The Honourable Navdeep Bains, P.C., M.P. extends his gratitude for the report of the Standing Committee on Access to Information, Privacy and Ethics titled Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. His response is summarized below.
He shows his appreciation for the OPC and other witnesses who supported this study and states that the recommendations provide valuable guidance. The Government of Canada agrees that changes are required to ensure that the use of personal information in a commercial context has clear rules to support the expectations of Canadians.
A critical step was taken with the announcement of new regulations under the PIPEDA on April 18, 2018, to assure Canadians that they will be informed about risks with the distribution of their personal information. The next step is to engage Canadians in conversations about data and digital issues on a national level.
Consent under the PIPEDA
The Government agrees that consent should remain a core element of the PIPEDA, as it provides individuals with control over how their personal information is shared. Maintaining a progressive view on consent additionally ensures that the internationally recognized standards align with those of Canada. However, there is work to be done to ensure that consent remains meaningful under the PIPEDA, as it can be enhanced in a variety of ways. Furthermore, the Government is committed to maintaining the principles-based approach to the PIPEDA, as it has been noted as a source of the Act’s strength.
In response to a recent incident involving unintended uses of personal information from social media, the Government acknowledges the need to closely consider redefining “publicly available” information for the purpose of the PIPEDA. The amendments to the PIPEDA’s consent requirements resulted in consent only being considered valid if the individual can understand the consequences of providing that consent. This was aimed at prohibiting the deceptive collection of a child’s personal information; however, it presents unique challenges, as it involves the definition of a minor, which is within provincial jurisdiction.
Online Reputation and Respect for Privacy
The Government acknowledges public concerns about the accumulation of personal information online and agrees that it poses a risk to privacy protection. Furthermore, the Government acknowledges the work by the OPC in this area and that there are legitimate concerns about the impacts of this position on other rights. Therefore, the OPC has called for further study to provide an appropriate balance between these competing rights.
Public commentary reflecting divergent views on these matters points to the need for further certainty on how the PIPEDA applies within various contexts, which is necessary to ensure a “level playing field”. The Government agrees that the appropriate destruction of information after it is no longer needed prevents unintended future uses that can lead to harm to individuals’ reputations.
Enforcement Powers of the Privacy Commissioner
In agreement with the Committee, the Government states that the time has come to closely examine how the PIPEDA’s enforcement model can be improved to ensure that the objectives of supporting innovation and growth of the digital economy, while providing robust protections for personal privacy, are met. Similar recommendations were made by the Senate Standing Committee on Transport and Communications.
In order to determine an optimal model for compliance and enforcement, the Government must assess all options that can strengthen the compliance and enforcement regime of the Act. As part of this assessment, the Government must look at other models of compliance and enforcement to consider potential impacts on the mandate of the OPC, the principles of fundamental justice, and the countervailing risks with increased powers. Options for change must also be assessed, including those regarding consent.
Impact of the European Union (EU) General Data Protection Regulation (GDPR)
The Government supports the following: (1) Canada’s Adequacy Status (ref. recommendations 17-19), and acknowledges that data flows are a significant enabler in a growing digital economy. In discussion with trade partners, including the EU nations and institutions, the key is to work towards harmonization of different frameworks to ensure data protection is level across all jurisdictions. Officials are using a cross-government approach and working closely with the European Commission to understand the requirements for maintaining Canada’s adequacy standing under the EU GDPR.
The Committee’s study has made a significant contribution to this work by providing the Government with recommendations to ensure the effectiveness of the PIPEDA in light of international developments.
New Rights to Align with the GDPR
In recognition of the importance of interoperability of privacy regimes, the EU has added the concept of “essential equivalence” to the GDPR to examine the adequacy of non-member regimes. Therefore, it is not clear that the PIPEDA’s requirements must reflect each of the GDPR’s rights and protections in order to maintain its adequacy standing.
Moving forward, the Government will engage Canadians in a conversation on making Canada more data-savvy, focusing on how companies can use personal information to innovate and compete while protecting privacy. This is a value that Canadians hold dear.
Once again, thank you to the Committee on behalf of the Government for the careful examination of these important issues.