Priorities, proactive compliance and PIPEDA – an overview
Remarks to the Canadian Bar Association Privacy and Access Law Section
October 1, 2015
Address by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
I am sure you all know my colleague Patricia Kosseim, the OPC’s senior general counsel, and I would like to introduce you to a new member of her team, Julia Barss, our director of legal services. We would all be pleased to answer any questions you might have at the end of my presentation.
You have been quite specific about what you would like me to talk about here today and so these are the issues I will address: our new strategic priorities, our proactive compliance work and how we plan to implement changes to PIPEDA under Bill S-4.
Before I jump in, I would just like to say a word about the relationship between the OPC and the Canadian Bar Association (CBA).
Over the years, we have shared a similar position on a number of issues.
On Bill C-51, we expressed many of the same concerns about expanded information sharing powers under the new Security of Canada Information Sharing Act and the lack of independent oversight.
On Privacy Act reform, the CBA championed our call for the power to decline to investigate in certain circumstances in order to streamline the complaints process and make it more efficient.
And with respect to our recent priority setting exercise, the CBA participated graciously in our stakeholder discussions, providing helpful advice on our approach and insights into some of the specific issues up for debate.
My leadership style is one that favours collaboration and consultation, and I am looking forward to a close and fruitful relationship with the CBA in the future as we move forward on our priorities and other matters of mutual interest.
As members of the privacy law community, I also understand that you have generally enjoyed frank and open discussions with my predecessors.
This open relationship is one I would like to maintain.
Your clients are the ones on the ground trying to implement the guidance we produce and comply with the legislation we enforce.
You are well positioned to remind us of the practical realities businesses face and I value the feedback you can provide from your unique vantage point.
On that note, let us delve into the privacy priorities. The goal of this exercise was to identify the key privacy issues that are most significantly affecting Canadians in order to increase the overall control they have over their personal information.
Following extensive discussion with public and private sector stakeholders, academia, civil society organizations, consumer groups and the public, we decided to adopt four priorities, in addition to five strategies to implement them.
As some of you were part of those discussions, some of this might be familiar.
The first priority identified is the economics of personal information, which refers to the commoditization of personal information and the new business models being developed around the use of big data, the Internet of things and mobile technologies.
The second is government surveillance. As you know, I have taken a firm position on Bill C-51, the recently-passed Anti-terrorism Act, and will be closely monitoring its implementation.
Our third area of focus is reputation and privacy, which refers to the reputational harm that may result from the pervasiveness and persistence of personal information online.
Finally, we will concentrate on the body as information, a reference to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.
Our plan is to focus our activities around five cross-cutting strategies:
- Exploring innovative and technological ways to protect privacy;
- Enhancing accountability and promoting good privacy governance;
- Taking into consideration the fact that privacy knows no borders;
- Enhancing our public education role; and
- Paying special attention to vulnerable groups.
Let me now describe some of the activities we will undertake under our priorities exercise.
Economics of Personal Information
One important activity has to do with the consent model which largely falls under our economics of personal information priority.
We intend to examine the practical challenges associated with the consent model, many of which were identified during our discussions with stakeholders and the public.
Individuals we spoke with expressed concern about not having enough control over their online information.
Some felt the power relationship between individuals and organizations was skewed in favour of industry, that consent is often meaningless and that more regulation is needed.
Some stakeholders questioned the efficacy and suitability of PIPEDA’s consent model in the context of big data, the Internet of Things, and the mobile environment.
We, of course, heard concerns about poorly written privacy policies.
We also heard that it is increasingly difficult to identify specific purposes for the collection of personal information at the time it is being collected.
While some argued organizations should not collect personal information where no specific use exists, others expressed concern that this approach could impede innovation.
In the short term – that is next spring – we will produce a discussion paper outlining the various challenges associated with the current consent model.
We will explore potential solutions, such as industry codes and other forms of self-regulation; greater accountability, which some suggest would place responsibility more on those who are able to assess risk; and enhanced regulation, including the definition of no-go zones where personal information should always be protected.
We will consider solutions that seek to minimize risk, legislative options, educational opportunities and technical or other practical ways to improve upon the current consent model.
We will also try to clarify the roles of individuals, organizations, regulators and legislators and we will open all this to debate with stakeholders.
I certainly look forward to your input at this stage.
In the medium term, we will identify what improvements could be made to enhance the current model, we will apply the solutions that are within our jurisdiction and, where appropriate, we will recommend legislative changes.
On government surveillance, much of our effort will be spent monitoring the implementation of Bill C-51, recognizing that we are in the middle of a federal election and that things could change depending on the outcome on October 19th.
Before Bill C-51 was introduced, I, along with provincial privacy commissioners, asked that an evidence-based approach be followed before new legislation extending the powers of national security agencies is adopted.
Once Bill C-51 was tabled, I raised concerns about the breadth of the new authorities and the lack of oversight.
Now that Bill C-51 is law, we will use our review and investigative powers, under s.37 of the Privacy Act, to examine the collection, use and disclosure practices of departments and agencies involved in surveillance activities.
Our goal will be two-fold: First, to ensure that these activities are conducted in a lawful manner. But also to inform the public as to how these new provisions will be used, whether the personal information of law-abiding citizens is at risk as feared, and to recommend legislative change if required, this time based on real evidence of the utility and proportionality of the new law.
Our work on government surveillance will also include efforts to increase transparency reporting. More on that when I address S-4 later in this presentation.
Reputation and privacy
Our third priority, reputation and privacy, will focus on the permanence of personal information on the Internet and the not always pretty digital trails people leave behind or become saddled with as a result of somebody else’s actions or attributions.
A key short-term initiative is to produce a discussion paper that will look at the challenges and risks to reputation in the online environment, reputation management and what recourse may be available to individuals, including an exploration of the right to be forgotten.
The document will include discussion questions for stakeholders, including those who raised concerns on this subject during our earlier discussions, to guide views on the right to be forgotten in a Canadian context as well as other new and innovative ways to protect and enhance reputational privacy.
In the end, we hope to develop a policy position on potential recourse mechanisms. We also hope to be able to contribute to possible technological solutions such as privacy by obscurity, anonymization or automatic deletion options.
The body as information
Finally, I will touch on our plans with respect to the body as information.
With the advent of wearable computers, tracking devices and smart technology, personal information has become more intimately sensitive than ever.
Individuals who purchase such devices should be well informed about what information is being collected, how it is being used and they should be able to choose upfront whether that data is disclosed and for what purposes.
A key task in the short term is to conduct an environmental scan of current and emerging health applications and digital health technologies, such as fitness apps and heart rate monitors.
We plan to test some of these new products in our own technology lab to better understand their privacy implications.
This initiative will support our medium term objective of developing guidelines for Canadian digital health technology companies, app developers and others on how to build privacy protections into new products and services while avoiding certain “no-go” zones.
Proactive work and PIPEDA
With respect to proactive compliance work and PIPEDA, I think it is important to reiterate that the role of the Office of the Privacy Commissioner of Canada is not simply a reactive one.
A good bit of our work is spent investigating complaints to our Office, but under PIPEDA, we also have a strong education and research mandate.
The purpose of much of our proactive work is to uncover systemic problems and to follow up with organizations and industry associations to provide guidance with the aim of fixing or mitigating those problems.
While it is true that these activities could result in formal investigations where necessary, more often they serve to open a dialogue with organizations that are generally quite receptive to our efforts.
We have found that through education and outreach, we can effect change without the need for costly and time-consuming formal investigations.
On that note, I would like to talk briefly about three proactive activities: the Privacy Sweep, our OBA research project and our address harvesting initiative.
As many of you know, the Privacy Sweep has become an annual initiative in which data protection authorities from around the world choose a theme and together assess privacy communications and controls related to that theme. This year’s theme was children’s privacy with respect to mobile applications and websites.
We found that the majority of websites and mobile applications assessed were collecting personal information from children and sharing it with third parties and that too many developers were collecting particularly sensitive personal information, such as photos, videos and the location of children, and often allowing it to be posted publicly.
There were many instances of children being redirected to other sites with varied privacy protection practices, often via an ad or contest icon that sometimes appeared to be part of the original site.
We also saw some innovative protective controls, such as pre-set usernames and avatars, moderated message/chat functions and parental dashboards; and we were encouraged to see that a number of quite popular sites targeted at children did not collect any personal information – thus demonstrating that it can be done.
As we have in the past, we will be writing to developers to share our concerns with the hope that they will make privacy-positive changes.
While too soon to report on the outcomes for this year as much of our Sweep follow-up work is ongoing, I can tell you that last year we issued 46 letters to the developers behind many of the mobile applications we swept.
The majority of the developers we wrote to responded favourably and our efforts ultimately resulted in commitments to make changes to the online privacy practices and communications of more than 130 apps.
Again, without the need for any formal investigations.
OBA research project
Another proactive initiative was our OBA research project released in June. It looked at online behavioural advertising by 46 popular, free websites frequented by Canadians and subject to PIPEDA.
It came roughly four years after our Office issued guidance for organizations involved in OBA and was, in some ways, an assessment of how those guidelines were being followed in practice.
I am pleased to report that we found many examples of good privacy practices related to online behavioural advertising.
For instance, the vast majority – more than 96 percent – of the targeted ads we saw provided some notice of OBA in the form of an icon, and opt-out options.
But we found there is still room for improvement.
In many instances, the procedures for opting out were overly complicated.
We were particularly disappointed to find sensitive information being used to target ads.
For example, our research found that online searches on sensitive topics such as pregnancy tests, divorce lawyers, depression and bankruptcy could lead to related ads appearing on the user’s computer screen.
These sensitive targeted ads were not accompanied by an option to provide opt-in consent as set out in our guidelines.
We shared our findings with advertising organizations generally, and more specifically, with the three identified as having used sensitive information without appropriate consent.
I am pleased to note that advertising associations have said they are taking the report seriously, they are finding the results useful and they are using them to help shape their future work.
We are, of course, continuing to follow up with these and other advertising organizations to ensure improvements are being made and I am hopeful that we will, again, see positive change.
Now I know some of you have asked specifically about our address harvesting project.
This project is an effort to get a lay of the land. We wanted to get a better sense of the work of data brokers, their marketplace, what products and services are being offered and the privacy issues involved.
Among other things, we wanted to know what personal information is being collected, used and disclosed by these companies – whether in their own right, on behalf of their clients or from e-mail list providers. We also wanted to know how email address lists are organized, how consent is obtained from the individuals on these lists and what connection certain companies have to Canada.
We are now following up with some questions for the organizations, and we are hopeful that we will be able to work with them to improve privacy practices.
Going forward, we will look at the results of this research and determine what steps may be necessary in terms of outreach or possible enforcement.
The Digital Privacy Act
One last area I would like to touch on is the Digital Privacy Act which ushered in a series of changes to PIPEDA after becoming law in June.
As you know, we welcomed many of the changes in the legislation.
A welcome change not yet in force, of course, is mandatory breach reporting and notification in relation to certain breaches of security safeguards. Like you, we at the OPC anxiously await the regulations.
Although we will be providing input based on our experience under the voluntary regime and the experience of other data protection authorities that operate under mandatory breach reporting rules, Industry Canada is responsible for drafting the regulations.
We are told these are in a holding pattern until after the election and the appointment of a Minister of Industry.
Until the new provisions related to breaches of security safeguards come into force, breach notification and reporting will remain voluntary. In the meantime, we urge organizations to report breaches to our Office and to notify affected customers where appropriate in accordance with our breach notification guidelines.
A few words on a new provision that allows my Office to enter into compliance agreements. This new tool provides us with another mechanism to ensure companies comply with the Act.
While voluntary, these are enforceable agreements, and we are hopeful that they will go a long way towards effecting compliance with PIPEDA without having to go to court.
I can tell you that we have not entered into any compliance agreements with companies just yet. However, we are keeping our eyes open for potential candidate cases.
I do remain concerned about two new paragraphs, 7(3)(d.1) and (d.2), that were introduced in the Digital Privacy Act. These provisions would allow any organization to disclose personal information to any other organization without consent in certain circumstances. Previously, organizations could only make such disclosures to a designated investigative body.
I remain concerned that these changes could lead to excessive disclosures.
I made my views known during my appearance before Committee where I proposed various amendments, including a requirement that organizations issue transparency reports documenting any disclosures.
These provisions are now law, but we expect them to be applied in a privacy sensitive way.
One final note on transparency: Industry Canada recently issued transparency reporting guidelines for companies, such as telecommunications service providers, that are frequently asked, if not ordered, to provide customer information to law enforcement agencies.
For years my Office has called for organizations to make public statistics on such requests and the need for transparency became even more evident in the wake of the Supreme Court of Canada’s landmark decision in the Spencer case.
Some telecommunication companies, though not all, had already begun issuing transparency reports before the guidelines came out.
I believe these guidelines will encourage others to do so, and more consistently. This will help Canadians better understand how often, and in what circumstances businesses turn over such information and I am pleased that we were able to work behind the scenes with Industry Canada to make these guidelines happen.
Canada needs a consistent reporting structure and standardized nomenclature for the various categories of personal information and disclosures to government. While legal obligations and regulations could impose such requirements, the reporting regime advanced by Industry Canada is a good first step and we expect to see widespread adoption and compliance.
We have also asked federal government departments to begin issuing their own transparency reports about requests they make to private sector organizations for customer information and remain hopeful that they will heed this call as well.
I hope this overview of our privacy priority initiatives, our proactive compliance activities and our next steps with respect to the implementation of the Digital Privacy Act has helped answer some of your questions.
I am sure you have many more questions, so without further ado, I would like to open up the floor.