Barry Sookman
  • Bio & expertise
    • Bio
    • Technology & Internet Lawyer
    • Copyright and Intellectual Property Lawyer and Litigator
    • Privacy & CASL
    • Government Relations
    • Rankings
  • Books & Articles
  • Speeches & Media
  • Terms
    • Privacy Policy
This site is about technology, copyright, and privacy Law
Barry Sookman
Barry Sookman
  • Bio & expertise
    • Bio
    • Technology & Internet Lawyer
    • Copyright and Intellectual Property Lawyer and Litigator
    • Privacy & CASL
    • Government Relations
    • Rankings
  • Books & Articles
  • Speeches & Media
  • Terms
    • Privacy Policy
Subscribe
  • Privacy

PIPEDA by the numbers: lessons for privacy law reform in Canada?

  • October 12, 2020
  • Barry Sookman
Total
0
Shares
0
0
0

The Federal Privacy Commissioner (OPC) just released the 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA). In the report the OPC repeated the plea for reform of PIPEDA arguing that PIPEDA “is outdated and does not sufficiently deal with the digital environment to ensure appropriate regulation of new technologies.” The report also proposed major new remedial powers for the OPC. Interestingly, however, statistical data in the Annual Report illustrates how well PIPEDA appears to be working despite the lack of these remedial powers.

As privacy lawyers in Canada know, when PIPEDA was first enacted two decades ago, the Privacy Commissioner was constituted as an agent (or officer) of Parliament. Unlike data commissioner authorities in the EU, the OPC functions as a watchdog and ombudsman, reports directly the Parliament  (rather than to a specific minister or government) and helps to resolve privacy complaints. The OPC is not empowered to adjudicate complaints or breaches of PIPEDA. The OPC  is an investigative, but not an adjudicative, body. As the OPC itself explained its powers “The Commissioner focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate.”

The OPC is not empowered to make orders, award damages or levy fines based on its investigations. The OPC has the power to investigate complaints from the public or to initiate its own complaints where the “Commissioner is satisfied that there are reasonable grounds to investigate a matter”. In the course of investigations it also has certain powers to compel the production of evidence. The Commissioner also has the right to conduct audits where he “has reasonable grounds to believe that the organization has contravened” certain PIPEDA provisions. Following the investigation of a complaint, the OPC may make certain types of findings (as detailed below). While the Commissioner has no right to issue fines or impose administrative monetary penalties (AMPs) or to make compliance orders, PIPEDA does allow for applications to the Federal Court which has the power, in addition to other remedies, to order an organization to correct its practices, to publish a notice of any action taken or proposed to be taken to correct its practices, or award damages to the complainant. As the Commissioner is not an adjudicator, findings made by the OPC cannot be appealed as such to a court and these findings are not entitled to any weight on applications to the Federal Court as are decisions of administrative tribunals. See, for example, Englander v. Telus Communications, 2004 FCA 387, Johnson v. Bell Canada, 2008 FC 1086, Bertucci v. Royal Bank of Canada, 2016 FC 332.

PIPEDA’s design was no accident. Its structure was the result of broad consultations with stakeholders. This structure is reflected in the dual goals of PIPEDA which is to recognize “the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”. It is reflected in the Model Code which is reproduced in Schedule 1. It is also reflected in role envisioned for the OPC which by design did not give the OPC powers to impose fines or make compliance orders. Instead, it was given a mandate to investigate complaints and to try and resolve them amicably, acting as an ombudsman. PIPEDA also gave the OPC the extremely potent “name and shame” deterrent power, something that animates and activates PIPEDA compliance and results in many complaints being resolved voluntarily by organizations, whether or not they ever breached PIPEDA.

The Commissioner is seeking to radically reform the role of the OPC. Below is a table from the Annual Report in which the OPC seeks to distinguish the powers of the OPC from differently constituted entities in other countries.

Decisions about whether the OPC should be given all or some of the powers it is asking for may be assessed, at least in part, on evaluations of whether PIPEDA and the role played by the OPC are successful in accomplishing PIPEDA’s goals.

The Annual Report contains a PIPEDA “Report Card”. It shows how well PIPEDA  has fared in addressing complaints, as currently structured.

As noted above, following a complaint the OPC can take different steps to address it, as summarized below from the Annual Report.

The OPC’s statistical data shows that approximately only 2% of complaints were found to be “well founded” and the other 98% were resolved early, discontinued, resolved after an investigation, settled, found to be not well founded, or found to be well founded and resolved or conditionally resolved, without the need for any further action by the OPC. While the report compared the powers of the OPC with those of data protection authorities in other jurisdictions, it did not provide any data that would show whether PIPEDA and the OPC fared better or worse than the laws and data protection authorities in other jurisdictions in promoting the privacy rights of their respective residents.

The 2019-2020 statistical analysis by the OPC is not an anomaly. The 2017-2018 Annual Report had a very similar ratio with also approximately only 2% of complaints found to be “well-founded”. The 2018-2019 Annual Report did not contain this statistical analysis.

There seems little doubt that PIPEDA is going to be amended, and, it is likely to be amended very soon. Quebec’s Bill 64 is also likely to result in changes to Quebec’s provincial privacy law. (There were many submissions commenting on the significant changes being proposed in the Bill. You can read the briefs on the Quebec Government website.) Ontario and BC are also in the consultation processes to update their privacy laws.

Technological changes have raised challenges not envisioned when PIPEDA and other laws were enacted which justify some principled recalibration. The Commissioner rightly points out that developments since PIPEDA became law have created uncertainties and gaps and divergences from international privacy laws such as the GDPR. The fact that the COVID-19 Alert App was assessed by the OPC using principles that are not yet part of our law further highlights current regulatory uncertainties. But, finding the right balance that promotes privacy and innovation and consistency among federal,  provincial, and foreign laws will be a challenge, especially in times of flux when amended or overlapping privacy laws and regulatory enforcement regimes can have significant inadvertent consequences. Further, it is questionable whether an agent (or officer) of Parliament is properly constituted to make biding orders or impose fines directly on organizations. Clearly, these are all issues worthy of serious consultation and study. The Annual Report raises the question whether research is also needed to assess the true benefits of strong remedial powers of privacy commissioners in promoting the objectives of privacy laws.

Related

Total
0
Shares
0
0
0
0
Related Topics
  • OPC annual report
  • OPC remedial powers
  • PIPEDA
  • privacy reform in Canada

Subscribe

Subscribe now to our newsletter

You May Also Like
Minister Champagne and AIDA
View Post
  • AI Regulation
  • AIDA
  • artificial inteliigence
  • CPPA

Government proposals to amend CPPA and AIDA: the good, the bad, and the challenges ahead Part 1

  • Barry Sookman
  • October 15, 2023
Google search engines and privacy
View Post
  • AI Regulation
  • artificial inteliigence
  • Charter of Rights
  • CPPA
  • PIPEDA
  • Privacy

Legality of search engines and AI systems under PIPEDA and CPPA: Google v Privacy Commissioner

  • Barry Sookman
  • October 8, 2023
Digital Charter Implementation Act and CPPA
View Post
  • CPPA
  • Privacy

CPPA: problems and criticisms – automated decision making

  • Barry Sookman
  • December 18, 2022
Digital Charter Implementation Act and CPPA
View Post
  • CPPA
  • PIPEDA
  • Privacy

CPPA: problems and criticisms – anonymization and pseudonymization of personal information

  • Barry Sookman
  • December 5, 2022

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe

Subscribe now to our newsletter

Barry Sookman
This site is about technology, copyright, and privacy Law

Input your search keywords and press Enter.

We may be using cookies to give you the best experience on our website.

 

Barry Sookman
Powered by  GDPR Cookie Compliance
Privacy Overview

This website may use cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.