Blog Post:

Stronger Privacy Enforcement Powers for Canada’s Privacy Commissioner and a Possible Role for Canada’s Competition Bureau?

The Office of the Privacy Commissioner of Canada (OPC) is essentially an Ombudsman. The Commissioner investigates complaints and makes recommendations. He has no order-making powers to enforce his recommendations; he has to make an application to Federal Court. And he has very limited powers to levy fines.

There is now a prevailing view that the simple ombudsman powers of the Privacy Commissioner are going to be insufficient in the future.  Several realizations have produced this change in view.  The Commissioner’s powers contrast significantly with the powers granted to European DPAs under the General Data Protection Regulation (GDPR), where DPAs are empowered to levy significant administrative sanctions, including fines up to 20 million euros or 4% of annual turnover.  There is concern that Canada’s continued adequacy status could be jeopardized unless essentially equivalent powers are given to the OPC. 

The powers of the federal Commissioner also stand in contrast to those of some provincial commissioners, including those that administer provincial laws governing the private sector in Quebec, B.C. and Alberta.  For example, the BC Information and Privacy Commissioner under the B.C. Personal Information Protection Act (PIPA) can (among other things):  require an organization to stop collecting, using or disclosing personal information in contravention of this Act, or confirm a decision of an organization to collect, use or disclose personal information and…require an organization to destroy personal information collected in contravention of this Act. [1]

The inadequacy of the OPC’s powers was brought into graphic relief in the aftermath of the joint investigation by the federal and BC commissioners into Facebook over the breach that exposed personal data on 600,000 Canadians to Cambridge Analytica. The Facebook investigation found that the company had committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians. There were major shortcomings in the social media giant’s privacy practices. [2] The Commissioners made a series of recommendations, which the company rejected or refused to implement in a manner that was acceptable. The Commissioner therefore filed with Federal Court for a ruling requiring Facebook to correct its practices and comply with PIPEDA. It is widely expected that the litigation will drag on, and will consume an enormous amount of the OPC’s time and resources. The absence of proper remedies against Facebook received considerable attention in the media. Many questioned why the Commissioner could only give the company a figurative rap on the knuckles.

The Government of Canada addressed the issue of the Commissioner’s powers in its 2019 Digital Charter, a sprawling and multi-faceted document designed to build greater trust in the digital economy, and which raised a range of interrelated policy issues.  The paper on Strengthening Privacy for the Digital Age acknowledged that:[3]

“There is a growing view that the ombudsman model and enforcement of PIPEDA, which relies largely on recommendation, naming of organizations in the public interest, and recourse to the Federal Court, to effect compliance with privacy laws, is outdated and does not incentivize compliance, especially when compared to the latest generation of privacy laws. The current state of affairs cannot continue; meaningful but reasoned enforcement is required to ensure that there are real consequences when the law is not followed.”

It went on to recommend:

  • Providing the Privacy Commissioner, in the context of its investigation and audit functions, with circumscribed order-making power in the form of cessation and records preservation orders…. 
  • Extending the existing regime for fines to other key provisions of the Act, including and in particular consent requirements, data safeguard requirements, limiting use, disclosure and retention requirements. This involves the Privacy Commissioner referring matters of concern to the Attorney General of Canada for investigation…. 
  • Substantially increasing the range of fines that are tied to offences under the Act, and provide for a scheme that identifies the mitigating and aggravating factors that should be considered, including adherence to codes, certification or standards….
  • Further empowering the Court to order statutory damages for certain contraventions. PIPEDA could be amended to prescribe a range of damage awards, setting out minimum and maximum amounts for contraventions of specific provisions.

It also recommended enhanced powers for education and outreach, investigation and audit and the provision of proactive advice. 

In his annual report (2018-19), Commissioner Therrien pushed back on the idea of circumscribed order-making powers in which the Attorney General would be involved:[4]

“In my view, the government’s proposal is very inefficient, given it would seriously delay the enjoyment of rights by individuals to several years after they have filed a complaint. Justice delayed is justice denied.  True order-making powers and fines would change the dynamic of our discussions with companies during investigations, leading to quicker resolutions for Canadians. At the moment, as we saw in our Facebook investigation, an organization that we have found in contravention of the law can simply ignore our recommendations and wait it out until the courts have come to the same conclusion as my Office. In the government’s proposal under the Digital Charter, a further step would be added, in the form of a review by the Attorney General.”

Commissioner Therrien reiterated the argument for stronger enforcement and fining powers in other public presentations, as well as in his office’s new consultation document on appropriate regulation of AI. He has not, however, gone so far as to argue that he should be given the same fining powers as those enjoyed by his European counterparts. He has merely argued for the authority to issue binding orders and impose financial penalties.[5] In October 2019, the joint meeting of the Federal, Provincial and Territorial Information and Privacy Commissioners also called for their offices to be able to rely on extensive and appropriate enforcement powers adapted to the digital environment, such as the power to conduct own-motion investigations and audits, the power to compel records and witnesses as necessary for reviews and investigations, the power to issue orders, and the power to impose penalties, fines or sanctions.[6]

One further interesting development is worthy of note. Canada’s Competition Bureau has been making a gradual shift toward enforcement of some aspects of the digital economy. The Bureau has the power to review any business that makes a representation to the public that is false or misleading in a material respect. Historically, these powers have been used to regulate advertising about products, but they could be used to regulate the type of data organizations collect and why they collect it. At a conference in January 2020, the Deputy Commissioner, Josephine Palumbo, indicated that the Bureau aims to ensure truth in advertising by addressing misleading claims about consumer privacy. Issues of privacy and deceptive marketing practices intersect in the online marketplace…. For instance, when firms make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it, we will take action.[7] The powers essentially mirror those exercised by the Federal Trade Commission in the United States, which can regulate, and has regulated, unfair and deceptive advertising and has used those powers to regulate and fine companies (including Facebook and Google) which say one thing in their privacy policies, and do another thing in practice.

This is potentially a huge development. The Bureau is an independent law enforcement agency within the Department of Innovation, Science and Economic Development (ISED), and is headed by the Commissioner of Competition. The Bureau has substantial enforcement powers under the Competition Act to apply to the courts for an administrative order requiring organizations to cease and desist, and/or to pay administrative penalties of up to C$10 million, and C$15 million for each subsequent order.[8] In response to this announcement, several law firms indicated to clients that they should review their online privacy statements about the processing of personal data, to ensure completeness and accuracy. The Competition Bureau is currently in discussions with the OPC about how the offices may collaborate going forward.

And that is where the debate currently stands. It has taken some time for the Federal Privacy Commissioner to come around to the position that enforcement powers are necessary. His predecessors regularly refused to request what Daniel Therrien has now recommended. Some in the privacy community remain sceptical of the introduction of strong fining and enforcement powers into an institution that was, and still is, based on the ombudsman model. There is a strong tradition in Canada of reliance on softer forms of administrative law, and some deep-seated scepticism about the impact of new powers of enforcement on the ability of the Commissioner to resolve complaints consensually, effectively and in a timely manner. Many in the Canadian private sector are also quite resistant to tinkering with the PIPEDA model which, they argue, has over the years fostered a good level of compliance among responsible companies, and some cutting-edge programs in privacy management and privacy by design.

At the same time, the realities of the contemporary global digital economy, and the dependence of so many new business models on the processing of personal data, have brought home the depressing weakness of Canadian privacy regulators in reining in the behavior of the Big Tech behemoths. Ombudsman powers might work for smaller companies, and for some government agencies, but they are patently inadequate to force companies like Facebook to change their practices.

This is an earlier version of an article that appeared in Privacy Laws and Business International Report 164, April 2020.

 


[1] British Columbia, Personal Information Protection Act (PIPA), Sections 52 (e) and (f)

[2] Facebook refuses to address serious privacy deficiencies despite public apologies for breach of trust,  OPC, Ottawa April 25, 2019: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_190425/

[3] Government of Canada, Strengthening Privacy in the Digital Age https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html#fn44

[4] Privacy Commissioner of Canada, 2018-19. Annual Report  https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201819/ar_201819/

[5] Consultation on the OPC’s Proposals for ensuring appropriate regulation of artificial intelligence. https://priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-ai/pos_ai_202001/

[6] Effective privacy and access to information legislation in a data driven society. Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners at: https://priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/joint-resolutions-with-provinces-and-territories/res_191001/

[7] Honest Advertising in the Digital Age. Remarks by Josephine Palumbo, Deputy Commissioner, Deceptive Marketing Practices Directorate, Canadian Institute 26th Annual Advertising and Marketing Law Conference, January 22, 2020, Toronto, ON: https://www.canada.ca/en/competition-bureau/news/2020/01/honest-advertising-in-the-digital-age.html

[8] https://laws.justice.gc.ca/eng/acts/C-34/page-19.html#h-89299