With 10 years of experience as Privacy Commissioner of Canada behind her, and her term reaching its end, Jennifer Stoddart has released a report titled "The Case for Reforming the Personal Information Protection and Electronic Documents Act" which describes how to modernize Canada's private-sector privacy legislation to ensure it is able to meet the current and future challenges of the digital age and protect Canadians’ right to privacy.
The Personal Information Protection and Electronic Documents Act (PIPEDA) came into force in stages between January 1, 2001 and January 1, 2004. The purpose of PIPEDA is to balance individuals’ privacy rights with the need of organizations to collect, use or disclose personal information for reasonable and appropriate purposes. It set the ground rules for the management of personal information in the private sector while organizations conduct electronic commerce and compete in the global digital economy.
However, when PIPEDA was enacted, social media as we know it (e.g., Facebook, Twitter, Google+, YouTube, blogging, etc.) was in its infancy. At that time, there were instant messaging, online discussion forums, dating sites, “newsgroups” where users post articles or other material of interest, and group sites such as Google and Yahoo! Groups, which were the precursors of social networking.
In addition, cellphones were not “smart” as they are now. They were not, as the report says, “ubiquitous, nor were they used to surf the web, play games, or reveal location.”
In a speech at the International Association of Privacy Professionals’ Canada Privacy Symposium 2013, Stoddart said:
The world of privacy has changed, and Canada’s laws need to keep up.…
Personal information has been called the oil of the digital economy, and as companies drill for more data, the risks to privacy are growing exponentially. They have grown into data giants, quasi-monopolies that have the ability to glean deep personal insights.”
The 2000s saw huge developments in the ways people communicate and share information: social networking and social media, smartphones and mobility, and the Web 2.0 have become increasingly popular among Canadian Internet users. These technologies and applications allow users to communicate, share, request, store and access personal information online in ways not previously imagined. However, privacy laws have not kept up with the changes, and using PIPEDA to enforce privacy law in this realm is raising complex new challenges.
One such challenge is “big data.” To illustrate, the report indicates:
Many people live much of their lives online. According to some estimates, Canadians lead the world in Internet use, averaging 43.5 hours a month, twice the world average.
When we browse online, conduct searches, communicate with our friends or download music, we create data trails that reveal a great deal about who we are—our interests, our habits, our opinions—and in many cases even where we are.
We now live in what is being called the era of ‘big data.’ According to IBM, we are globally creating 2.5 quintillion bytes daily (which is approximately equivalent to 57.5 billion 32 GB iPads). Ninety percent of the data that exists in the world today has been created in the last two years.
Personal information is central to the global digital economy. Some organizations that amass vast amounts of Canadians’ personal information have grown into data giants, quasi-monopolies that have the ability to glean deep insight into the interests, habits and opinions of individual Internet users. Some of the largest companies boast customers or users in the hundreds of millions." (Emphasis added)
The goal of having such large amounts of personal information on so many users is to turn a profit from their services. The unfortunate consequence is that several organizations are playing fast and loose with personal information, and the office of the commissioner has no enforcement power to ensure compliance. According to Stoddart, “security lapses are leaving personal information vulnerable to loss or theft.”
The goal of the law has been to encourage compliance (through negotiations and mediations) but not make it mandatory. The office of the commissioner has no order-making power to enforce the law. In addition, PIPEDA has no mandatory data breach notification requirements which would inform the commissioner’s office when a breach occurred so that it could investigate and address data protection issues.
The commissioner is not asking that specific technologies be expressly included in the law; she wants PIPEDA to remain technology-neutral and principles-based. But she is calling for amendments to PIPEDA that would include stronger enforcement powers, mandatory data breach reporting, teeth behind accountability and increased transparency measures, as follows:
- Stronger enforcement powers. Institute statutory damages administered by the Federal Court, give the commissioner the power to make orders or impose administrative monetary penalties, or implement a combination of the above
- Reporting requirements. Require organizations to report breaches of personal information to the commissioner and to notify affected individuals, where warranted, so that appropriate mitigating measures can be taken in a timely manner
- Disclosure requirements. Require organizations to publicly report on the number of disclosures they make to law enforcement agencies under paragraph 7(3)(c.1), without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception
- Enhance accountability. Modify the accountability principle in Schedule 1 to include a requirement for organizations to demonstrate accountability upon request, to incorporate the concept of “enforceable agreements,” and to make certain accountability provisions subject to review by the Federal Court
These recommendations are realistic and have been implemented already under similar privacy legislation in Quebec, Alberta and British Columbia.
Stoddart's term as privacy commissioner is ending in December, so she likely won’t be in the same position to advocate for her recommendations. There can be no doubt that private organizations are using personal information today in a multitude of ways not envisioned by the authors of PIPEDA. These uses of personal information are often obscure to the subjects of the information, and many organizations have made only cursory efforts to make their practices more transparent. At the same time, individual interest in maintaining privacy has increased, and users are seeking greater accountability among organizations that collect and use their personal information.
To continue to achieve the aims of PIPEDA, then, the Act could use updating to compel organizations to comply and give the privacy commissioner greater authority. For the moment, we can hope that the government is listening.