the nature of a given organization’s personal information practices, and an organization’s evolving commercial needs. Moreover, to bolster their efforts to comply with the accountability principle, organizations can choose to participate in self-regulatory regimes (such as the Digital Advertising Alliance of Canada’s self-regulatory program for online behavioural advertising, as discussed in more detail below), agree to adhere to codes of conduct, and/or align or supplement their privacy programs with industry standards or evolving approaches to the assessment of data practices (such as ethical assessments, as discussed below).
For the purposes of this consultation, it is important to frame PIPEDA’s consent requirement as being just one part of an organization’s broader obligations under the Act’s accountability principle. Under PIPEDA, an organization may not collect, use, or disclose personal information in the course of its commercial activities unless it has the authority under the Act to do so. The authority to collect, use, or disclose personal information may be obtained via consent,[Footnote 6] or a prescribed exception to consent.[Footnote 7] Practically, the substantive focus of privacy management programs (and an organization’s focus on the respectful treatment of data) relates mostly to an organization’s personal information practices after authority for personal information processing (whether consent or otherwise) has been obtained.[Footnote 8]
Viewed through this practical lens, and especially given the array of challenges to consent (as articulated in the Discussion Paper), it may be more accurate—and more helpful in the long term—to consider the concept of “accountability” (not consent) as being the “cornerstone” of the Act.
3. The Viability of PIPEDA’s Consent Requirement
There is an increasingly active discourse and growing recognition in the global privacy arena of the legal and practical challenges posed by a statutory consent requirement in the evolving data environment. These challenges are well articulated in the Discussion Paper. However, despite these challenges, it is important to highlight that in many contexts, PIPEDA’s current consent requirement is—and can continue to be—a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today’s data environment.
As noted above, the core elements of PIPEDA’s consent requirement—as contained in Principle 4.3 of Schedule 1 to PIPEDA and the new Section 6.1 of the Act—are set out in a principles-based, technologically neutral fashion. In many technological contexts, the consent principles, in their current form, can continue to serve as an authority for the processing of personal information by using a flexible, pragmatic, and common sense approach.[Footnote 9]
Viability of Implied Consent for Online Behavioural Advertising
A prime example of the viability of PIPEDA’s current consent requirement within a complex data ecosystem is in the context of the collection and use of personal information for the purposes of online behavioural advertising. Your Office has published Guidelines on Privacy and Online Behavioural Advertising [Footnote 10] (“OBA Guidance”) which provides that (among other things) organizations would be permitted under PIPEDA to process personal information for online behavioural advertising purposes with the implied consent of individuals, provided certain conditions are satisfied.[Footnote 11] The OBA Guidance draws upon and incorporates earlier guidance issued by the OPC, in which your Office sets out the conditions for a valid implied (opt-out) consent under PIPEDA.[Footnote 12]
Based in large part on the OBA Guidance, the Digital Advertising Alliance of Canada, a not-for-profit organization and consortium comprised of IAB Canada and 7 other leading national advertising and marketing trade associations, developed and launched AdChoices, the Canadian Self-Regulatory Program for Online Behavioural Advertising. The AdChoices program is designed to provide consumers with transparency and control over interest-based ads, and is used by participating organizations in Canada to help them comply with PIPEDA’s consent and other requirements.
The AdChoices program requires participating organizations to adhere to the Canadian Self-Regulatory Principles of Online Behavioural Advertising, which were drafted expressly to align with PIPEDA’s consent, notice, and accountability principles, and the OBA Guidance. Dozens of key players in the online advertising ecosystem [Footnote 13] have signed up for the DAAC’s AdChoices program, all with a view of helping enhance their respective compliance with PIPEDA and, overall, to enhance the trust of all stakeholders in the Canadian digital advertising arena.
Viability of Consent for Big Data Processing: Principle 4.3.3
PIPEDA’s consent requirements also establish a helpful framework for the processing of personal information that may be involved in the data analytics or “Big Data” context.
The concept of data analytics is not new. Data analysis is an inherent part of research and development. But the concept of Big Data processing typically refers to new analytical methods applied to large, unstructured data sets, and is a critical part of many companies’ innovation processes, including in the digital advertising and marketing sector. The insights derived from “Big Data” analytics now being conducted by companies are leading to a profound and unprecedented level of benefits and improvements in process efficiency and convenience, and an array of new product and service offerings and features.
PIPEDA’s consent provisions helpfully contemplate circumstances where organizations must process personal information in connection with providing a product or service offering, such as the case where data analytics is being conducted for research and development or required as part of the product and service offering.
Principle 4.3.3 of PIPEDA’s consent principle provides as follows:
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.
This consent provision embodies PIPEDA’s balancing of interests by expressly recognizing that certain types of personal information processing—such as the case with data analytics—may be inherently required for the provision of a product or service, while at the same time ensuring that privacy interests of individuals are respected with the inclusion of specific conditions that must be satisfied.
Specifically, under Principle 4.3.3, organizations can require an individual to consent—within the terms and conditions for the provision of the product or service—to certain types of data processing (such as data analytics) provided that (i) the organization complies with the transparency and data minimization requirements contained within the provision (both of which requirements are consistent with other PIPEDA requirements [Footnote 14]), and (ii) the collection, use and disclosure in question is done for “legitimate purposes”.
Notably, the phrase “legitimate purposes” is not defined in the statute, though presumably it is informed by Section 5(3) of PIPEDA, which provides that organizations may only collect, use and disclose personal information for a purpose that a reasonable person would consider appropriate, and by the balancing of interests within Section 3 of PIPEDA. Without question, as a general proposition, a reasonable person would consider it to be an entirely appropriate and legitimate purpose for companies to engage in data analytics. And organizations could bolster their ability to maintain that particular types of Big Data processing of personal information are “reasonable”, “legitimate,” and “appropriate” (and their ability to rely on Principle 4.3.3) by conducting such activities within their privacy management programs, including conducting appropriate assessments of the particular data practices involved.
4. Comments on various potential solutions set out in the Discussion Paper
Solutions within Current Legislative Model
The Discussion Paper sets out a number of possible solutions to the challenges that the data environment poses for PIPEDA’s consent requirement. As discussed above, we are of the view that PIPEDA’s current consent requirement is—and can continue to be—a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today’s data environment.
Notably, no amendments to PIPEDA are required in order to “enhance” consent (or otherwise address challenges) through various solutions proposed in the Discussion Paper, such as the suggested approaches to transparency,[Footnote 15] consent management,[Footnote 16] and de-identification of personal information,[Footnote 17] and the means to enhance privacy governance (i.e. incorporating “privacy by design” principles,[Footnote 18] adopting or adhering to codes of conduct or self-regulatory programs,[Footnote 19] and the use of ethical frameworks to help assess the impact of data processing [Footnote 20]).
All of the above listed solutions can be accommodated and operationalized under PIPEDA’s current legislative framework, ideally with the assistance of guidance issued by your Office and provincial privacy regulatory authorities. By way of example, with respect to transparency, we refer to the guidance documents issued by your Office setting out suggested evolving industry approaches for enhancing the effectiveness of notice under PIPEDA in the online and app contexts.[Footnote 21] Regulatory guidance is most valuable when it is developed collaboratively and informed with multi-stakeholder input.
While PIPEDA’s framework remains viable, it is critically important to ensure that PIPEDA—in the long-term—is able to address the challenges to the consent model articulated in the Discussion Paper, as these challenges may become more acute with increasingly complex data ecosystems. PIPEDA will impede innovation if companies do not have certainty regarding the legal viability of the authority under PIPEDA to process personal information. And any lack of certainty will erode trust among stakeholders within the broader privacy arena.
Certain of the challenges considered in the Discussion Paper can be addressed by surgically amending PIPEDA to expand the circumstances in which organizations would have the authority under the Act to collect, use, or disclose personal information without consent. This can be achieved in a manner fully consistent with the spirit and intent of the Act. Indeed, the privacy interests of individuals are not adversely impacted when an organization relies upon one of the suite of current exceptions to consent provisions under PIPEDA (or other provincial private sector privacy statutes). The current statutory exceptions to consent consist of a list of circumstances where the process of obtaining consent of an individual is impractical, unnecessary, or otherwise not appropriate. To rely on an exception to consent, organizations still have to comply with the technical parameters of the particular exception to consent provision.[Footnote 22] Moreover, when an organization collects, uses, or discloses personal information in reliance upon an exception to consent authority, the organization still must comply with PIPEDA’s other requirements that serve to regulate that organization’s personal information processing.[Footnote 23]
The following is a brief list of amendments to PIPEDA that, if appropriately drafted, could address the range of challenges raised in the Discussion Paper in a manner that balances the interests of all stakeholders:[Footnote 24]
- Exception for Legitimate Interests – IAB Canada agrees with the Discussion Paper statement that broadening the permissible grounds under PIPEDA to include legitimate business interests (subject to a balancing test) is a helpful solution to address the challenges to PIPEDA’s consent model, especially in highly complex ecosystems such as the Internet of Things. Such an exception could be informed by guidance issued by your Office that would address the meaning and scope of the phrase “legitimate business interests”, the key elements of the “balancing test” that would ensure privacy interests are appropriately addressed, and the practical steps for organizations to consider to help ensure their privacy management programs govern the scope of personal information processing in reliance upon the exception. Incorporating ethical assessments (as outlined in the Discussion Paper) into a privacy management program may be one means for an organization to maintain that a given type of personal information falls within the scope of the legitimate interests of the organization, and in a manner that appropriately balances and addresses privacy interests.
- Exception for Analytics and Research – Section 7(2)(c) of PIPEDA currently permits organizations in the private sector to use data for statistical, and scholarly study or research, where it is impracticable to obtain consent and the organization informs the OPC.[Footnote 25] On its face, organizations may be able to rely upon this exception to consent in its current form for authority for certain types of data analytic activities. To provide more legal certainty, it would be helpful to expand this provision to expressly contemplate data analytics processing. Moreover, as a practical benefit to all stakeholders, the current requirement to proactively notify the OPC of the use of personal information in question could be replaced with another mechanism, such as the organization notifying the OPC that it has established a privacy management program consistent with the OPC’s publicly stated expectations, which applies to the type or class of data analytics in question.
- Publicly Available Information – PIPEDA contains exceptions to consent for the collection, use, and disclosure of certain prescribed classes of publicly available information.[Footnote 26] The regulations specifying the classes of publicly available information came into force in 2001, and have remained unamended. The wording in some of the prescribed classes of publicly available information is dated and is becoming less relevant.[Footnote 27] Through a structured, multi-stakeholder dialogue, these provisions could be appropriately updated and expanded to take into account the realities and reasonable expectations of individuals and the legitimate interests of organizations, with respect to the evolving types of publicly available information within the current data environment.
Additional Comments on Proposed Solutions in Discussion Paper
This section sets out additional comments on various other solutions proposed in the Discussion Paper.
No-Go Zones Not Required
We recommend strongly against any amendment to PIPEDA that would establish “no go zones” (i.e. a complete prohibition on certain types of personal information processing), or any so-called “proceed with caution zones” (i.e. additional substantive or procedural requirements as a pre-condition to certain personal information processing). Statutory amendments to PIPEDA of this nature are not required. PIPEDA’s existing holistic framework serves to protect privacy interests in all circumstances where a “no go” or “proceed with caution” zone may be contemplated. And practically, given the increasingly rapid pace of technological innovation, any statutory requirement that is drafted focusing on a certain data element, technology, process, or ecosystem risks being obsolete or out of date, and may have unintended adverse consequences, soon after it comes into force.
The Discussion Paper considers the de-identification of personal information as a potential solution to the challenges within the next data environment, and raises the question as to whether consent should be required for the collection, use and disclosure of de-identified data.
The process of de-identifying or obfuscating data is widely used by organizations to help safeguard the personal information in their custody and control. PIPEDA does not require an organization to obtain consent in order to implement these, or other safeguarding or risk mitigating measures. Moreover, once personal information is de-identified, it may practically be non-identifiable, thus rendering the data outside the scope of PIPEDA (including PIPEDA’s consent requirements).
The processing of de-identified data is now commonly used as a means for organizations to leverage the potential of their data holdings for innovation in a manner that respects the privacy interests of individuals. De-identification of personal information can serve to materially limit (if not virtually eliminate) the risk and impact to an individual. There is no need to impose an additional requirement for consent for the collection, use, and disclosure of de-identified data, and a consent requirement for the processing of de-identified data would have unnecessary, and potentially severe, adverse consequences for innovation.
To remove any legal uncertainty regarding the authority under PIPEDA to process de-identified data, and consistent with the legislative approach under provincial health privacy statutes, Footnote 28 we recommend that PIPEDA be amended to clarify and expressly authorize organizations to de-identify personal information without the necessity of consent. And consistent with the approach taken in the Ontario health privacy arena, stakeholders would be best served with guidance to assist organizations with the continually evolving industry standards for effective de-identification processes.Footnote 29
The Discussion Paper includes an excellent discussion about the potential role of ethical assessments to balance the legitimate needs of organizations with the privacy interests of individuals.
An assessment process that considers the ethical impact of data processing activities can be a helpful part of an organization’s efforts to respectfully treat data in their custody and control, specifically by providing an organization with a framework for establishing that the purpose and nature of a personal information processing activity is “reasonable”, “legitimate” and “appropriate”.
Notably, the type of ethical assessment process described in the Discussion Paper, in particular the framework being developed by the Information Accountability Foundation (IAF), is broader in scope than the typical privacy impact assessment process. For instance, the IAF framework involves a consideration of data (including personal information), so aspects of this type of process assess data in aggregate, non-identifiable form and, therefore, are outside the scope of PIPEDA. But to the extent an ethical assessment process can be used to consider and appropriately mitigate the impact of a personal information practice, such a process could presumably supplement (or be woven into) the organization’s privacy impact assessment process. In this regard, ethical assessment processes would serve to enhance an organization’s privacy management program and compliance with its accountability obligations under PIPEDA.
No Necessity for Additional OPC Enforcement Powers
PIPEDA currently provides the OPC with a suite of powers to enforce compliance with the Act. These include the power to investigate complaints,Footnote 30 self-initiate an investigation,Footnote 31 commence an audit,Footnote 32 compel production of information,Footnote 33 summon witnesses,Footnote 34 enter premises,Footnote 35 publicly name organizations,Footnote 36 enter into compliance agreements,Footnote 37 and issue fines with respect to contraventions of the pending security breach notification requirements.Footnote 38 The OPC also has discretion to enter into information sharing arrangements with its foreign counterparts for, among other things, enforcement purposes.Footnote 39
Given PIPEDA’s balancing of interests framework, a remarkable feature of PIPEDA’s enforcement regime is that the statute does not include an express right for organizations to challenge the OPC’s exercise of its enforcement powers. For instance, organizations have no express right under the statute to refer a subject matter of complaint to the Federal Court, nor is there a process within PIPEDA for organizations to challenge a determination by the OPC that a given incident gives rise to a “real risk of significant harm” to affected individuals,Footnote 40 or a fine levied by the OPC in connection therewith.Footnote 41
In any event, the OPC does not require additional powers to oversee compliance or enforce any of the proposed solutions set out in the Discussion Paper. There do not appear to be compelling examples illustrating precisely why the existing arsenal of OPC powers is insufficient. On the contrary, to date, the OPC has been remarkably successful in carrying out its statutory mandate under PIPEDA. The OPC has been highly respected in the international privacy arena for years, and as a direct result of the OPC's enforcement activities, Canada is now regarded as one of the leading jurisdictions globally exploring privacy issues associated with new technologies.
It is critically important to meaningfully preserve PIPEDA’s “balancing of interests” framework. Any enhancement of OPC enforcement power needs to be thoughtfully considered through this lens, and requires a thorough, multi-stakeholder consultation.
Thank you again for the opportunity to respond to the Discussion Paper. IAB Canada looks forward to participating in the forthcoming consultation.
Submitted on behalf of IAB Canada by: