The Federal Privacy Commissioner (OPC) just released the 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA). In the report the OPC repeated the plea for reform of PIPEDA arguing that PIPEDA “is outdated and does not sufficiently deal with the digital environment to ensure appropriate regulation of new technologies.” The report also proposed major new remedial powers for the OPC. Interestingly, however, statistical data in the Annual Report illustrates how well PIPEDA appears to be working despite the lack of these remedial powers.
As privacy lawyers in Canada know, when PIPEDA was first enacted two decades ago, the Privacy Commissioner was constituted as an agent (or officer) of Parliament. Unlike data commissioner authorities in the EU, the OPC functions as a watchdog and ombudsman, reports directly the Parliament (rather than to a specific minister or government) and helps to resolve privacy complaints. The OPC is not empowered to adjudicate complaints or breaches of PIPEDA. The OPC is an investigative, but not an adjudicative, body. As the OPC itself explained its powers “The Commissioner focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate.”
The OPC is not empowered to make orders, award damages or levy fines based on its investigations. The OPC has the power to investigate complaints from the public or to initiate its own complaints where the “Commissioner is satisfied that there are reasonable grounds to investigate a matter”. In the course of investigations it also has certain powers to compel the production of evidence. The Commissioner also has the right to conduct audits where he “has reasonable grounds to believe that the organization has contravened” certain PIPEDA provisions. Following the investigation of a complaint, the OPC may make certain types of findings (as detailed below). While the Commissioner has no right to issue fines or impose administrative monetary penalties (AMPs) or to make compliance orders, PIPEDA does allow for applications to the Federal Court which has the power, in addition to other remedies, to order an organization to correct its practices, to publish a notice of any action taken or proposed to be taken to correct its practices, or award damages to the complainant. As the Commissioner is not an adjudicator, findings made by the OPC cannot be appealed as such to a court and these findings are not entitled to any weight on applications to the Federal Court as are decisions of administrative tribunals. See, for example, Englander v. Telus Communications, 2004 FCA 387, Johnson v. Bell Canada, 2008 FC 1086, Bertucci v. Royal Bank of Canada, 2016 FC 332.
PIPEDA’s design was no accident. Its structure was the result of broad consultations with stakeholders. This structure is reflected in the dual goals of PIPEDA which is to recognize “the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”. It is reflected in the Model Code which is reproduced in Schedule 1. It is also reflected in role envisioned for the OPC which by design did not give the OPC powers to impose fines or make compliance orders. Instead, it was given a mandate to investigate complaints and to try and resolve them amicably, acting as an ombudsman. PIPEDA also gave the OPC the extremely potent “name and shame” deterrent power, something that animates and activates PIPEDA compliance and results in many complaints being resolved voluntarily by organizations, whether or not they ever breached PIPEDA.
The Commissioner is seeking to radically reform the role of the OPC. Below is a table from the Annual Report in which the OPC seeks to distinguish the powers of the OPC from differently constituted entities in other countries.
Decisions about whether the OPC should be given all or some of the powers it is asking for may be assessed, at least in part, on evaluations of whether PIPEDA and the role played by the OPC are successful in accomplishing PIPEDA’s goals.
The Annual Report contains a PIPEDA “Report Card”. It shows how well PIPEDA has fared in addressing complaints, as currently structured.
As noted above, following a complaint the OPC can take different steps to address it, as summarized below from the Annual Report.
The OPC’s statistical data shows that approximately only 2% of complaints were found to be “well founded” and the other 98% were resolved early, discontinued, resolved after an investigation, settled, found to be not well founded, or found to be well founded and resolved or conditionally resolved, without the need for any further action by the OPC. While the report compared the powers of the OPC with those of data protection authorities in other jurisdictions, it did not provide any data that would show whether PIPEDA and the OPC fared better or worse than the laws and data protection authorities in other jurisdictions in promoting the privacy rights of their respective residents.
The 2019-2020 statistical analysis by the OPC is not an anomaly. The 2017-2018 Annual Report had a very similar ratio with also approximately only 2% of complaints found to be “well-founded”. The 2018-2019 Annual Report did not contain this statistical analysis.
There seems little doubt that PIPEDA is going to be amended, and, it is likely to be amended very soon. Quebec’s Bill 64 is also likely to result in changes to Quebec’s provincial privacy law. (There were many submissions commenting on the significant changes being proposed in the Bill. You can read the briefs on the Quebec Government website.) Ontario and BC are also in the consultation processes to update their privacy laws.
Technological changes have raised challenges not envisioned when PIPEDA and other laws were enacted which justify some principled recalibration. The Commissioner rightly points out that developments since PIPEDA became law have created uncertainties and gaps and divergences from international privacy laws such as the GDPR. The fact that the COVID-19 Alert App was assessed by the OPC using principles that are not yet part of our law further highlights current regulatory uncertainties. But, finding the right balance that promotes privacy and innovation and consistency among federal, provincial, and foreign laws will be a challenge, especially in times of flux when amended or overlapping privacy laws and regulatory enforcement regimes can have significant inadvertent consequences. Further, it is questionable whether an agent (or officer) of Parliament is properly constituted to make biding orders or impose fines directly on organizations. Clearly, these are all issues worthy of serious consultation and study. The Annual Report raises the question whether research is also needed to assess the true benefits of strong remedial powers of privacy commissioners in promoting the objectives of privacy laws.