19 June 2020
The Government of Canada has created a Digital Charter. It provides Canadians with new rights and expectations about how businesses will treat their personal information.
In conjunction with the Digital Charter, and flowing from its ten principles, there will also be some changes to the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA is the chief privacy law in Canada and applies to virtually all private companies.
But what could these legal changes mean for your business?
The Government of Canada has produced some guidance on its proposed changes to PIPEDA. Unfortunately, it reads like an especially dry and technical Ph.D. thesis.
However, we've read the Government's proposals in detail, and present you with some practical tips on how you can thrive in Canada's new privacy landscape.
Canada's Digital Charter sets out a bold vision of a nation where every individual has true control over their personal information.
The collection and exchange of personal information powers the internet economy. Digital advertisers and tech companies seem intent on collecting as much personal information as possible.
And the harvesting of personal information is no longer purely something that happens on websites. Smart devices collect information about "real world" activity. Recently, Canadian data protection authorities showed great concern about the intrusive potential of so-called "Smart Cities."
Canada is not unique in moving toward a more consumer-focused digital economy. Many other jurisdictions are introducing new privacy laws or making amendments to their existing laws. The EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two high-profile examples.
These laws apply to businesses all over the world. Canadian companies which improve their data protection practices will be much better-placed to comply with other international privacy laws.
Canada's Digital Charter contains ten principles that underpin the country's new approach to privacy.
We'll look briefly at these ten principles, before turning to how they will affect PIPEDA and your business.
These principles sound great. But what do they mean for businesses operating in Canada?
The Government's guidance suggests some upcoming changes to how consent operates under PIPEDA.
PIPEDA currently operates a model of "express" and "implied" consent. Implied consent allows businesses to claim that they have a person's consent to use their personal information in a particular way, even when they haven't explicitly asked for it.
Consent is a key part of privacy law. However, getting a person's consent isn't always necessary or appropriate.
People expect trusted companies to use their personal information in certain ways. But they receive endless requests to consent to inconsequential things. Frequent consent requests can lead to "consent fatigue," causing people to start thoughtlessly consenting to more important things.
To understand where requesting consent might not be appropriate, consider these two examples:
The software company is sending spam to people who might never even have heard of it. This intrusive unsolicited electronic marketing is not allowed under PIPEDA or most other privacy laws.
The coffee company doesn't necessarily require its users' consent for this activity. Under PIPEDA, the coffee company could argue that it has "implied" consent (because it's sending messages to current subscribers who, by the nature of subscribing, have implied that they consent to receive such messages). And under the GDPR, the coffee company could argue that it is acting within its legitimate interests.
The Government suggests that PIPEDA could be amended to provide clearer information about when requesting consent is not appropriate.
This reinforces some earlier guidance on consent from Canada's Office of the Privacy Commissioner (OPC). In 2016, the OPC proposed the introduction of a concept similar to the GDPR's "legitimate interests" to replace the notion of "implied consent" in PIPEDA.
It's not yet clear how this proposed change could impact businesses.
Consider the activities for which you request consent. Ask yourself:
If the answer to any of these questions is "no," think about whether you should be requesting consent for this activity.
Another possible change to PIPEDA would see a prohibition on certain types of contracts. Businesses would no longer be allowed to make contracts contingent on an individual's consent to the processing of their personal information.
Let's look at some examples.
Some companies also require users to consent to direct marketing as part of their Terms and Conditions agreement. Here's an example from the SDL AppStore Terms and Conditions:
This sort of clause might not be allowed under the changes to PIPEDA.
Sometimes websites will deny users access unless they consent to behavioral advertising. This is sometimes called a "cookie wall." Here's an example from Time:
These methods of earning consent are common but problematic. It's not clear that a user has genuinely consented if they did so as part of a contract. They may have agreed because they wanted to gain access to the service.
Of course, almost all contracts require some personal information to be exchanged. Requiring a customer to provide personal information as part of a contract is not always a problem if obtaining their personal information is necessary to carry out the contract.
For example, you need to collect someone's name and address to send them the product they've just purchased. You don't need to send them marketing communications as well.
To prepare for these proposed changes, review your Terms and Conditions agreements and other contracts. Check for references to "consent" or "personal information." Make sure that you're not using implied consent practices or making users consent to multiple things in order to simply use your service (unless actually necessary).
Proposed changes to PIPEDA would require businesses to provide clear information when requesting consent. This information would include details of:
Here's an example of how something like this could look, from Prestone:
To prepare for the new information requirement, review your consent requests.
Whenever you request consent, make sure you also provide clear and transparent information about what you'll be doing with the personal information your users provide.
Privacy laws typically provide individuals with some consumer rights that grant them control over their personal information. It's up to businesses to facilitate these rights for their users.
PIPEDA already contains a "right of access," which requires businesses to provide an individual with a copy of their personal information on request. The proposed changes to PIPEDA include a new "right to data mobility."
California's new privacy law, the CCPA, also requires this as part of its right of access. If an individual requests access to their personal information, you must provide them with a copy of their personal data in an "easily accessible format."
The GDPR provides a similar right: the "right to data portability." A business that receives a valid data portability request must provide the consumer with their personal information in a format that will allow consumers to transmit it to a different business.
Where an individual wishes to transmit their personal information to another business, the GDPR requires the companies to actually arrange this transmission between themselves.
PIPEDA's proposed right to data mobility is likely to go as far as the right to data portability under the GDPR.
If an amendment to PIPEDA introduces a new right to data mobility, you might need to implement a way for your users to download a portable copy of their personal information.
Here's how Twitter does this as a function within its "settings" menu:
The UK's Data Protection Authority, the Information Commissioner's Office (ICO), suggests using a file format such as CSV, XML, or JSON.
As mentioned, the right to data mobility is likely to require that businesses transmit their customers' personal information to another business where requested. This won't apply in all sectors, but you should be open to facilitating it.
If you believe you will receive such requests, it would be prudent to come to an arrangement with other businesses in your sector. Cooperating in this way will allow you to verify your users' requests and transmit their personal information more securely and efficiently.
The clause can be short and simple, as long as you make it known that users have such rights available to them.
Another consumer right common to many privacy laws is the "right to deletion." This is sometimes known as the "right to be forgotten."
Under PIPEDA, individuals already have a limited right to request the deletion of their personal information. But this can only be enforced by an individual where the personal information is inaccurate or outdated.
PIPEDA is weaker than other laws such as the GDPR and the CCPA in this respect. These laws don't require businesses to comply with a request for deletion in all circumstances. However, there must be a good reason to refuse to delete an individual's personal information.
The proposed changes to PIPEDA would give individuals a much stronger right to deletion.
Preparing for the introduction of a PIPEDA right to deletion would mean setting up a system that allows your users to make a deletion request.
You'll also need an easy way to carry out a deletion request. You can make this easier on your business by keeping your users' personal information well-organized.
There's no downside to this. So long as you don't need personal information, you should be happy to delete it. The less personal information you store, the less likely you are to suffer a data breach.
If your users can create an account with your service, you can usually delete their personal information once they close it. Account deletion is a good chance to jettison some unnecessary personal information from your servers.
You need to make sure your users understand the implications of their request. Here's the message that Instagram users see when deleting their accounts:
Of course, prevention is better than cure. It's much easier to manage deletion requests if you:
Canada's Office of the Privacy Commissioner (OPC) is well-respected and provides genuinely helpful guidance on Canadian privacy law. But the OPC doesn't have a lot of powers. The OPC mostly relies on recommendations and bringing cases before the Canadian courts.
The OPC is, quite frankly, toothless.
The Government proposes granting the OPC new powers to enforce PIPEDA and to issue fines and penalties directly. This would bring the organization closer to the EU's formidable Data Protection Authorities.
Although there's not much detail about what these new powers might be, it's clear that the age of "polite" enforcement could soon come to an end. This should convince all businesses operating in Canada to start taking their privacy practices more seriously.
Canada's Digital Charter might seem kind of vague and utopian at first glance. But the document is driving some truly significant changes to Canadian privacy law.
Here are our tips to help you prepare for the proposed changes to PIPEDA:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.