Last week, the Office of the Privacy Commissioner (the “OPC”) released its 2017-2018 Annual Report (the “Report”). The Commissioner took the opportunity to raise serious concerns around the adequacy of Canadian privacy laws in the face of an increasingly digital world. He has identified several areas where deficiencies exist under the current privacy regime. In his view, these deficiencies need to be immediately addressed so that Canadians can take advantage of a digital world “without fear that their rights will be violated and their personal information will be used against them.”
Need for More Oversight
According to the Commissioner, the “time of self-regulation is over.” He believes that existing federal privacy laws are too permissive and give organizations wide latitude to use personal information in a manner that may not be appropriate.
The Commissioner suggests that, given the opaqueness of certain business models and the complexity of information flows, the OPC be given the power to inspect certain practices of organizations, even where no complaint has been filed. This is, in large part, because the average Canadian does not understand what information is being collected, how and where it is being stored and how it is being used. The concept underlying this approach is “trust but verify.” Simply put, assume organizations are meeting their legal obligations, but have the OPC verify their compliance with privacy laws.
Need for Legislative Reform, Now
Referencing the report issued by the Standing Committee on Access to Information, Privacy and Ethics in February of this year (titled “Toward Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act”), the Commissioner reiterated the need for his office to be granted additional enforcement powers. While the Minister of Innovation, Science and Economic Development has recognized that this is necessary, he has requested that it be part of a broader study on Canada’s digital and data strategy. According to the Commissioner, this approach is not acceptable since the study could take several years to complete, whereas these enforcement powers are needed now.
The Commissioner emphasizes that the changes required to Canada’s privacy laws cannot “wait several years until known deficiencies in privacy laws are fixed” and that changes should be implemented sooner rather than later. In the interim, the OPC has undertaken a number of initiatives in areas where it already has some control by way of issuing guidance documents. However, the Commissioner conceded in the Report that guidance documents are not binding and that the protection they offer to Canadians is, therefore, limited.
The Commissioner revisited the OPC’s recent organizational restructuring, which was announced in April 2018. The underlying rationale for the changes rests in a greater focus on pro-active compliance. Practically, it means that the OPC will target systemic, chronic or sector-specific privacy issues that are not being addressed under the OPC’s existing complaint system.
While the Commissioner has requested a “modest” increase in budget on an interim basis, he is also seeking a much more significant budget increase going forward in order to implement his pro-active and compliance-driven vision for the OPC.
Broadly speaking, the Commissioner’s “asks” are in line with how sophisticated international regulators currently operate in the areas of privacy and data protection. That said, the Report clearly signals a strong desire by the Commissioner to exercise his existing enforcement powers to the maximum extent permitted by law while he waits for more substantive legislative changes. It also signals that the OPC intends to be more pro-active and compliance-focused going forward. This approach is something of a break from the OPC’s historical modus operandi as a complaint-driven organization.
Organizations should review their existing compliance programs and privacy practices in light of the recent guidance documents issued by the OPC (e.g., Guidelines for obtaining meaningful consent, Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), Draft Guidelines on Breach Reporting).