Privacy Commissioner of Canada argues for rights-based privacy laws in Annual Report

The Privacy Commissioner of Canada, Daniel Therrien (the “Commissioner”), tabled his 2018-2019 Annual Report in Parliament on December 10, 2019 (the “Report”). In the Report, the Commissioner provides a review of his office’s activity under both the Privacy Act[1] and the Personal Information Protection and Electronic Documents Act (“PIPEDA”),[2] as well as a summary of privacy-related court cases and parliamentary activity. The Commissioner also recommends various privacy law reforms, including making consent more meaningful, requiring organizations and government institutions to demonstrate their accountability, and requiring a necessity and proportionality standard for collecting personal information.

In this note, we focus on one aspect of the Report: the Commissioner’s argument that federal privacy laws should explicitly recognize privacy as a human right and give greater priority to individual privacy rights.

Part of the reason for the Commissioner’s recommended reforms is his belief that Canadian privacy laws have not kept pace with technology and the new digital reality. In particular, he notes that technological changes have resulted in business models that rely on personal information, and in businesses and government institutions collecting information without fully understanding the associated risks. A rights-based approach would bring Canadian privacy laws closer to the European Union’s General Data Protection Regulation (“GDPR”), which the Commissioner cites with general approval as an example of rights-based legislation.

The Commissioner proposes that Parliament enact rights-based privacy legislation which includes the following parts:

1. Define the right to privacy broadly (e.g., “freedom from surveillance, without justification”) and recognize the quasi-constitutional nature of privacy laws.

The Commissioner argues that a rights-based approach to privacy should recognize the quasi-constitutional status of a right to privacy. This recognition along with a broad definition of privacy would form the basis for a set of laws whose purpose is to protect the freedom of individuals to live and develop in a modern society without fear of unjustified surveillance by state or commercial entities.

In the Commissioner’s view, this is consistent with the Supreme Court of Canada’s recent privacy-related decisions that recognize the fundamental importance of privacy in a free and democratic society. For example, in R. v. Spencer, the Court recognized the concept of privacy as anonymity, which ostensibly facilitates the freedom to act while preserving freedom from identification and surveillance.[3] In R. v. Jones,[4] the Court affirmed that personal privacy is important to individual dignity, autonomy, and personal growth, and stated that protecting personal privacy is critical to a free and healthy democracy. Most recently, the Court in R. v. Jarvis held that an expectation of privacy is not necessarily unreasonable because an individual is in a public place.[5] The Commissioner argues that these cases and changes in the laws of other jurisdictions show that federal privacy law has fallen behind in protecting the privacy rights of Canadians.

2. Draft the law by including specific rights and obligations.

The Commissioner notes that current federal privacy laws are primarily data protection statutes as opposed to laws that protect the privacy rights of individuals. The Commissioner suggests that privacy laws should remain technology-neutral and maintain a set of principles so that the laws can endure over time in the face of technological change. However, he argues that although PIPEDA contains important principles like consent, access, and transparency, principles alone are not sufficient to adequately protect individual privacy rights. Therefore, the Commissioner argues for the addition of specific rights and obligations. He does not specify how individual privacy rights should interact with privacy principles, although this may be partly addressed through a division of enforcement between the Commissioner and individuals (as discussed below). In the Commissioner’s view, rights-based laws would increase trust in both government and the digital practices of companies. They would also encourage responsible innovation, which may help both the private and public sectors maintain competitiveness internationally as privacy laws continue to evolve in other jurisdictions.

As an example of an individual privacy right, the Commissioner apparently supports in general terms “the right to be forgotten”, which has been recognized in the EU. In the Draft Position on Online Reputation, the Commissioner argues in support of the right for individuals to ask search engines to de-index web pages or to have information taken down at the source in some circumstances (e.g., when the pages contain inaccurate, incomplete, or outdated information).[6] Other examples of individual privacy rights include data portability and algorithmic transparency or explanation.

3. Increase enforcement mechanisms.

The Commissioner argues that his office needs significantly greater powers in order to increase compliance by organizations. Under PIPEDA, the Commissioner cannot issue orders against organizations and must bring an action in Federal Court, and only in respect of complaints that the Commissioner did not initiate.[7] In the Commissioner’s view, this allows companies to stall and ignore any recommendations and findings of the Commissioner until the issue is litigated in Federal Court. Therefore, his argument is that additional enforcement powers would enable quick and effective remedies to ensure greater compliance. The new powers would include the ability to conduct proactive inspections, and to issue binding orders and fines (subject to judicial review). In addition, the Commissioner proposes giving a public authority (the Commissioner or another public body) the power to issue binding guidance under PIPEDA. This would help translate some of the existing principles into practical requirements that would be easier to enforce. The Commissioner also argues that individuals should have an independent right of action in court for violation of their privacy rights. It is not entirely clear from the Report whether a right of action would also include non-compliance with privacy laws in general. It is possible that under such a scheme, non-compliance that does not violate an individual privacy right would be left to the Commissioner to enforce.

The potential impact of the proposed reforms

While these are only proposed reforms, it is important to consider their potential impact should some of them eventually become law.[8] In particular, the recommended enforcement mechanisms could present the most significant change for industry and government, and in turn the protection of the privacy of individuals. As mentioned, giving the Commissioner the power to issue orders and fines would significantly decrease the time between a violation and a consequence for organizations. Additionally, under PIPEDA, an individual is only able to pursue an action in Federal Court after they receive a Commissioner’s report (or notification that the investigation of the complaint has been discontinued – the Commissioner must produce a report within one year after a complaint is filed).[9] Allowing individuals to pursue court actions without Commissioner involvement for violation of privacy rights theoretically increases liability exposure for industry and government. This is particularly true if class proceedings are expressly permitted.

There is no mention in the Report as to whether class actions should be part of an independent right of action. However, given the Commissioner’s views on the importance of enforcement mechanisms and consequences for privacy violations, it is probable that he would support the right to class proceedings. A recent class proceeding in Ontario suggests that an independent right of action may lead to class actions regardless of whether legislation expressly permits them. In that case, a class action was brought in Federal Court (after the representative plaintiff received a report from the Commissioner) claiming damages for, among other things, breaches of PIPEDA.[10] The defendants argued that the Federal Court did not have jurisdiction to certify a class proceeding under PIPEDA, and that the statute only allowed for individual actions.[11] The parties ultimately settled, leaving these issues unresolved. The Ontario Superior Court of Justice certified the class and approved the settlement agreement on the basis of breach of contract. The contract contained a standard form privacy section which stated that the defendants would “act as required or authorized by law” in the collection, use, and disclosure of Class Members’ personal information, and this implicitly included complying with PIPEDA.[12] It is possible, although this is an emerging area of law, that an independent right of action could lead to class actions through breach of contract.

The Commissioner’s disagreement with the federal government

It remains to be seen whether Parliament will adopt any of the Commissioner’s recommendations, particularly the enforcement mechanisms. It is important to note that some of the recommendations conflict with the federal government’s Digital Charter and associated proposals. The Commissioner objects to the proposed limited order-making powers that would be granted to his office as well as the proposed requirement that he refer matters to the Attorney General for further investigation (i.e., the Commissioner would have to convince the Attorney General to eventually bring an action in court). The Commissioner argues that this is inefficient and would result in delays in the enforcement of rights. The Commissioner uses his office’s recent investigation of Facebook in respect of the Cambridge Analytica scandal as an example of a company ignoring recommendations, thereby forcing the Commissioner to pursue an action in Federal Court (i.e., delaying the outcome until a court comes to the same conclusion as the Commissioner). As mentioned above, the Commissioner asserts that he needs the power to issue orders and fines directly to companies in order to increase compliance.

Regardless of the extent to which the federal government and the Commissioner disagree on how privacy laws should change, the status quo may not be sustainable. As the Commissioner noted in his 2017-2018 Annual Report, Canada’s “adequacy status” with the European Union, which allows data to flow freely between the EU and Canada, may necessitate legislative changes now that the GDPR is in force. Decisions regarding whether a country’s privacy laws protect European citizens sufficiently in comparison to EU laws (i.e., adequacy status) must be reviewed by the European Commission at least every four years.[13]

___________________

[1] R.S.C. 1985, c P-21.

[2] S.C. 2000, c. 5.

[3] 2014 SCC 43.

[4] 2017 SCC 60.

[5] 2019 SCC 10.

[6] In the Draft Position on Online Reputation, the Commissioner argues that these two rights already exist under PIPEDA as it is currently constructed. However, this is a source of ongoing debate. Of note, the Commissioner brought a reference to the Federal Court seeking clarity in respect of whether PIPEDA applies to Google’s search engine service. This issue is related to a complaint that was made to the Commissioner against Google requesting certain web pages be de-indexed from search results of the complainant’s name. However, this reference is unlikely to resolve the issue of whether the right to request Google to de-index exists under PIPEDA at all. In the Report, the Commissioner argues that Parliament should consider the right to be forgotten and other privacy rights rather than wait for these issues to work their way through the courts.

[7] PIPEDA, supra note 1, s. 15.

[8] Although beyond the scope of this note, significant privacy law reforms could also affect constitutional privacy rights under section 8 of the Charter.

[9] PIPEDA, supra note 1, ss. 13–14.

[10] Haikola v. The Personal Insurance Company, 2019 ONSC 5982.

[11] Ibid at para 17.

[12] Ibid at paras 56–58.

[13] Regulation (EU) 2016/679 (April 27, 2016), Art. 45 “Transfers on the basis of an adequacy decision”.

Authors

Subscribe

Stay Connected

Get the latest posts from this blog

Please enter a valid email address