Data Broker Regulation: Change on the Horizon?

by Dustin Moores

It is often said that the law lags technology. When it comes to the laws that govern data brokers in Canada, this statement could not be more true. Canada’s federal private sector privacy law has not seen a substantial revision since coming into force in 2001, with only modest amendments to the act having been made in 2004, 2005, and 2015. The proliferation of mobile internet, smartphones, social media, and near-infinite storage and processing power (all factors that have played pivotal roles in the data broker landscape) is not reflected in the current legislation. However, there is hope that significant updates to the law, the Personal Information Protection and Electronic Documents Act (PIPEDA), will finally come on the heels of the European Union’s General Data Protection Regulation (GDPR).

This post primarily discusses PIPEDA as it currently stands, while our next two posts discuss some of the law’s shortcomings with respect to data brokers and what changes we might expect to see in the not-too-distant future.

In Canada, data brokers are subject to private sector privacy legislation at both the federal and provincial levels. These laws govern how the private sector interacts with personal information (separate laws dictate government institutions’ relationship with the personal information of citizens).

At the federal level, PIPEDA applies to organizations that collect, use, and disclose personal information in the course of commercial activities. The Act defines personal information as “information about an identifiable individual” and commercial activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.” PIPEDA is enforced by the Privacy Commissioner of Canada.

Where a province has enacted privacy laws that are substantially similar to PIPEDA, data brokers are subject to those laws. This is currently the case in B.C., Alberta, and Québec. The provinces of Ontario, New Brunswick, and Newfoundland and Labrador have substantially similar laws to PIPEDA, but only regarding personal health information. In those provinces, brokers who handle personal health information must observe the provincial laws. However, PIPEDA still applies to interprovincial and international data flows and certain federally regulated industries (e.g. banking, telecommunications), even when substantially similar provincial laws exist.

Data brokers located outside of Canada do not necessarily escape PIPEDA or its provincial counterparts. Brokers are still subject to those laws where there is a real and substantial link to Canada (e.g. collecting, using, retaining, and disclosing personal information about Canadians).

What does it mean to say that data brokers are subject to these privacy laws? Regarding PIPEDA, it means that data brokers can only collect, use, or disclose personal information for “purposes that a reasonable person would consider are appropriate in the circumstances.” It also means that data brokers must follow the ten principles found in Schedule 1 to PIPEDA. These principles set out obligations and recommendations for how organizations handle personal information. Perhaps chief among these principles is the concept of consent.

PIPEDA is largely a consent-based regime. This means that with limited exceptions, brokers and other organizations must gain a person’s consent before collecting, using, or disclosing their personal information. However, if you are anything like most of us, you probably don’t recall the last time you gave a broker consent to do any of those things. This is because data brokers often gain consent through an intermediary such as a bank, wireless provider, or other service. For instance, when you enter into a wireless contract, you will often either expressly or impliedly consent to the wireless provider sharing information about your credit behaviour with credit bureaus, a form of data broker.

Some criticize PIPEDA for possessing only relatively weak enforcement mechanisms and for being somewhat reactive. The Privacy Commissioner has no order-making powers and is only authorized to receive and investigate complaints. That being said, the Commissioner may compel testimony and documentary evidence, or even enter the premises of an organization after satisfying certain conditions, in the course of an investigation.

In light of recent data breaches, technological advances over the last two decades, and the coming into force of the E.U.’s GDPR, many argue the time is nigh for significant amendments to PIPEDA and the granting of enforcement powers to the Privacy Commissioner. In early 2018, Parliament’s Standing Committee on Access to Information, Privacy and Ethics released a report in which it recommended 19 changes to PIPEDA, with a particular focus on the integration of “Privacy by Design” principles. Although the subject of data brokers was not directly addressed within the report, the recommended changes to PIPEDA will likely have a significant impact on the data broker industry. Our next two posts look at the law’s current shortcomings and what we can expect moving forward.