Statutory Review of the Personal Information Protection and Electronic Documents Act
Background Information on the OPC’s Consultation
November 27, 2006
The Office of the Privacy Commissioner of Canada (OPC) welcomes the mandatory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA took effect in a limited way as of January 1, 2001, and has been in full effect for almost three years. It has prompted a careful rebalancing of rights and responsibilities by strengthening one of the privacy underpinnings of a democratic society: the right to control what others can learn about us. Organizations’ awareness of the need to protect privacy has been building, and individuals are becoming empowered by the new rights at their disposal under PIPEDA.
Parliament responded to many privacy concerns as they related to commercial activities by enacting PIPEDA. PIPEDA was also the vehicle for Canada to provide a level of protection for personal information that would facilitate the flow of personal information from EU member states to Canada. The EU Data Protection Directive, adopted in 1995, introduced a requirement that member states allow transfers of personal information to a third country such as Canada only if the third country ensures an adequate level of protection for that information.
PIPEDA came into force in stages, beginning January 1, 2001. At that time, it covered personal information about customers that was collected, used or disclosed in the course of commercial activities by federal works, undertakings or businesses – organizations such as banks, airlines, and telecommunications companies. The personal information of employees of such federal works, undertakings or businesses was also covered. The Act was extended to cover personal health information for these organizations and activities in 2002.
PIPEDA was fully implemented by January 2004. As of 2004, under the trade and commerce power in section 91 of the Constitution Act, 1867, PIPEDA was extended to cover organizations engaged in commercial activities, including those that for other purposes are regulated by the provinces. PIPEDA therefore covers the retail sector, publishing and insurance companies, the service industry, manufacturers and other commercial activities, such as those in the health sector.
PIPEDA also gives individuals rights such as the right to obtain access and request correction of the personal information these organizations may have collected about them. The first level of oversight of the Act rests with the Privacy Commissioner of Canada, who is authorized to receive and investigate complaints.
PIPEDA was not, and does not pretend to be, the answer to all the privacy issues raised by the interactions of individuals with organizations engaged in commercial activities. Even within that field there are several instances where it does not apply. For example, PIPEDA does not apply to personal information about employees of organizations that are not federal works, undertakings or businesses.
PIPEDA has brought Canadians outside Quebec a comprehensive suite of informational privacy rights. (Quebec adopted its own private sector privacy legislation in 1994.) It has introduced a corresponding range of obligations for organizations that collect, use and disclose personal information. In the wake of PIPEDA, several provinces have moved to adopt their own laws, which were later declared to be “substantially similar” to the privacy standards in PIPEDA. British Columbia and Alberta did so in 2004, and Ontario (for health information custodians only) in 2005.
PIPEDA is relatively young legislation, and many of its provisions and the powers attached to it – audit and litigation, for example – have not been fully explored. The public has not yet taken advantage of many of the protections afforded under PIPEDA, and has not yet brought many of the larger privacy issues now covered by the Act to the attention of the Office of the Privacy Commissioner of Canada (OPC). Nor has the OPC had the chance yet to “connect all the dots” between individual complaints to address the many systemic issues that are emerging across different organizations and sectors.
That said, PIPEDA appears to be working reasonably well, although gaps have appeared that were not anticipated when it was drafted several years ago. A serious problem has developed concerning the Commissioner’s investigative power to review personal information that is protected by solicitor-client privilege, with the Federal Court of Appeal’s recent decision in the Blood Tribe case (Footnote 1). This decision leaves a gap in the Commissioner’s powers and will potentially allow an opaque veil of secrecy to cover corporate-held documents, with no possibility of independent verification other than through a formal application to court. This undermines the two-tier level of protection that was intended through the flexible, accessible and independent ombudsman model of the Privacy Commissioner. We are seeking leave to appeal this decision, but believe this ambiguity in the legislation needs to be clarified through an amendment to PIPEDA as soon as possible.
Some of PIPEDA’s provisions may need to be reconsidered in light of experience, including the experience we have observed with provincial private sector legislation. Several procedural changes and minor “housekeeping” improvements may be required to smooth the operation of the Act. For example, we believe that the exception to the definition of personal information should be expanded to include business contact information, such as employee email addresses, business fax numbers and any future means of transmitting business information.
Besides challenges within the legislation itself, changes in society necessitate rethinking some aspects of PIPEDA. These changes have occurred on many fronts – for example, the expansion in transborder flows of personal information, spyware, illegal data trafficking, increased threats to the security of computer systems and the growing interest of government agencies in personal information held by the private sector.
To be sure, the last few years have also created challenges for organizations covered by PIPEDA as they have moved to implement the privacy principles of PIPEDA. Overall, the information handling practices brought to our attention show Canadian organizations demonstrating a high level of compliance with PIPEDA. Businesses, large and small, have demonstrated goodwill, commitment to community values and openness to change when it comes to protecting privacy.
In July 2006, in preparation for the mandatory review of PIPEDA, the OPC issued a consultation paper (Footnote 2) which described several issues that we had identified as warranting consideration during the review. The OPC invited those interested in privacy to comment on the issues and to raise any others that they thought should be considered in the PIPEDA review. Such input has helped inform the OPC’s own thinking on the issues. The OPC’s goal in undertaking a consultation at this time was to help Parliament and the Canadian public ensure that PIPEDA is the most effective vehicle possible for fulfilling Parliament’s stated objective in PIPEDA – recognizing the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information “for purposes that a reasonable person would consider appropriate in the circumstances.”
We were pleased to receive 63 submissions in reply to the discussion document. Their origins can be broken down as follows:
- 42 submissions from organizations (including law firms, financial institutions, unions, universities, and industry and professional associations from the health, financial, insurance, real estate and other sectors and government agencies);
- 5 submissions from privacy and consumer advocates and privacy commentators; and
- 16 submissions from individuals.
Not all submissions addressed every question posed in the discussion document. Some respondents discussed issues that fell beyond the scope of the questions we posed. An overview of some of these additional issues is included at the end of this document.
We decided that it was important to share the richness of these comments with the Committee by providing a detailed summary. Where appropriate, the OPC’s own position on each of the issues follows the summary of submissions.
Background and a Question from the OPC Discussion Paper on Commissioner’s Powers
In designing PIPEDA, Parliament used an ombudsman model similar to that used for the Privacy Act and the Access to Information Act. Under all three laws, the commissioner responsible has the authority to investigate complaints, make findings and issue non-binding recommendations.
Under PIPEDA, the Commissioner has a limited discretion to initiate a complaint, conduct an audit and publicly disclose information relating to the personal information management practices of an organization. The Commissioner has no power to order an organization to cease or change a practice or release personal information. Nor can the Commissioner award damages. However, if an individual is not satisfied with the Commissioner’s attempt to resolve certain issues, the individual has a right of review by the Federal Court. The Commissioner herself can initiate court action with the consent of the individual, and has done so on occasion where organizations have refused to implement her recommendations.
Some observers may argue that the ombudsman approach, with its lack of order-making powers, makes PIPEDA less effective in protecting the rights of individuals than if the Commissioner had powers of enforcement – for example, the power to order an organization to comply with a particular provision of PIPEDA. They may want PIPEDA to contain order-making powers similar to those in the British Columbia and Alberta data protection legislation. They might also look to the order-making powers granted to the Commission d’accès à l’information du Québec under that province’s Act respecting the protection of personal information in the private sector, the first private sector data protection legislation in Canada.
Others may suggest that the ombudsman model is preferable. They may see this model as being more accessible, informal, practical and flexible in helping parties resolve the issues between them. Supporters of the ombudsman model may also argue that PIPEDA does provide for binding orders through the Federal Court as the next level of enforcement, beyond the Commissioner’s recommendations. Supporters of this approach might also suggest that changing the nature of the Commissioner’s powers would be a complex exercise that would affect other roles of the Office – mediation, education and audit, for example – and would require a reconsideration of the role of the Federal Court under PIPEDA.
Question posed by OPC:
- Is the existing ombudsman model effective or ineffective at protecting the privacy rights of individuals and addressing the legitimate interest in personal information of organizations engaged in commercial activities? In what ways? What, if anything, needs to be changed?
Respondents’ Comments on Commissioner’s Powers
- There was no clear consensus about the appropriate scope of the Commissioner’s powers.
- Most individuals and advocates who discussed this issue, as well as one organization, favoured order-making powers.
- Most organizations that commented on this issue favoured the existing ombudsman model.
- An information management association and a business association argued in favour of order-making powers for the Commissioner.
- A privacy commentator, an association and an organization supported keeping the ombudsman role until at least the next PIPEDA review.
- An individual who supported the ombudsman role argued that privacy laws, and privacy commissioners, encourage steady improvements in business organizations’ behaviour over the short and longer term.
- An association and two individuals arguing in favour of the ombudsman model questioned whether organizations take their privacy protection seriously when the Commissioner has no enforcement powers or powers to levy fines.
- An organization supporting the ombudsman model argued that it allows an ombudsman to be more courageous and adopt a stronger posture in making recommendations.
- A professional association suggested that a specialized tribunal with order-making power should be part of the oversight model.
- Some commentators wanted the Commissioner to make better use of her existing powers. For example, they cited her audit power and the power to “name names” (some organizations wanted this power used only infrequently). They also called for more extensive public education and more detailed findings.
OPC’s Comments on Commissioner’s Powers
Parliament may wish to consider if order-making power would make our Office more effective in promoting better personal information practices in the private sector. This analysis should also consider potential additions or enhancements to the Commissioner’s current enforcement tool kit.
Any consideration of the Commissioner’s powers must also address the impact of an order-making power on other activities of the Office – mediation, education and auditing, for example. An order-making power would likely also reshape the role of the Federal Court with respect to PIPEDA.
In addition, would an order-making power make the determination of privacy rights a more rapid or efficient process? In our view, now is not the best time to move on the order-making power issue. The Office of the Privacy Commissioner has tried to do its job over the last three-and-a-half years in an atmosphere of instability, constant and detailed scrutiny and reduced administrative capacity. We are just emerging from this period, renewed, rehabilitated and having received sufficient resources.
In our view, the administrative consequences of introducing an order-making power at this time would reduce the efficiency of the OPC in carrying out its multi-faceted mandate.
We intend to make greater use of our power to conduct audits and to resort to court action when such action is necessary to encourage recalcitrant companies to respect the fair information practices set out in PIPEDA.
Background and Questions from the OPC Discussion Paper on Consent and the Employee/Employer Relationship
PIPEDA is a “consent-based” statute. Generally, it requires knowledge and consent of the individual affected for the collection, use and disclosure of personal information in the course of commercial activity. Data protection bodies around the world have struggled with the challenges of operating a consent-based regime for the processing of personal information, particularly given the modern realities of global commerce.
PIPEDA protects the personal information of employees in a federal work, undertaking or business. Employers need personal information about their employees for many legitimate business purposes. In a perfect world with no economic coercion, the employer could ask the employee for personal information, and the employee would freely decide whether to give that information. However, given the unequal bargaining power in employment relationships, many employees may not feel in a position to withhold their consent, for fear that doing so may harm their employment or even lead to their dismissal. In such circumstances, some may argue, employees are not freely consenting to an employer’s collection of their personal information, and to infer consent only because they continue to work constitutes a forced and inappropriate stretching of the consent principle that risks “watering down” the principle.
Alberta and B.C., in their Personal Information Protection Act (PIPA), have taken a different approach than PIPEDA to personal employee information. Alberta’s PIPA allows an organization to collect “personal employee information” without the consent of the employee (or potential employee) under certain conditions, including when the collection is “reasonable for the purposes for which the information is being collected...” Personal employee information in Alberta’s PIPA simply means personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating an employment relationship or a volunteer work relationship. B.C.’s PIPA allows the collection of “employee personal information” when, among other circumstances, the collection is “reasonable for the purposes of establishing, managing or terminating an employment relationship...”
Some might argue that the Alberta and B.C. provisions present a more feasible solution for dealing with the specifics of handling personal information in the modern employment context. Critics may counter that such provisions would remove from employees the autonomy to decide for themselves what is a reasonable use of their personal information and instead place the authority to make this decision entirely in the hands of their employers. Even if employees could challenge their employer’s purpose by bringing a complaint, some might see this shift of power as an erosion of one’s most basic and fundamental privacy right – the right to decide for oneself what is done with one’s personal information.
Quebec’s Act Respecting the Protection of Personal Information in the Private Sector does not treat personal information about employees as a distinct category of personal information subject to special provisions. However, the test for collection of personal information about employees without their consent is based on necessity. This involves a consideration of the sensitivity of the personal information and the proportionality test articulated by the Supreme Court of Canada in the Oakes decision (Footnote 3).
Another option would be to add a specific provision to section 7 of PIPEDA to deal with consent issues relating to employees. As a general rule, personal information about an employee could be collected only with their consent. However, the provision could set out specific exceptions to the consent rule.
Questions posed by OPC:
- Should PIPEDA be amended to remove the consent requirements in relation to personal employee information? If so, is the “reasonable purpose” test an appropriate alternative?
- Should employee consent issues be addressed by a specific exception in section 7 for the employment relationship, subject to conditions? If so, what should be the conditions?
- Should the collection of some types of employee data be prohibited altogether? If so, what would be the criteria for prohibiting collection?
Respondents’ Comments on Consent and the Employee/Employer Relationship
- Most organizations that commented on this question stated that they liked the approaches taken in the “second generation” Alberta and British Columbia Personal Information Protection Act (PIPA). They supported the “reasonable purpose” approach found in these laws that eliminates the need to obtain employee consent for the collection, use and disclosure of personal information about them.
- A professional association argued that the model set out in the Alberta PIPA adequately protects against abuses, such as wholesale or unnecessary surveillance activities.
- Some commentators stressed the need to harmonize PIPEDA with provincial data protection laws.
- A privacy commentator and an individual argued in support of the Alberta and B.C. models.
- Two individuals argued that a reasonable purpose test is not a substitute for consent.
- Two organizations had not had any difficulty with the current approach under PIPEDA to handling employee information. Another described it as “working well.” A fourth organization recommended that employee personal information should be treated in the same manner as customer personal information, so the consent requirements should remain in place.
- A consumer advocacy organization argued that a suitable alternative would be to introduce employment-specific exceptions to consent in section 7.
- A different consumer advocacy organization argued that the Quebec approach to employee consent is the most equitable and least privacy-invasive.
- One individual who favoured removing the consent requirement with respect to employee personal information stated that the reasonable purpose test does not, on its own, suffice as an alternative. He argued that the test must be supplemented by reference to the dignity of employees.
OPC’s Comments on Consent and the Employee/Employer Relationship
Personal information about employees has been the source of some of the most challenging complaints OPC has encountered over the last five years and, in some cases, we have been forced to stretch PIPEDA to address employment issues. That said, we are not convinced that it would be prudent to adopt the Alberta and B.C. models without careful thought about the implications. Exempting large portions of employees’ personal information from the consent process would take away rights that they currently have under PIPEDA, however unwieldy the Act may be on this issue.
The OPC asks the Committee to consider if, and how, PIPEDA might be amended to deal more appropriately with employee information.
Background and Questions from the OPC Discussion Paper on Collection and Disclosure for Law Enforcement and National Security Purposes
The Public Safety Act, 2002 amended PIPEDA with a provision (section 7(1)(e)) that adds to the number of situations under PIPEDA where an organization can collect personal information without the knowledge or consent of the individual. Parliament enacted this amendment to authorize air carriers and travel agencies to collect personal information for government-run airline passenger screening systems. The amendment means that collection is permitted without knowledge or consent for the purpose of making a disclosure:
- that is required by law;
- to a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; or
- on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization suspects that the information relates to national security, the defence of Canada or the conduct of international affairs.
Some may express concern about the broad wording of section 7(1)(e). Any organization subject to PIPEDA, not merely air carriers and travel agencies, now has the authority to collect personal information without knowledge or consent in the situations described in section 7(1)(e). The section does not limit the amount of information that can be collected, the duration of the collection activity or the possible sources of the information. In short, some may argue, the authority granted by the section 7(1)(e) amendment allows organizations to act as agents of the state – also described as “deputizing the private sector” – by collecting information, without consent, for the sole purpose of disclosing it to government and law enforcement agencies.
For example, this amendment to PIPEDA creates the potential for an organization subject to PIPEDA to collect personal information merely because it suspects that the information relates to the conduct of international affairs. The organization need have no legitimate business purpose for the collection of the information. The concerns about section 7(1)(e) may be heightened because the federal Privacy Act offers inadequate protection to personal information once government institutions obtain the information from organizations that have collected it under section 7(1)(e).
Others may argue in contrast that this amendment to PIPEDA is a necessary addition to the tools to address serious law enforcement and national security issues. They may argue that these are legitimate circumstances where personal information should be collected and disclosed without consent.
Questions posed by OPC:
- Is it appropriate for private sector organizations to act as personal information collection agents for the government? Is it appropriate for records to be created solely for the purpose of providing them to government?
- Is the authority to collect personal information without the knowledge or consent of the individual in section 7(1)(e) broader than necessary? If so, how might the provision be amended to limit the authority for organizations subject to PIPEDA to collect information?
Respondents’ Comments on Collection and Disclosure for Law Enforcement and National Security Purposes
- Many respondents had concerns about section 7(1)(e), a provision that adds to the situations where an organization can collect information then subsequently disclose it without the knowledge or consent of the individual.
- One professional association argued that, where there is a reasonable expectation of privacy, any disclosure of personal information to law enforcement must comply with constitutional standards.
- A financial institution, a credit-granting organization, another organization and some consumer advocacy organizations were strongly opposed to deputizing private organizations as agents to collect personal information for the state. One professional association strongly objected to this public policy direction of government, calling it inappropriate and costly.
- An organization argued that PIPEDA does not offer enough guidance to organizations faced with pre-warrant requests for personal information from law enforcement agencies. It continues to insist that law enforcement agencies obtain a warrant.
- An organization argued that PIPEDA should prohibit organizations from collecting information to pass on to government.
- Issues relating to collection and disclosure without consent were of particular concern to privacy and consumer advocates, a privacy commentator and some individuals.
- An association argued that organizations do not want to be collection agents for the government, but acknowledged that the government must have access to certain information for national security purposes. Two other associations did not comment on the appropriateness of these provisions, but stated that their members comply with the laws of Canada and of other countries in which they operate.
OPC’s Comments on Collection and Disclosure for Law Enforcement and National Security Purposes
The broad wording of section 7(1)(e) continues to cause OPC serious concern. The provision applies to any organization subject to PIPEDA and has the undesirable effect of deputizing the private sector to carry out law enforcement activities without the corresponding public accountability. It does not limit the amount of information that can be collected without consent, nor does it place any limits on the possible sources of information.
We asked for its removal at the time that the Public Safety Act, 2002 was being passed. We continue to believe that it should be removed or that it should be made more restrictive.
Background and Questions from the OPC Discussion Paper on Investigative Bodies
PIPEDA permits organizations to disclose personal information, without the knowledge or consent of the individual, to an investigative body. To do so, there must be reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction. PIPEDA also permits investigative bodies to disclose personal information without the individual’s knowledge or consent if the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.
The authority for this comes from sections 7(3)(d) and 7(3)(h.2). Section 7(3)(d) would allow an organization to disclose information to an investigative body if the investigative body was investigating a suspected fraud or contravention of a law – for example, the defrauding of a financial institution. Section 7(3)(h.2) allows disclosure by an investigative body without consent if the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.
The Act does not define “investigative body.” Each application for the status of investigative body is confirmed by regulation. Two investigative bodies were listed when the Act came into force: the Insurance Crime Prevention Bureau and the Bank Crime Prevention and Investigation Office. There are now about 75 investigative bodies. More than 20 Ontario health professional regulatory bodies, such as the College of Nurses and the College of Optometrists, and the Law Societies of most provinces and territories have been designated investigative bodies. These designations occurred on the grounds that the bodies may need to obtain personal information without consent to conduct disciplinary proceedings. Some may argue that the whole application process is cumbersome and that, given the greatly expanding number of designated investigative bodies, it is no longer clear whether this regulatory approach is the most effective. Furthermore, they may argue, bodies such as those regulating health care professionals may already offer adequate oversight of the activities of these investigative bodies.
Supporters of the current designation system may argue that the current scheme for designating investigative bodies, while cumbersome, provides much greater transparency and oversight than would a scheme that, for example, simply defined “investigative body” in PIPEDA and essentially allowed organizations to designate themselves as such unless the designation were successfully challenged. As well, they may argue, Privacy Impact Assessments submitted as part of the application process allow for a more open, transparent and robust approach for designation, even if the process may be lengthy. It also allows for a clear public listing of the organizations designated as investigative bodies.
One reform option might be to attempt to define “investigative body” in PIPEDA. Only bodies satisfying the definition would warrant the limited special status given to such bodies. By defining “investigative bodies” in PIPEDA, the requirement to confirm the status of the body through regulation could be repealed, since there would be a more direct means within PIPEDA to determine whether a body meets the criteria for an investigative body.
Another option might be to adopt the model in the Personal Information Protection Act (PIPA) of both British Columbia and Alberta. The Acts both define the term “investigation” and then allow collection, use and disclosure without consent for the purposes of an investigation. For example, the B.C. PIPA defines “investigation” as an investigation related to:
(a) a breach of an agreement,
(b) a contravention of an enactment of Canada or a province,
(c) a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity,
(d) the prevention of fraud, or
(e) trading in a security as defined in section 1 of the Securities Act if the investigation is conducted by or on behalf of an organization recognized by the British Columbia Securities Commission to be appropriate for carrying out investigations of trading in securities,
if it is reasonable to believe that the breach, contravention, circumstance, conduct, fraud or improper trading practice in question may occur or may have occurred.
The B.C. PIPA allows collection without consent if “it is reasonable to expect that the collection with the consent of the individual would compromise the availability or the accuracy of the personal information and the collection is reasonable for an investigation or a proceeding.”
Questions posed by OPC:
- Should provisions in PIPEDA relating to investigative bodies be changed? If so, in what way?
- Whether the provisions are changed or not, can the transparency and accountability relating to the activities of investigative bodies be further enhanced? What measures would accomplish this?
Respondents’ Comments on Investigative Bodies
- There was no clear consensus on the process for designating investigative bodies under PIPEDA.
- Some financial associations, an association and another organization described the current system as cumbersome, lengthy and onerous.
- Most organizations suggested that PIPEDA adopt the definition of “investigation” used in Alberta and employ the general approach of the Alberta and B.C. PIPA. A professional association, an organization and an association added that PIPEDA should adopt the approach found in the B.C. PIPA, namely, that there is no additional consent required for a third-party processor, such as an investigator, to collect, use and disclose personal information on behalf of an organization.
- Another professional association suggested that any changes to the process for defining an investigative body within PIPEDA must not have a negative impact on the self-regulatory requirements of its profession.
- One financial organization did not support changing the current process because the Act already identifies various circumstances in which personal information may be disclosed without consent by organizations that are not investigative bodies and these exceptions should be sufficient for most organizations. Another organization agreed that it is not necessary to change the current process because it provides greater transparency and oversight than a scheme that defines “investigative body” within PIPEDA.
- A credit-granting organization did not support changes to the current approach, but wanted a set of minimum criteria for “designated investigative body” to be listed in the Act.
- Another financial institution supported efforts to simplify the process, but also argued that the existing regulatory approach provides stakeholders with a degree of certainty and predictability when sharing information. It supported including a definition of investigation that would include “fraud prevention” activities.
- A consumer advocacy organization preferred the transparency and accountability provided by the current approach over the Alberta and B.C. models which, in its view, create a lower threshold for protecting personal information.
- A privacy commentator was not aware of any problems with the current process of designating investigative bodies, and described the current process as transparent and robust.
- Another consumer advocacy organization argued that the current process could be further strengthened by making the criteria upon which organizations are vetted open to public scrutiny. It called for mechanisms for periodic reviews of designations. It also argued that the ultimate sanction for a well-founded complaint against an investigative body should be the removal of its designation either temporarily or permanently.
- An individual argued that allowing bodies to self-designate is not a satisfactory alternative to the current approach. Instead, investigative bodies should be brought directly under the Act, giving the Privacy Commissioner the opportunity to audit these bodies on a regular basis.
OPC’s Comments on Investigative Bodies
The OPC believes that the current approach to designating investigative bodies, though cumbersome, is working adequately and need not be changed at this time.
Background and a Question from the OPC Discussion Paper on Attempted Collection Without Consent
PIPEDA applies to the actual collection, use and disclosure of personal information. However, there appears to be a gap in the law relating to attempts to collect personal information without consent. For example, a 2006 decision of the Federal Court of Appeal (Footnote 4) concluded that PIPEDA does not expressly prohibit attempts to collect personal information without consent. PIPEDA does not apply, for example, to an attempt to collect information through video or audio surveillance with equipment that failed to work, or to an unsuccessful attempt by a bank employee to obtain information from a customer that the bank had no authority in law to acquire. Based on this reasoning, PIPEDA would not likely apply either to attempts to use or disclose information, when such attempts fail.
Even if, for example, an attempt to collect personal information fails, perhaps the type of collection of personal information that the organization was attempting – through secret surveillance or deceptive practices – should entail consequences under privacy legislation for the organization making the attempt.
There is a precedent in Canadian privacy law for dealing with attempted collection. Section 59(1) of Alberta’s Personal Information Protection Act (PIPA) generally makes it an offence to wilfully attempt to gain or gain access to personal information in contravention of the Act.
Some may argue that including attempted collection in PIPEDA could give the complainant a right to have the Federal Court hear the complaint, make a binding order and even award damages. Section 16 permits the Court to grant a range of remedies, including an order to the organization to correct its practices and publish a notice of any action taken or proposed to be taken to correct its practices. The Court may also award damages to the complainant, including damages for any humiliation that the complainant has suffered.
Question posed by OPC:
- Should PIPEDA be amended to regulate wilful attempts to collect personal information without consent?
Respondents’ Comments on Attempted Collection Without Consent
- There was no clear consensus on this issue.
- An association argued that PIPEDA should apply only to what has happened, and not to what might have happened, even if the failed attempt was made wilfully. Similarly, a financial organization argued that PIPEDA should apply to attempted collection where the attempt actually results in some kind of loss or detriment to the “owner of the personal information”.
- Another financial association saw no need for change in this area. It noted that it was important to recognize that many laws require the collection of information to ensure that the organization knows the customer opening an account, and that organizations should not be penalized for following a regulator’s guidelines or recommended best practices.
- Another financial organization, an organization and an association all argued that attempted collection was important to address, but that PIPEDA was not the right vehicle. They recommended amending the Criminal Code or other penal statute to deter and punish identity theft, “phishing” and similar activities.
- An organization and a credit-granting organization recommended that PIPEDA should be amended to regulate any wilful attempts to collect personal information without consent.
- Privacy advocacy and consumer organizations, a privacy commentator and some individuals argued that attempted collection demonstrates that an organization was about to, or was seeking, to contravene PIPEDA, so attempted collection should be considered a contravention.
OPC’s Comments on Attempted Collection Without Consent
The issue of attempted collection remains an issue of concern for OPC and we would support efforts to close the gap in PIPEDA by addressing “wilful” attempted collection.
Background and Questions from the OPC Discussion Paper on Individual, Family and Public Interest Exceptions to Consent Requirements
The consent principle finds expression in Principle 4.3 of the Schedule to PIPEDA. Principle 4.3 states, in part, that the “knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” Section 7 of PIPEDA acknowledges the consent principle in Principle 4.3, but identifies several specific situations where information may be collected, used or disclosed without the knowledge or consent of the individual. For example, section 7(3)(e) allows a disclosure without an individual’s knowledge or consent “to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure.”
Some situations are not covered by this or any other provision, such as disclosures to the family of an injured, ill or deceased individual, or disclosures in the public interest after a major disaster.
Question posed by OPC:
- Are there circumstances beyond those now identified in section 7 of PIPEDA where collection, use or disclosure without knowledge or consent should be permitted for the legitimate benefit of an individual or his or her family or the greater public? If so, what are those circumstances?
Respondents’ Comments on Individual, Family and Public Interest Exceptions to Consent Requirements
- Overall, there was support for some change in this area.
- A financial association wanted an exception for natural disasters and another organization wanted to be able to disclose information to locate owners of unclaimed properties. Both organizations also wanted to be able to disclose if they suspected financial abuse, especially of seniors.
- Another financial organization and a credit-granting organization argued that a specific exemption to the requirement to obtain consent may be necessary to permit the disclosure of the identity of convicted criminals, as well as the names and ages of victims of major disasters. As well, it suggested, disclosures to the family of an injured or deceased individual should be permitted.
- An association suggested the scope of implied consent in PIPEDA should be extended to include beneficiaries – those individuals who could claim a benefit of a product or service for which another individual provided the first individual’s personal information.
- A professional association argued that PIPEDA should adopt the two-part approach of the B.C. PIPA. It also recommended that PIPEDA should address the issue of consent obtained indirectly from an individual through a third party. For example, an organization should be able to rely on an assurance or surrounding circumstances that the third party has the consent of the individual, or that the individual would consent if aware of the circumstances, such as in the example of giving a donation or a gift.
- A consumer advocacy organization was generally in favour of a new, narrowly defined exception that would permit disclosure of minimal personal information to close family members, and perhaps to others in certain cases, when an individual is hospitalized suddenly. This organization also called for PIPEDA to allow collection, use and disclosure of personal information of the general public after a major disaster.
- A privacy commentator argued that section 7(3)(e), allowing limited disclosure only in an emergency situation, imposes a higher standard for personal information disclosure than the Alberta and B.C. laws. He argued that Alberta’s PIPA has two further exceptions to consent that should be considered for PIPEDA – reasonable disclosure to a surviving spouse, and the disclosure of information necessary to determine the individual’s eligibility to receive an honour, award or similar benefit. He also noted that B.C.’s PIPA allows disclosure without consent in one further circumstance that PIPEDA might also be amended to cover – instances where personal information is collected by observation at a performance, a sports meet or similar event at which the individual voluntarily appears and that is open to the public. He suggested that PIPEDA should include a restriction on the amount of information that may be disclosed, similar to the Alberta PIPA.
OPC’s Comments on Individual, Family and Public Interest Exceptions to Consent Requirements
The OPC believes that some of these submissions have identified legitimate concerns and that the Committee may wish to consider some very limited exceptions in this area such as disclosures to the family of an injured, ill or deceased individual and notification in case of an emergency in a community setting.
Background and Questions from the OPC Discussion Paper on Blanket Consent
PIPEDA is a consent-based statute. It generally requires consent for the collection, use and disclosure of personal information in the course of commercial activity. The prevailing view might be that as long as a consent clause is worded broadly enough, this will technically and legally permit a wide range of future collections, uses and disclosures under the terms of the agreement between the customer and the organization. However, others may argue that truly free and informed consent is more than this; it is more than a one-time, wide-open, blanket signature on a consent form. They may argue that informed consent is a dynamic process that involves keeping individuals actively aware – on an ongoing basis, using understandable language, and in a transparent manner – of what an organization intends to do with their personal information and for what purpose. They may see consent as giving them the opportunity to receive further explanations and to ask questions or challenge assumptions – particularly in relationships of unequal bargaining power.
On the other hand, others may argue that consumers are generally free to determine the extent of the consent they are giving for the collection, use and disclosure of their personal information, and that no changes to PIPEDA are needed to make consent more meaningful. They may also argue that many consumers don’t want to be asked for their consent for every specific type of collection, use and disclosure of their personal information, and that they may become annoyed if too frequently asked to make a choice or fill out another form.
Question posed by OPC:
- Should PIPEDA be amended to deal with “blanket consent?” If so, what should be the nature of those amendments?
Respondents’ Comments on Blanket Consent
- Most organizations did not see a need to amend PIPEDA to deal with the question of blanket consent.
- One organization commented that one-time consent is adequate where the service is regulated and the right to withdraw one’s consent is made clear.
- A consumer advocacy organization commented that the problem of “blanket consent” can and should be addressed through interpretations of PIPEDA by the Privacy Commissioner and the courts. It noted that PIPEDA does not set limits on the time period for which consent is valid, and that this issue could be addressed through a general reasonableness requirement rather than by establishing a set time period.
- A privacy commentator and another individual argued in favour of amending Principle 3 (which deals with consent) of the Schedule. The privacy commentator also suggested that an alternative to amending the Schedule would be to have more guidance from the Commissioner on ongoing marketing and customer relationship activities.
- A professional association argued that blanket consent is a problem. It would like consumers to be offered three options: (a) withholding consent, (b) consenting to the collection of information for a specific purpose, and (c) giving blanket or broad consent.
- Some individuals maintained that every request for personal information should be judged on its merits and justifications.
OPC’s Comments on Blanket Consent
The OPC considers this to be an issue where guidance would be appropriate and it has no specific recommendation for change in this area.
Background and Questions from the OPC Discussion Paper on Disclosure of Personal Information Before Transfer of Businesses
PIPEDA contains no provision to allow an organization to disclose personal information to prospective purchasers or business partners without the consent of the individual affected. They may need to review this information (such as client lists) for their “due diligence” evaluation of whether to proceed with the transaction – perhaps a merger, acquisition or sale of business. Such transactions may range from the relatively modest – the sale of a dental practice, including its patient lists – to very large corporate takeovers.
Other laws, such as Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and the Alberta and British Columbia Personal Information Protection Act (PIPA) allow disclosures without the individual’s consent, subject to stringent confidentiality agreements. Some may argue that it is appropriate to include a similar provision in PIPEDA. They may conclude that this would both facilitate commercial transactions and protect commercial secrets in a highly competitive environment.
If a sale or merger occurs, some individuals may not want their personal information transferred as part of that sale or merger. Some may argue that individuals should have the opportunity to opt out of the transfer of their personal information where possible. In some cases, however, regulatory requirements oblige retaining personal information for a period of time. Individuals whose personal information is at stake could be made aware of this through proper notification up front.
Questions posed by OPC:
- Should PIPEDA allow an organization in possession of personal information to disclose that information to a prospective purchaser or business partner? If so, what conditions should apply?
- Should PIPEDA be amended to allow the transfer of personal information from an organization to a prospective purchaser or business partner? If so, what restrictions should apply?
Respondents’ Comments on Disclosure of Personal Information Before Transfer of Businesses
- Most organizations believed that an exception to the requirement to obtain consent for the disclosure of personal information should apply where a sale or transfer of a business occurs, and some pointed to Alberta’s PIPA as a good model.
- An association argued that PIPEDA should allow an organization in possession of personal information to disclose that information to a prospective buyer or partner under the same conditions that apply to the outsourcing of information to third parties.
- One organization stated that no exception to consent is needed as typically it is not necessary for an organization to disclose personal information to a prospective purchaser or business partner. It argued that any information that needs to be disclosed can be disclosed in aggregate form or in a way that does not disclose personal information.
- Consumer advocacy groups, some individuals, two financial organizations and an association agreed that PIPEDA should allow an organization to disclose personal information to a prospective purchaser or business partner on condition that the information remain confidential and that the information is destroyed or returned if the transaction does not materialize.
- An individual argued there is no evidence PIPEDA has hampered mergers and acquisitions and that, therefore, the Act should not be amended to allow disclosure of personal information without consent for the purposes of due diligence.
- A privacy commentator and a consumer advocacy group argued that PIPEDA should include a requirement to notify individuals, as in B.C.’s PIPA, to permit individuals to take steps to limit the future use of their personal information where they do not wish to deal with an acquiring company.
- An association argued that customers should be notified in advance that their personal information will be transferred to a purchaser or other transferee. It said PIPEDA should clarify that, in the case of these business transactions, the transferee will be responsible for meeting all the regulatory requirements under PIPEDA, including respecting access rights.
- An individual suggested that if people are allowed to retain control over the disclosure of their personal information for the purposes of due diligence, they should definitely be allowed to opt out of the permanent transfer of their personal information. This commentator also pointed out that individuals may object on political, religious or moral grounds to the new organization, and may wish to sever their ties with it.
OPC’s Comments on Disclosure of Personal Information Before Transfer of Businesses
The OPC believes that the Committee may wish to consider changes to PIPEDA by adopting the approach taken in the “second generation” legislation of Alberta and B.C.
Background and Questions from the OPC Discussion Paper on Work Product
PIPEDA does not use or define the term “work product.” B.C.’s Personal Information Protection Act (PIPA), on the other hand, defines work product in part as “information prepared or collected by an individual or group of individuals as a part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment ...” Some may argue that a definition of work product such as that in B.C.’s PIPA would bring greater certainty to the concept of work product and make it easier for PIPEDA to apply distinct rules to work product.
Such a definition might also make more clear the distinction between “work product”, “business information”, and “contact information”, and thus allow them each to be treated differently under PIPEDA.
If work product is defined in PIPEDA, the Act can treat it in one of three ways:
- Exclude work product from the definition of “personal information” in PIPEDA. PIPEDA would then not apply to such information at all. An example of this approach is found in B.C.’s PIPA, as described above;
- Consider work product to be personal information (that is, include work product in the definition of personal information), but state that the data protection provisions of PIPEDA do not apply to the information. This is the approach PIPEDA takes, for example, with personal information collected, used or disclosed for journalistic, artistic or literary purposes;
- Include work product in the definition of personal information, but state that the consent requirements found in section 7 of PIPEDA do not apply to work product. Other provisions of PIPEDA would continue to apply to work product. For example, section 3, the “purpose” section, would continue to apply even if the consent provisions did not. Collection, use or disclosure of work product information would still therefore be subject to the test in section 3 that balances the right of privacy of individuals with the need of organizations for that information.
Some may argue that excluding work product from the definition of “personal information” or stating that the data protection provisions of PIPEDA do not apply (the first two approaches described above) may mean that PIPEDA cannot be used to provide oversight of and challenge some forms of surveillance. For example, surveillance of workers through video, audio, or keystroke surveillance of their workplace activities might not fall under PIPEDA if the records of the surveillance are considered to be work product.
Quebec’s Act Respecting the Protection of Personal Information in the Private Sector provides an example of how work product information – in this case personal information on professionals about their professional activities – can be made the subject of provisions tailored to the nature of the information. In 2001, a provision was added to the Act giving an enhanced discretion to grant access to personal information on professionals about their professional activities. In this way, some may argue, the Quebec Act treats work product information as being situated mid-way between personal and non-personal information. The Commission d’accès à l’information may, on written request, grant a person authorization to receive communication of personal information on professionals regarding their professional activities, without the consent of the professionals concerned. This access is subject to the following criteria:
- the professional order concerned must have been consulted beforehand;
- professional secrecy must be respected;
- the professional must be notified periodically of the intended uses and ends contemplated;
- the professional must have an opportunity to opt out;
- security measures must be in place to ensure confidentiality of information.
The authorizations must be revised annually, and the list of authorized persons is published.
Questions posed by the OPC:
- Should PIPEDA define “work product”?
- If so, how should PIPEDA treat work product?
Respondents’ Comments on Work Product
- There was no consensus on how to deal with “work product” information.
- Four associations, three organizations and a privacy commentator suggested that work product should be defined as it is in the B.C. PIPA. Several associations, one of the organizations and the privacy commentator argued that “work product” should then be excluded from the definition of personal information.
- The privacy commentator argued that, in the B.C. model, work product consists only of information that has been tangibly prepared or collected and that is therefore a resulting product. Video surveillance or other workplace monitoring activities would therefore be excluded from the scope of this definition since such activities do not constitute a “work product,” merely a measuring of work processes.
- An individual argued in favour of including work product in the definition of personal information, but that the consent requirements would not apply to this information.
- An association commented that it did not support including work product in the definition of personal information, and then excluding it from the data protection provisions or consent requirements of PIPEDA, because the provision would be too complex for organizations to apply.
- Two other associations argued that many businesses have interpreted work product to be proprietary, with only personal information contained in the work product falling within the scope of PIPEDA. These associations argued that to define work product as personal information would give PIPEDA a degree of control over workplace operations neither contemplated nor intended by the framers of the legislation.
- An organization argued that the definition of work product is highly dependent on the circumstances at hand and that therefore PIPEDA should not attempt to define “work product.” Instead, whether information constitutes “work product” should be established on a case-by-case basis to determine if PIPEDA should apply.
- An association stated that its members had not encountered any issues that led them to believe a definition of work product would be required and that the general interpretation was sufficient. Another association and an organization argued that the issue of work product has been well discussed and clarified in findings and there is no need to amend PIPEDA.
- An individual argued that workplace privacy is already a nebulous concept, with employers claiming the proprietary right to any information produced by employees during work, and refusing to recognize any legal basis for some measure of private life at work. This individual further argued that the introduction of a notion of work product into PIPEDA would only serve to further erode workplace privacy for federally regulated employees and, by extension, for those provincial employees not protected by any legislation. This individual argued that the notion of work product under the PIPA is too vague and that personal information is better protected by the current division of information created in the workplace into two categories – personal, and business-related. This individual concluded that work product should not be defined in PIPEDA, but that if it is defined, the best approach would be to require employers to handle it in a reasonable manner that preserves the dignity of employees.
- No consumer or privacy advocates commented on this issue.
- On the matter of “professional information,” a professional association stated that the definition of personal information should exclude business or professional information.
- Another professional association noted that individuals, such as its own professionals, have legitimate privacy interests in performance data that may be deemed “work product information” and a privacy commentator argued that individual professionals should have a stake in how information about their professional activities is communicated. This professional association and the privacy commentator both expressed support for the legislative scheme found in Quebec which gives individuals the right to opt out of the collection, use and disclosure of professional information.
OPC’s Comments on Work Product
The OPC believes that this is a very complex issue. To date, we have addressed the issue by asking whether or not the information in question is about the individual. If the answer is yes, then the information is protected by the Act. We recognize that an individual in his or her capacity as an employee or as a professional may generate information that is not about the individual.
Excluding work product could weaken the protection provided by the Act since this could result in intrusive workplace monitoring and other abuses. We believe that work product issues should continue to be addressed case-by-case.
Background and Questions from the OPC Discussion Paper on the Duty to Notify
Identity theft can occur electronically on a massive scale if organizations fail to provide adequate security to personal information they have collected. Some may argue that organizations that suffer security breaches (“involuntary disclosures”) or the outright theft of their personal information holdings should be required to mitigate the risk of identity theft to the individuals involved. Mitigation after a security breach could involve notifying the individuals whose information is at stake, credit agencies, relevant government agencies (for example, those that administer benefits such as welfare) and other commercial entities, such as banks.
By the end of 2005, roughly half of U.S. states had passed laws requiring customers to be notified when their personal information is compromised. As well, several bills have been introduced, but none yet passed, at the federal level in that country. These laws typically provide for large fines for failure to notify. For example, legislation in New York State provides for penalties of up to $150,000 for knowingly or recklessly violating the reporting requirements.
Of Canadian data protection laws, Ontario’s Personal Health Information Protection Act is the only one requiring notification after a security breach. The Act requires health information custodians to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost or accessed by unauthorized persons.
Some may argue that PIPEDA should include a similar duty to notify the individuals affected after a security breach. As well, section 7(3) of PIPEDA, dealing with disclosures without consent, could be amended to permit an organization that has suffered a security breach to notify credit bureaus and other relevant organizations or agencies about the breach. Once alerted, credit bureaus could place fraud alerts on the files of the affected individuals. In addition, PIPEDA could be amended to require notifying the Privacy Commissioner of a breach.
Some may argue that laws requiring organizations to notify individuals of security breaches will force those organizations to take security more seriously, to avoid their security failings becoming public knowledge. This in turn may help reduce identity theft and other fraudulent uses of personal information. On the other hand, critics of “notice” laws may argue that it is expensive for organizations to carry out notifications. They may also argue that consumers will start to ignore the notices, particularly if notices are required after any breach, not merely if the breach creates a risk of fraud. If notice laws were to be enacted, those critics might want the laws to require an assessment of risk or severity of the potential harm; this would avoid trivializing the effect of notifications over time by diluting the more important notices amidst a flood of others that may not be necessary or even appropriate. For example, reporting might be required only if the loss or theft creates a reasonable likelihood that the personal information will be used to the detriment of the individual affected, or if the loss affects large numbers of records. In addition, some may argue that conditions should be articulated to guide the implementation of notices in different circumstances, to avoid causing unnecessary further harm to the individuals concerned. They may also argue that for notification laws to be truly effective, organizations must take steps after the notification to minimize the risk of further security breaches.
Questions posed by OPC:
- Should organizations that suffer loss or theft of personal information have a legal duty to report the loss or theft? If so, under what conditions, and to whom should they report?
- If there should be a duty to report, what sort of enforcement mechanism, if any, should be introduced to ensure that organizations comply with reporting requirements?
Respondents’ Comments on the Duty to Notify
- There was no consensus on this issue.
- Two consumer advocacy organizations and an individual argued that PIPEDA should require organizations to report the loss or theft of personal information they collect or store in all instances, or suspected instances, of security breaches, even where it is determined that the threat of misuse, abuse or fraud is minimal. One of these consumer advocacy organizations, and a professional association, suggested emulating California’s Security Breach Information Act, but a privacy commentator who mentioned the California model did not recommend it because he argued that it does not cover some sensitive personal information.
- Several financial organizations, two associations, two other organizations, a consumer advocacy organization, an individual and a privacy commentator supported the duty to notify if the loss or theft could create a risk of fraud or harm.
- An information management association argued there should be a legally enforceable duty to report the loss or theft of personal information in a timely manner to the individuals concerned and to the Privacy Commissioner. It further argued that, where there is a risk of fraud, organizations should also have to notify relevant third parties, such as credit bureaus.
- An individual suggested that the risk assessment approach would inappropriately shift the emphasis away from the individual’s right to control his or her personal information, and view the handling of personal information as merely another operational matter. This individual argued that PIPEDA should instead move toward the recognition that organizations owe a duty, first and foremost, to the individuals who entrusted them with their personal information.
- Five associations, an organization and two credit-granting organizations argued their members already notify individuals when there is a risk of fraud or identity theft, so there is no need to address this issue within PIPEDA. One of these associations argued that, if a duty to notify is deemed necessary, a fraud statute or a separate statute dealing with identity theft would be a more appropriate vehicle for dealing with this issue.
- Another association suggested that an alternative to legislating a duty to notify would be for the Privacy Commissioner to consult stakeholders and issue guidance in this area.
- A credit-granting organization suggested that high-level data security standards should be established under PIPEDA.
- Yet another association recommended using the existing mechanisms under PIPEDA with respect to enforcement, such as individuals making complaints to the Privacy Commissioner with respect to any perceived failure to meet notification requirements.
- An organization stated it was not aware of any empirical evidence or crime statistics demonstrating that consumer notification has had any preventative effect on identity fraud.
- A financial organization and another organization also recommended that section 7(3) should be amended to permit an organization that has experienced a security breach to notify credit bureaus and other affected organizations of the breach. The latter organization also commented that such notifications would cause credit bureaus to incur non-recoverable costs for helping third-party organizations remediate their issues, and that credit bureaus should be able to charge for this service.
- A financial organization argued that the Privacy Commissioner should be notified of any serious breach of security affecting individuals and which has a high likelihood of harm. This financial organization also suggested the Commissioner should be advised of the specific steps taken to rectify the breach.
- An individual argued that organizations should have a duty to notify the individuals affected and the Commissioner, and that the organization should release a copy of the notification to the media through the organization’s normal communication channels.
- A privacy commentator argued the Privacy Commissioner should be notified within five business days after the organization discovers a breach. The Commissioner could then examine and question plans for breach notification to affected individuals and to publicize the breach if doing so were to be deemed in the public interest.
- There were also some comments on fines and penalties. A privacy commentator argued that organizations should be fined for failing to notify the Commissioner of a breach. A consumer advocacy organization argued that PIPEDA should permit civil actions for a failure to notify. This advocacy organization, an individual and an information management association, also argued that all relevant parties need to be advised and, if they are not, PIPEDA should include provisions for heavy fines and severe penalties.
OPC’s Comments on the Duty to Notify
The OPC supports the notion of a duty to notify individuals, but recognizes the difficulty of choosing the appropriate model.
We recognize that a duty to notify does not easily fit into the current PIPEDA model, since there is no straightforward way to penalize organizations that fail to notify individuals about security breaches. PIPEDA would need to be amended.
In addition to adding a duty to notify, or as an alternative, a provision could be added to PIPEDA which would allow an organization that has suffered a security breach to notify credit bureaus about the breach and the individuals affected without the consent of those individuals. This would allow credit bureaus to be more proactive in protecting consumers from identity theft and fraud.
Background and Questions from the OPC Discussion Paper on Transborder Flows of Personal Information
The current business climate often favours the outsourcing of data processing. Some outsourcing results in the transfer of personal information to organizations in Canada that are themselves subject to PIPEDA or substantially similar provincial data protection legislation. Outsourcing may also involve transferring personal information outside Canada, a process described as the transborder flow of personal information.
In the current climate of globalized business and increasingly inquisitive foreign governments, protecting personal information as it flows across borders has assumed even greater urgency.
PIPEDA contains an accountability principle that imposes responsibility on an organization for information that has been transferred to a third party for processing. Principle 4.1.3 of the Schedule to PIPEDA requires the organization to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. This principle applies to any transfer, whether the receiving company is in Canada or abroad.
The concern about loss of control over personal information of Canadians when it crosses borders has led to discussion about several possible options to enhance respect for this accountability principle. Among the other means to protect personal information are provisions that might be placed in contracts between an organization in Canada subject to PIPEDA and the receiving company, such as provisions:
- allowing the organization to inspect and audit the information management practices of the receiving company processing the data abroad, including security practices and disposal procedures, and how the receiving company will enforce these practices and procedures;
- prohibiting use and disclosure by the receiving company, except as required by the law of the country in which the receiving company is situated;
- ensuring that the enforcement of the contract takes place in a suitable jurisdiction;
- calling for binding arbitration in accordance with international rules of arbitration.
Questions posed by OPC:
- Does the current accountability principle in PIPEDA sufficiently protect personal information when it crosses borders?
- If not, how might PIPEDA better protect that information?
Respondents’ Comments on Transborder Flows of Personal Information
- There was no consensus on whether the current level of protection is sufficient.
- Most organizations were satisfied with the current requirements in the Accountability Principle in PIPEDA as they relate to transborder data flows.
- Two associations argued it was sufficient for organizations to be required to provide notice to individuals that they send personal information outside Canada for processing or storage. They suggested organizations should advise their customers in advance that they do not have the right to opt out of having their personal information processed by a third-party service provider.
- An association and a credit-granting organization argued any restrictions to transborder data flows could hinder Canada’s competitiveness in the global economy.
- Some commentators, including consumer and privacy advocates, would like to see some change in this area.
- An information management association and a professional association argued that organizations involved in transborder flows of data outside Canada should be required to include appropriate safeguards and requirements in all contracts. This association argued that these contracts should include a requirement for a Canadian company to inspect and audit the third party’s information management practices and prohibit the party receiving the information from using or disclosing it except as the law of the foreign jurisdiction requires.
- An individual argued that PIPEDA should be amended to make clear that an organization is responsible for breaches of the Act by the organization’s agents or contractees.
- Two consumer advocacy organizations and a privacy commentator argued that the Privacy Commissioner could establish, under Principle 4.1.3, specific requirements to be included in contracts for outsourcing. One of these consumer advocacy organizations supported all five of the options identified in the discussion paper. In addition to these measures, it recommended emulating the approach in Quebec’s private sector privacy legislation, which states that a business cannot transfer personal information to a third party outside Quebec if it believes the information will not benefit from protections similar to those afforded under the Quebec law. This consumer advocacy organization also argued that guidance established for the protection of personal information subject to transborder data flows should be incorporated into law.
- Another consumer advocacy organization stated that PIPEDA should be amended to explicitly protect individuals from excessive personal information disclosures and other inappropriate practices. This organization suggested making all exceptions to the general rule of consent subject to a reasonableness requirement. It also argued that the Act should be amended to make it clear that sections 7(3)(c.1) and (d) apply only to Canadian government institutions, not to foreign government institutions. It further proposed PIPEDA could be amended to include an explicit prohibition on disclosures to foreign governments, with significant penalties for non-compliance. As well, this consumer advocacy organization argued PIPEDA could be amended to include an EU-type provision prohibiting disclosures to foreign countries with inadequate data protection regimes.
- However, an individual commented that it is unlikely Canada would unilaterally impose personal information protection standards on transborder flows, which are, by and large, destined for the US.
- A privacy commentator also expressed support for expanding the scope of Principle 4.1.3 to make it apply not only to information “transferred to a third party for processing,” but also to collection and use of personal information by a third party on behalf of an organization. The privacy commentator argued that, while it can be imputed that “transfer for processing” is intended to cover situations such as data collection outsourcing, the law should clearly state so. He noted that the Alberta PIPA has addressed this point by holding an organization responsible whenever it engages an agent.
- An individual noted that the best hopes of protecting Canadian personal information abroad lie in international cooperation, ultimately resulting in international frameworks such as bilateral and multilateral treaties. This individual also noted that transborder flows serve as another example of why PIPEDA should move away from the notion of blanket consent and towards a requirement of consent prior to first disclosure for a particular purpose. He argued that individuals would then be able to object to a particular purpose while overall allowing the organization the continued use and disclosure of their personal information.
- For a variety of reasons, some commentators did not support transferring custodial responsibilities to third party processors – for example, requiring third-party processors to give individuals access to their personal information.
OPC’s Comments on Transborder Flows of Personal Information
The OPC believes that this issue can best be addressed by additional guidance rather than through changes to PIPEDA, as it is important to retain flexibility. The legislation already contains an Accountability Principle and the Treasury Board has issued guidance (Footnote 5) on contracting out.
The Privacy Commissioner is also chairing a Working Group of the Organization for Economic Co-operation and Development (OECD) Working Party on Information Security and Privacy to address the cross-border challenges to effective enforcement of privacy laws, and headway is being made on this issue.
In addition to our work with the OECD, the OPC is also involved with the Asia-Pacific Economic Cooperation (APEC) countries. The APEC countries commissioned a Data Privacy Subgroup to develop an Information Privacy Framework. The Framework has been adopted by APEC Ministers and the Assistant Commissioner responsible for PIPEDA has participated in several of the privacy initiatives.
Background and Questions from the OPC Discussion Paper on Sharing Information with Other Data Protection Authorities
In general, PIPEDA requires the Commissioner to treat as confidential any information that is obtained in the exercise of the Commissioner’s powers. The Commissioner may publicize the information practices of an organization if the Commissioner considers it in the public interest to do so. As well, the Commissioner may disclose information in the course of a prosecution of certain offences or a hearing or appeal before the Federal Court.
Section 23 of PIPEDA permits the Commissioner to consult with any person whose powers and duties under substantially similar provincial legislation are like those of the Commissioner. The Commissioner can enter agreements with counterparts in provinces with substantially similar legislation to coordinate the activities of their respective offices for handling any complaint in which they are mutually interested. In practice, this means, for example, that the Commissioner can share information and cooperate in investigations of mutual interest with counterparts in Ontario (only with respect to Ontario health information custodians), Alberta, British Columbia and Quebec. However, there is no specific authority for the Commissioner to share information and cooperate in investigations with other provinces.
In addition, complaints do not always fit neatly within Canada’s national borders. Some may argue that the growing importance of transborder data flows – for processing purposes, to facilitate e-commerce, for law enforcement and national security purposes, or simply as a result of people going about their daily lives – highlights the need for information sharing and cooperation in investigations with organizations outside Canada. While PIPEDA allows the Commissioner to share information and cooperate in investigations with certain provincial counterparts, there is no specific authority to do so with other jurisdictions. Canadians might have greater comfort with transborder data flows, for example, if there were a mechanism for the Commissioner to enter arrangements with oversight bodies in other jurisdictions to facilitate the exchange of information, which might in turn lead to more effective enforcement. The Commissioner might also be given the power to assist in investigations and audits in foreign jurisdictions.
Questions posed by OPC:
- Should PIPEDA be amended to explicitly permit the Privacy Commissioner to share information and cooperate in investigations with counterparts in other countries and with provincial counterparts in provinces that do not have “substantially similar” legislation?
- Are there other organizations with which the Commissioner should be able to share information and cooperate?
Respondents’ Comments on Sharing Information with Other Data Protection Authorities
- An association stated that there may be times when it will be mutually beneficial for the Privacy Commissioner and other data protection or privacy authorities to be able to share information and cooperate in investigations, but many safeguards must be put in place before amending PIPEDA to permit this sharing.
- A financial organization, a credit-granting organization, a consumer advocacy organization and a privacy commentator argued that PIPEDA should be amended to permit the OPC to share information and cooperate in the investigations of counterparts in other jurisdictions. This privacy commentator and another consumer advocacy organization pointed out there is an increasing overlap between public sector and private sector activity across Canada and it may be important for the Commissioner to be able to consult with provincial counterparts who oversee public sector laws only, such as health-specific legislation. The privacy commentator noted, however, that where an “interested party” has requested consultation and that interested party is an individual, no consultation process should take place that would involve sharing personally identifiable information without the express consent of the individual.
- An individual encouraged the Privacy Commissioner to take a leading role internationally in working towards some form of global personal information protection framework because such a framework would be a logical extension of the current jurisdictional regimes. This individual argued the Privacy Commissioner should be able to consult “any person” to ensure the protection of personal information, both within and outside of Canada.
- An organization cautioned that the existing system of candid and transparent cooperation could be jeopardized if PIPEDA were amended to allow the Commissioner to share information and cooperate with organizations other than its counterparts in other jurisdictions.
- Another organization said it would be concerned if the Privacy Commissioner would exchange information with counterparts in other countries without a similarly strong privacy regime.
- Two associations argued the OPC does not need a new, specific authority to consult other privacy oversight offices, as long as the Commissioner has the consent of the complainant.
OPC’s Comments on Sharing Information with Other Data Protection Authorities
The OPC would like to have specific authority in this area to give it increased flexibility.
Those who responded to the PIPEDA discussion document raised a wide variety of other issues. The following are among them.
- A professional association recommended adding or revising several definitions (“commercial activity,” “personal information,” “collect,” “use,” “disclose,” “identifiable,” and “government institution”).
- A consumer advocacy group argued PIPEDA should distinguish between express, implied, and opt-out consent, and that PIPEDA should use the approach taken in the Alberta and B.C. PIPAs.
- Two associations and an organization wanted “business contact information” to be broadened to include all forms of business communications technology, such as business email, business faxes, and any other future means for transmitting business information. Another association asked that an individual’s business email address be excluded from the definition of personal information.
- A professional association wanted “business or professional information” excluded from the definition.
Personal Information of Minors
- A consumer advocacy group noted that PIPEDA is silent on the treatment of the personal information of minors.
Sharing Information within Corporate Groups
- An organization and an association stated that multiple separate affiliated companies and subsidiary companies often operate as one unit under a single management team, and are treated as one unit under certain regulatory requirements. They argued that the requirement under the current PIPEDA regime not to share information among different parts of the corporate group is problematic, and that the Act should be amended to facilitate sharing among families of companies.
Exceptions Relating to Litigation
- A professional association argued that PIPEDA should be neutral in regard to the litigation process by specifically excluding personal information collected, used or disclosed in relation to litigation. It argued that the current exceptions relating to litigation are too narrow and should, at a minimum, be broadened to ensure that well-established litigation procedures are not impeded.
Separating Knowledge and Consent
- A consumer advocacy organization argued the “knowledge and consent” provision set out in Principle 4.3.2 combines two important concepts that warrant separate attention in the statute: notice and consent. There should be a requirement for notice even where consent is not required, such as in the case of disclosures for the purposes of collecting a debt and disclosures in response to subpoenas. As such, all exceptions in Section 7 should include a notice requirement unless inappropriate or impracticable.
Condition of Service
- An individual, a consumer advocacy organization and a privacy commentator suggested that an individual should not have to consent “beyond that which is necessary to provide the product or service” and that PIPEDA should incorporate the Alberta model relating to consent in this situation.
Right of Access
- Some associations raised concerns about the individual’s right of access. They suggested that PIPEDA should be amended to give organizations the discretion to refuse a request for access if the information was collected as part of an investigation, a real or anticipated legal proceeding or if the request is considered trivial.
- Another association suggested PIPEDA should provide organizations with the discretion to deny access to applicants where the request is abusive.
- Two associations argued that “substantive access” to the information should be sufficient, so that organizations are not compelled to incur substantial costs to comply with an access request where it would not enhance disclosure to the individual.
- An organization argued that organizations should be able to charge more than a nominal fee for providing access. It wanted a fee schedule developed under PIPEDA.
Exhausting Internal Complaint Mechanisms
- An organization proposed amending PIPEDA to require employees and customers to exhaust internal complaint processes before resorting to a complaint to the OPC. This would prevent a complainant using the threat of a complaint as leverage or as a retaliatory mechanism against organizations.
Administering Estates of Deceased Persons
- An individual argued that PIPEDA impedes those administering the estate of a deceased person from obtaining financial information relating to the estate.
No Withdrawal of Consent for Credit Reporting
- An organization argued that an individual should not be able to withdraw consent to the holding of information on a credit file once it reaches a reporting agency, as in the B.C. legislation.
Opting Out of Phone Call Recordings
- An individual wanted consumers to be allowed to opt out of having their phone calls recorded by companies "for quality purposes," arguing that trainees without the requisite security clearance or "need to know" might be given access to the tapes.
Regulate Use of Identification Numbers
- An individual wanted PIPEDA to specifically regulate organizations’ use of the Social Insurance Number and other identification numbers, such as those on drivers’ licences and health cards.
- Some associations would like PIPEDA to be amended to allow an organization attempting to collect on a debt to obtain additional information about the borrower’s current address or the location of goods pledged as security for a loan, and to use all information available to collect an outstanding debt. They supported the approach to this issue taken in the Alberta and B.C. laws.
- Another association suggested the Act be amended to expand “collecting a debt” to also include “enforcing an obligation” owed by the individual. The association argued this change is needed to allow for the enforcement of obligations that may not be classified as debts.
- An association wanted a provision in PIPEDA, similar to that found in the Alberta PIPA, to recognize that organizations must disclose information for protecting against, preventing, detecting or suppressing fraud, market manipulation or unfair trading practices.
- An information management association argued for giving greater powers to the Privacy Commissioner to audit business practices.
Requirement for Information Destruction Policy
- An association recommended requiring organizations to develop an information and document destruction policy to share with employees.
Standing in Complaints
- A consumer advocacy organization recommended that PIPEDA should continue to allow complaints by “watchdogs,” even if they may not have a direct stake in the alleged breach.
- An organization argued that it should have standing and be able to seek recourse independent of its members. Several associations wanted PIPEDA to grant them standing as well.
- An individual argued that proceedings under PIPEDA in Federal Court should be identified by docket number only, not by the complainant’s name. The court file in PIPEDA proceedings should be automatically sealed (with only the parties having access), and all hearings should be in camera unless the complainant consents otherwise.
- Another individual suggested that it would be preferable for the Federal Court to review the Commissioner’s findings, and not hear the complaints de novo, to ease the burden on the judicial system.
- Another individual argued that the proceedings in Federal Court should rely on oral testimony by witnesses because affidavit evidence is difficult for unrepresented lay litigants to draft.
- An individual argued that, where complaints are significant and raise substantial issues, a fund should be established to assist individual complainants with applications to the Federal Court.
- Another individual argued that PIPEDA should prevent costs being awarded against an individual on a PIPEDA application unless the individual proceeded on an unreasonable basis.
Fines and Damages
- A consumer advocacy organization argued that the oversight body for PIPEDA should have the power to order punitive as well as compensatory damages.
- An individual argued that PIPEDA should establish a system of fines to help ensure compliance.
- Some consumer advocacy organizations wanted the ability to launch class actions related to violations of PIPEDA.