Lacking bite

“We find ourselves unable to keep pace with the challenges of an increasingly complex digital environment, in no small part because Canada’s privacy laws are not adapted to the realities of the 21st century.”

That’s Daniel Therrien, Canada’s federal privacy commissioner, in a May 2018 letter to a select committee of the country’s House of Commons. In that letter, Therrien laid out serious difficulties that his agency, the Office of the Privacy Commissioner of Canada (OPC), has encountered in attempting to enforce Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act, known as PIPEDA.

“At present, we know our powers are not strong enough and enhancing them, to have a better understanding of our environment, is a good starting point,” he wrote.

The sentiment won’t be anything new to data privacy enforcement authorities around the world. All eyes are currently on Europe, where the GDPR has boosted member state authorities’ ability to impose eye-watering fines, following decades of authorities only being able to deliver slaps to the wrist. Brazil has already followed suit, with its legislature having approved GDPR-style legislation that set up the country’s first overall data protection regime and enforcer in August 2018. The previous month, India’s government received a GDPR-influenced draft bill that would set up the country’s first data protection framework.

In his letter, Therrien pointed to the GDPR’s 4% of turnover maximum fines, as well as the US Federal Trade Commission’s track record in extracting multimillion-dollar penalties through settlements. Given the global trend towards handing greater enforcement and penalty powers to countries’ regulators, Canada starts to look like the odd one out. The office’s setup, and the framework it enforces, arguably looks outdated and ill-suited to respond to an increasingly data-driven economy.

The ombudsman

PIPEDA is nearly 20 years old. The country’s provinces can also pass their own privacy legislation, taking matters there outside PIPEDA’s jurisdiction if Canada’s government deems them to be substantially similar to the federal rules. So far, Alberta, British Columbia and Quebec have received that stamp of approval for their general legislation; New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario healthcare privacy legislation have also been deemed similar to PIPEDA.

PIPEDA itself, observers agree, is a broadly sensible and flexible piece of legislation that sets data privacy and security principles similar to what can be seen in the EU. The law regulates the collection and processing of personal information, mostly based on the concept that individuals must provide consent to all collection, use or disclosure of their data “except where inappropriate”. While the law is more consent-focused than the GDPR, it is more open to principles such as implied consent as a basis for processing data that would probably fall foul of Europe’s more hard-line take on the concept.

The federal privacy landscape has changed in recent years, indicating a will to keep pace with international developments. The country’s first federal mandatory breach notification regime will kick in from November 2018, after Alberta took the lead in implementing a mandatory regime in 2010. It will provide a roadmap for the commissioner’s investigations, not only by setting up mandatory notification to the OPC of all breaches that create a “real risk of significant harm”, but also by forcing organisations subject to PIPEDA to retain records of all security incidents – no matter how trivial – for two years. Those records will be disclosable not only to the OPC, but potentially to plaintiff-side litigators in Canada and abroad looking to put together arguments about companies’ security policies. Observers agree that the notification and record-keeping requirements have already pushed companies to set up or re-examine their security arrangements in a bid to stay compliant with the new regime.

And the breach notification rules also create new monetary risks: companies that fail to report notifiable breaches, or fail to maintain appropriate records, are exposed to fines of up to C$100,000 ($76,000).

But the extent to which the OPC’s enforcement actions actually act as a deterrent against misconduct or breaches of PIPEDA remains unclear. The breach notification regime is now one of only two parts of PIPEDA that actually leave companies liable for fines in cases of non-compliance; the other, carrying identical penalties, is for obstructing the OPC’s investigations.

The OPC’s ability to make any kind of a direct dent on non-compliant companies is limited. While it can compel evidence and summon witnesses, it needs to approach Canada’s Federal Court should it need to get a binding order against a defendant that refuses to comply or settle. By contrast, the provincial commissioners in Alberta, British Columbia and Quebec can issue mandatory orders without needing to go to court.

The federal office’s maximum available fine may also not be much of a deterrent. In his May 2018 letter to Canada’s parliament, commissioner Therrien also argued that his office needs more funds, pointing as an example to the UK Information Commissioner’s Office’s planned growth from 370 staff in 2017 to 700 in 2021. Therrien said the OPC has asked for a “modest” 30% boost to its funding – a C$8 million (US$6 million) increase – to help issue more policy guidance, educate Canadians and help its “overwhelmed” investigative resources. More realistically, he said, a 90% increase proportionate to what the UK Information Commissioner’s Office received might be needed. “The former would allow us to undertake a limited number of proactive promotion and compliance activities and reduce but not eliminate our backlogs of complaints,” Therrien wrote.

Recent investigations

“There’s a paucity of resources, and the office does not have sufficient order-making powers,” says Lisa Lifshitz, a partner at Torkin Manes in Toronto. “Generally speaking, we don’t have fines, with very rare exceptions. I think that’s a concern.

“Higher fines would raise companies’ exposure to privacy law and increase general knowledge about privacy,” Lifshitz believes. “That was one of the impacts of the GDPR: it created an opportunity for dialogue, for discussion.”

Observers are quick to point out that the office does not oversee PIPEDA and Canadian private sector privacy as a law enforcer. The commissioner is deemed an ombudsman, with the office’s guidance to potential complainants saying he “takes a cooperative and conciliatory approach to investigating complaints whenever possible and encourages resolution through voluntary cooperation”.

In 2009, the OPC under Jennifer Stoddart commissioned academics Lorne Sossin and France Houle to review the office’s powers. Two years later, they found that the ombudsman model was broadly successful, but nonetheless recommended that the OPC should receive some order-making powers, directed towards the SME sector in which “compliance appears to be the lowest, and where all available data from provincial enforcement suggests that only the threat of penalties that affect the bottom line can lead to a change in business behaviour, and ultimately, in business culture”. Canada’s government did not act on the recommendations.

Some believe there is a risk that granting the commissioner stronger enforcement powers could affect what has, for many companies, become a productive relationship. Observers note the difference between reporting potential issues or starting conversations with traditional law enforcers – which almost inevitably creates the risk that approaching them could lead to dire consequences – and the lesser potential for harm that comes from being able to talk openly to the privacy commissioner’s officials.

Éloïse Gratton, a partner at Borden Ladner Gervais in Montreal, believes that companies operating in Canada “like the current [ombudsman] approach because they like being able to have a free conversation with the regulator about all sorts of issues. There are no fines or penalties at the end of the day, so companies have been motivated to be very transparent in reporting breaches, even when they are not mandatory.”

Blake Cassels & Graydon partner Wendy Mee also believes companies “don’t fear” approaching the office.

“It does open up this ability to speak more openly, and I think the office have been effective in using that type of [ombudsman] model,” she says. “I hope that, in any event, were they to receive broader powers, that they would not only have a hardline enforcement approach, and would retain the ombudsman model.”

And Fasken Martineau DuMoulin Toronto partner John Beardwood says: “We have a regulator who is supposed to have an ombudsman role, and structured as such, who now wants to be in a position to also have enforcement powers. But you either have to structure agencies like enforcers, or like ombudsmen.” Beardwood, who believes that the office does not need additional powers, says any granting of such powers would have to come alongside stronger defence rights.

“As [the office’s] decisions are currently non-binding, the procedural protections regarding the exercise of the commissioner’s powers in PIPEDA in connection with conducting an investigation are relatively light,” he says, adding that if the OPC had the power to issue binding orders, “procedural protections would need to be beefed up . . . It would entirely change the structure of how PIPEDA works.”

Beardwood points to the commissioner’s ability to publish the names of wrongdoers to make an example of them. “I think that’s enough,” he says. “People already worry about being targeted by the privacy commissioner.”

But others disagree that reputational harm alone is a sufficient deterrent.

“I definitely think the possibility of having fines, or order-making powers, would encourage compliance more than the existing regime does,” says Blakes partner Mee, who believes many companies seek to comply as it’s the right thing to do. “A lot of organisations put in good efforts to comply with privacy legislation. But when push comes to shove, and they’re trying to balance all sorts of different obligations, they might look at privacy law and think about what the consequences would actually be if they didn’t comply with its requirements. There are maybe some reputational issues – which aren’t insignificant because companies don’t want to be publicly shamed. But otherwise, there’s not really a lot.”

An OPC spokesperson told GDR that the regulator has previously noted that it does not have “a specific amount in mind” for any maximum fines, “but the amount would have to be sufficient so as to incentivise companies to comply with the law as opposed to merely being the cost of doing business . . . Canada needs powers comparable to those in other jurisdictions in terms of order-making powers and fines in order to have meaningful impact on privacy protection and continue to enjoy the trade partnerships we have forged with Europe and others.”

The outlook

The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (ETHI) also believes that the current enforcement framework needs changing. In a report adopted in February 2018, the committee backed calls for Canada’s privacy commissioner to receive “enforcement powers, including the power to make orders and impose fines for non-compliance”, as well as “broad audit powers, including the ability to choose which complaints to investigate”.

The committee also made a slew of further recommendations, including ensuring that consent remains the core part of PIPEDA, albeit with possible clarifications; ensuring that measures could be implemented to improve algorithmic transparency; making privacy by design a central principle of the legislation; and introducing rights to data portability, erasure and de-indexing.

The committee also explicitly pointed to the risk that Canada may lose its adequacy status under the EU’s data protection regime, urging the federal government to work with Europe to figure out what adequacy means post-GDPR. The EU considered PIPEDA adequate in 2001, allowing transfers of personal data from the bloc into Canada without the need for binding corporate rules, model clauses or certification by EU national data protection authorities.

But the GDPR goes into more detail than the old regime about exactly what is needed for non-EU countries to be deemed adequate; the European Commission now needs to look at the “existence and effective functioning of one or more independent supervisory authorities . . . with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers”. EU data protection enforcers can now impose enormous fines; will the European Commission consider that PIPEDA provides for adequate enforcement powers? With the commission set to review the matter before 2020, it is now a live issue for Canada’s government.

Canada’s Innovation, Science and Economic Development (ISED) Minister Navdeep Bains responded to the ETHI committee’s advice by saying the federal government “shares the committee’s view that changes are required to our privacy regime to ensure that rules for the use of personal information in a commercial context are clear and enforceable and will support the level of privacy protection that Canadians expect”. Bains said the government agrees that “the time has come to closely examine how . . . PIPEDA’s enforcement model can be improved”, and will “assess the viability of all options” to strengthen the legislation’s compliance and enforcement regime. Bains said the government will look at alternative models and consider their potential effects on several issues – including the effect on “open dialogue between businesses and the OPC”.

Bains also said Canada’s government is working with trade partners to discuss international data transfers and the interoperability of different data privacy regimes; and is in talks with the European Commission to understand what it would need to maintain its PIPEDA adequacy decision. He also noted the ETHI recommendations on introducing GDPR-like data subject rights – like portability and an explicit right to be forgotten – into the federal Canadian regime. Bains said it is unclear that PIPEDA needs to mirror the GDPR’s rights and protections to maintain its adequacy status, as the GDPR mandates only “essential equivalence” to its own regime rather than an exact match (though he promised to consult on the possibility of nonetheless incorporating those rights into PIPEDA). Several observers say the potential killer of any adequacy decision would probably not be Canada’s differing approach to data subject rights: at the end of the day, while details may differ on the approach towards these rights, the EU could simply think the rights mean little if the OPC cannot meaningfully enforce them.

In a statement to GDR, Canada’s innovation ministry noted a government consultation launched in June 2018 on digital innovation. A report from the consultation is set to be published in autumn. “As noted by Minister Bains, this report will guide any legislative or policy changes that the government may make,” an ISED spokesperson said.

Torkin Manes partner Lifshitz believes there will have to be reform.

“I’m holding my breath and waiting for the first opportunity for a European citizen to show the current Canadian framework is inadequate under the GDPR,” she says. “There are serious concerns that the current framework is insufficient, compared to the current protections in the EU. That’s going to be the real impetus for reform.” Whatever happens, observers agree that they would like to see more guidance that companies can use to stay on the right side of the line – though one says some hard precedent through enforcement and case law would be even more useful.

But John Beardwood notes that while the Liberal Party-led federal government could be helpful to the privacy commissioner, the party “[walks] a tightrope between being pro-industry and anti-business. Granting any sort of order-making powers to the privacy commissioner is likely to be considered anti-business. I’m not sure what side of the fence they would want to be on right now – and it’s not that pressing an issue.”