Change in the Air? ETHI’s PIPEDA Recommendations and More

by Dustin Moores

As mentioned in our two previous posts, PIPEDA, Canada’s private sector privacy law, is sorely out of date. Despite being subject to mandatory review every five years, the law has not seen a substantial revision in its near-twenty year existence. Thankfully, it now seems that real change is on the horizon. High profile data breaches and increased public awareness of privacy issues are helping put pressure on our politicians to bring about much-needed reform.

In February 2018, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) published its review of PIPEDA, Canada’s private sector privacy legislation. The review makes several encouraging recommendations likely to affect the data broker industry.

But before we get into the recommendations, let’s look at some of the privacy challenges associated with data brokers.

The first set of challenges involve concerns around consumer awareness, consent, and control. Too often, ordinary people are simply not aware that their data are being collected, used, and disclosed by data brokers. Consent mechanisms are hidden in long privacy policies or implied through the consumer’s relationship with a company. Finally, when the consumer becomes aware their data is being used by brokers and wants to correct errors or revoke their consent, there are no clear paths to do so. It is difficult for the consumer to challenge assumptions made about them or to have the broker correct, or delete, their data.

The second area involves what types of information brokers should be able to collect or the kinds of inferences they should be allowed to make about people. Inferences such as those about race, religion, political alignment, or health information may discriminate against vulnerable groups.

Finally, there are security concerns. While companies will need to inform consumers of data breaches as of November 2018, the sheer volume of recent breaches suggests that companies can also do a better job of safeguarding personal information.

In general, the ETHI committee’s recommendations can be grouped into three categories: those that expand the rights of individuals, those that impose obligations on organizations, and those that bestow powers upon the Privacy Commissioner.

The first set of recommendations focus on improving consent mechanisms and control over one’s data. The Committee advocates for adopting opt-in consent as the default “for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose.” As Professor Michael Geist notes, opt-in consent helps ensure that consent is truly informed compared to the current model which allows businesses to “presume they can use their customers’ personal information” unless the customer informs them otherwise. Furthermore, the Committee recommends that consent, as the core element of the privacy regime, “be enhanced and clarified by additional means, when possible or necessary.” This is meant to address issues such as the fact that one’s consent is often acquired through “lengthy and vague legal texts offered on a ‘take it or leave it’ basis.” Providing consumers with the means to choose which information is collected and how it may be used and disclosed would make consent more meaningful.

The Committee also recommends the government “consider implementing measures to improve algorithmic transparency.” Algorithmic transparency means informing individuals about how their personal information is used to make automated decisions about them – another measure addressing informed consent. In evidence given during ETHI’s review, professors Valerie Steeves and Ian Kerr both raised concerns about algorithm use leading to discriminatory outcomes, speaking to limits on the acceptable use of algorithms.

Another recommendation relevant to data brokers deals with the right to erasure. The ETHI committee states that it believes “in general, individuals should have the right to have their personal information removed when they end a business relationship with a service provider or when the information was collected, used or disclosed contrary to PIPEDA.” A related recommendation deals with strengthening and clarifying organizations’ obligation to destroy personal information once it is no longer needed.

One of the Committee’s central recommendations is that PIPEDA be amended to make privacy by design a central principle within the Act. Privacy by design “seeks to protect personal information by implementing measures proactively and preventively.” It is a user-centric approach that places individuals’ privacy interests first. This would impose obligations on businesses to consider privacy implications at every stage of product or service design.

One common criticism of PIPEDA is that it gives the Privacy Commissioner only limited enforcement tools. The Committee recommends that the Act be amended to give the Privacy Commissioner enforcement powers, “including the power to make orders and impose fines for non-compliance.”

The ETHI committee’s recommendations are encouraging. They would provide individuals with more rights regarding their personal information, they would make businesses more accountable, and they would give the Privacy Commissioner the tools needed to enforce individual rights and companies’ obligations.

When it comes to data brokers, however, additional measures may be warranted. To address concerns particular to that industry, one could argue for the creation of a data broker licensing regime. Considering the volume and sensitivity of the information brokers possess, perhaps only those who can demonstrate they handle information responsibly ought to be allowed to do so. Licensing may look to factors such as a broker’s data security practices; their acquiring of valid consent for the collection, use, and disclosure of personal information; and the adoption of practices that eliminate discrimination (both intentional and accidental) against vulnerable groups.

Finally, we must not allow our privacy laws to fall so far behind technology again. In an era of rapid technological change, the laws regulating technology-centric industries must keep up. Recent events such as the Equifax breach, U.S. election interference, and privacy lapses at Facebook, have exposed that there are real consequences when privacy is not adequately protected. Thankfully, Canada seems to have been spared the worst privacy fallouts as of late. But unless we are careful, the future may not be so forgiving.