In the first half of 2017, the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (ETHI) undertook a study of Canada’s private sector privacy legislation PIPEDA.
PIPEDA, or The Personal Information Protection and Electronic Documents Act, was enacted in 2001 and has not been significantly overhauled since it was introduced. Indeed, the most significant amendment to PIPEDA was passed in 2015 but has yet to come into force: the requirement for organizations to notify individuals and report to the Office of the Privacy Commissioner of Canada (OPC) breaches of personal information that pose a real risk of significant harm to individuals. The enabling regulations regarding mandatory breach reporting are not expected to be introduced until late 2017 or 2018.
Despite not having implemented all the 2015 amendments, Parliament is once again reviewing PIPEDA. In the spring of 2017, the House of Commons ETHI Committee received written submissions and oral deputations by several experts in Canadian privacy law. Many of the submissions focused on the opportunities and challenges of new technology: the concept of meaningful consent to the handling of personal information in the digital age, protection of minors and other vulnerable groups on the internet, and whether PIPEDA must be amended to be considered equivalent to the privacy protections offered by the forthcoming European Union General Data Protection Regulation.
In my appearance before the ETHI Committee, I highlighted two issues most in need of review in order to balance individuals’ rights to control their personal information with their expectations that the companies they do business with will serve their needs in innovative and cost effective ways.
1. Compliance Rulings
The most significant reform that could be made to PIPEDA in the current review is to permit organizations to request, and to empower the OPC to issue, advance compliance rulings before a new initiative is launched. This framework would allow organizations to voluntarily submit a new initiative that affects personal information—be it a new product, use of a new technology or a new service structure—and receive the OPC’s feedback on whether the design will comply with PIPEDA before launching the project and risking customer and regulatory dissatisfaction.
This authorization would require legislative amendment. The OPC’s powers as currently framed in PIPEDA are related to the conduct of investigations, audits, or compliance agreements where an organization may have contravened the Act. The power to issue advance rulings should not hinge on any grounds to believe the organization is in violation of its obligations—it must be proactive.
The power to issue advance compliance rulings would have four significant impacts:
- Better protect Canadians. The OPC and businesses would use resources to proactively protect Canadians rather than to investigate or penalize a compliance failure. Just as an ounce of prevention is worth a pound of cure, resources are better spent ensuring privacy law compliance before any individual’s personal information is put at risk and before significant resources are used to launch a new business initiative.
- Help more organizations. Through assessing new private sector initiatives, the OPC would gain better insight into new developments affecting personal information in the Canadian economy broadly, and more specifically in certain industries. This would allow the OPC to provide more practical, current and relevant guidance to organizations in various industries and share lessons learned with other organizations and individuals to promote privacy awareness.
- Increase certainty and reduce costs. An advance compliance ruling would lend organizations the Commissioner’s expertise in designing appropriate personal information protections in new initiatives. This would provide the company more certainty around compliance requirements and a fresh perspective on privacy implications without stifling innovation in the Canadian marketplace. Importantly, an advance compliance ruling would allow an organization to tweak a new project to mitigate privacy compliance risk before it launched.
- Improve risk assessment. The advance ruling option would encourage businesses to implement internal privacy impact assessment mechanisms, which would have a positive impact on compliance across organizations, beyond any one initiative submitted for review. In the public sector, the Treasury Board Secretariat requires government institutions subject to the Privacy Act to conduct Privacy Impact Assessments (PIAs) to measure the potential impact of a new initiative on an individual’s privacy rights. In order to seek an advance ruling, the OPC could require an organization to submit its internal privacy impact assessment of the initiative. This would further the spread of PIAs as standard practice in the private sector, leading to more consistent protection for an individual’s privacy rights and more consistent risk assessment and mitigation within organizations.
Importantly, if PIPEDA is amended to permit advance compliance rulings, the process should not be mandatory or binding for either party. The intent is to encourage voluntary dialogue between industry and the OPC to further the proactive protection of personal information.
2. Anonymization of Personal Information
The second area where PIPEDA reform would have a significant effect is to establish a threshold for when information becomes “anonymous,” such that it is no longer defined as personal information at law.
One of the essential features of PIPEDA is that it is technology neutral. As technology develops, new forms of information are being created, such as meta data and the results of data analytics. It is often challenging for organizations to determine whether the data they are creating or handling is personal information as defined in the Act. Canadian courts have previously considered a “serious possibility” that the individual could be identified as line between personal and anonymous information. The UK information commissioner has considered whether identification of an individual is “likely.” Certainty would be improved if PIPEDA, or the regulations to PIPEDA, codified the threshold for identifiable information and provided more detailed guidance on what steps may be taken to anonymize information such that it is no longer considered personal. This would not be a novel concept internationally—the US Health Information Portability and Accountability Act provides guidance on two means by which personal information may be de-identified.
The need for an anonymization threshold is linked to the need for advance compliance rulings. If the OPC is given the authority to provide advance compliance rulings, organizations could test their assessments of whether information is so unlikely to be associated with an individual that it is taken outside the scope of PIPEDA before finalizing program designs. If they are wrong, safeguards can be put in place before any information is at risk. This is consistent with the OPC’s mandate to protect and promote privacy rights, and could significantly mitigate a company’s risk and liability in using data analytics and other technologies to gain insights based on aggregate information.
In addition, a standard for de-identified information is relevant to the right to have personal information destroyed. PIPEDA contemplates that information should be destroyed, erased, or made anonymous when no longer required. The Act also contemplates an organization may be required to delete or amend personal information upon request. As technology develops and the storage of information continues to become more de-centralized and, in some cases, intentionally immutable, it is often impossible to permanently destroy all copies of all records that may contain personal information, especially where the definition of personal information may change with the context of who has access to it and what other information may be available at the time. In those cases, the ability to make personal information anonymous as an alternative to destruction is particularly important.
The value of this existing legislative framework is that it is technology neutral. An individual’s privacy rights can be protected even where the technology used to store personal information does not permit permanent deletion by employing anonymization techniques. However, when navigating the sea of technological and legal mechanisms for de-identifying personal information, organizations and regulators would benefit from a statutory threshold governing when data is no longer personal information at law and concrete parameters for converting such data.
Complex issues like activism and technology are bidding for your organization’s attention. Understanding them can help you stay focused in this active market.