Tuesday, December 13, 2016

Parliamentary Committee calls for reform of federal Privacy Act

Yesterday, the Parliament of Canada Standing Committee on Access to Information, Privacy and Ethics issued the result of its study of the Privacy Act. The Act, which regulates the collection, use and disclosure of personal information by federal public bodies, is antiquated and is in dire need of reform. You'll see in the Report that I appeared as a witness, generally backing the recommendations of the Privacy Commissioner and the Canadian Bar Association.

Many of the recommendations are not new and have been ignored by a succession of federal governments. We'll see what happens now ...

Here, in short, are the recommendations:

LIST OF RECOMMENDATIONS

RECOMMENDATION 1

a) That the purpose clause in section 2 of the Privacy Act be expanded to reinforce the quasi-constitutional nature of privacy rights by including generally accepted and technologically neutral privacy principles similar to those contained in the Personal Information Protection and Electronic Documents Act, including accountability; identifying purposes; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

b) That the Privacy Act be modified to clarify that the privacy principles in the amended purpose clause shall guide the interpretation of the Act.

RECOMMENDATION 2

That the definition of “personal information” in section 3 of the Privacy Act be amended to ensure that it be technologically neutral and that it include unrecorded information.

RECOMMENDATION 3

That the Government of Canada define metadata in the Privacy Act, in a technologically neutral way and with an emphasis on the information it can reveal about an individual.

RECOMMENDATION 4

That the Privacy Act be amended to require that all information sharing under paragraphs 8(2)(a) and (f) of the Privacy Act be governed by written agreements and that these agreements include specified elements.

RECOMMENDATION 5

That the Privacy Act be amended to create an explicit requirement that new or amended information-sharing agreements be submitted to the Office of the Privacy Commissioner of Canada for review, and that existing agreements should be reviewable by the Privacy Commissioner upon request.

RECOMMENDATION 6

a) That the Privacy Act be amended to create an explicit requirement that departments be transparent about the existence of any information-sharing agreements.

b) That the Privacy Act be amended to require, except in appropriate circumstances, the publication of the content of information-sharing agreements between departments or with other governments.

RECOMMENDATION 7

That the Privacy Act be amended to create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data.

RECOMMENDATION 8

That the Privacy Act be amended to set out clear consequences for failing to safeguard personal information.

RECOMMENDATION 9

That the Privacy Act be amended to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner.

RECOMMENDATION 10

That the Privacy Act be amended to create an explicit requirement for government institutions to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.

RECOMMENDATION 11

That section 4 of the Privacy Act be amended to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information, consistent with other privacy laws in effect in Canada and abroad.

RECOMMENDATION 12

That the Privacy Act be amended to clarify that a recipient federal institution that receives personal information through information sharing with another federal institution is collecting personal information within the meaning of section 4 of the Privacy Act, and must meet the criteria of necessity and proportionality that apply to the collection of personal information.

RECOMMENDATION 13

That section 6 of the Privacy Act be amended so as to explicitly require compliance with the criteria of necessity and proportionality in the context of any retention of personal information.

RECOMMENDATION 14

That the Privacy Act be amended to set clear rules governing the collection and protection of personal information that is collected on the internet and through social media.

RECOMMENDATION 15

a) That the Government of Canada strengthen the oversight of privacy rights by adopting an order-making model with clear and rigorously defined parameters.

b) That, in order to ensure the most effective use of resources, the Government of Canada explore ways of finding efficiencies, by, among other things, combining the adjudicative functions of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada.

RECOMMENDATION 16

That the Government of Canada further examine the possibility of expanding judicial recourse and remedies under the Privacy Act.

RECOMMENDATION 17

That the Privacy Act be amended to include a requirement for government institutions to conduct privacy impact assessments for new or significantly amended programs and submit them to the Office of the Privacy Commissioner of Canada in a timely manner.

RECOMMENDATION 18

That the Privacy Act be amended to require federal government institutions to consult with the Office of the Privacy Commissioner of Canada on draft legislation and regulations with privacy implications before they are implemented.

RECOMMENDATION 19

That the Privacy Act be amended to explicitly confer the Privacy Commissioner with:

a) the authority to conduct, on his own initiative, research and studies on issues of public importance, and

b) a mandate to undertake public education and awareness activities.

RECOMMENDATION 20

That the Privacy Act be amended to require an ongoing five-year parliamentary review.

RECOMMENDATION 21

That section 64 of the Privacy Act be amended to create an exemption from confidentiality requirements to provide the Privacy Commissioner with the discretionary authority to report proactively on government privacy issues where he considers it in the public interest to do so.

RECOMMENDATION 22

That the Privacy Act be amended to expand the ability of the Office of the Privacy Commissioner of Canada to collaborate with other data protection authorities and review bodies on audits and investigations of shared concern in connection with Privacy Act issues.

RECOMMENDATION 23

That section 32 of the Privacy Act be amended to grant the Privacy Commissioner discretion to discontinue or decline complaints on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith, and that the Commissioner’s decision to discontinue or decline a complaint be subject to a right of appeal by the complainant.

RECOMMENDATION 24

That reporting requirements on broader privacy issues dealt with by federal institutions be reinforced by requiring the addition of a descriptive element so as to make the information in the reports accessible and relevant.

RECOMMENDATION 25

That there be specific transparency requirements for lawful access requests from agencies involved in law enforcement.

RECOMMENDATION 26

That the Government of Canada explore extending the scope of the Privacy Act to all federal government institutions, including ministers’ offices and the Prime Minister’s Office.

RECOMMENDATION 27

That the Government of Canada consider extending the right of access to personal information to foreign nationals.

RECOMMENDATION 28

That the Government of Canada examine the possibility of limiting exemptions to access to personal information requests under the Privacy Act.

Thursday, December 01, 2016

Did the Supreme Court of Canada formally establish a new form of consent? Is "implied consent" really "deemed, irrevocable consent"?

I just posted a comment on the new Royal Bank of Canada v. Trang decision from the Supreme Court of Canada (Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections), but there’s an aspect of it I’d like to dig into further.

On close review, it does appear that the Supreme Court of Canada has -- perhaps inadvertently -- re-written a key aspect of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). In the decision, the Court found that Scotiabank had Trang’s implied consent to disclose a mortgage discharge statement to the Royal Bank of Canada. I don’t think that’s very controversial, but if you dig into it, the Court’s conclusion is significant. It found that "implied consent" is really not consent, but deemed and irrevocable consent where it’s reasonable.

“Implied consent” is consent where you can imply someone’s permission or consent from the circumstances. For example, if I ask someone for their name and address to send them something and they give their name and address, you can imply their consent to use it for that purpose. In other circumstances, it can be unspoken. If I were to ask the same person for their name and address and it is clear in the circumstances that I’d be using it to send them something, their consent can be implied by their providing the information.

This is in contrast to express consent, which is where the individual has expressed his or her consent at the time. (“Yes, I give you consent to use my name and address to send me that thing.”)

All of this is clear from PIPEDA. But what is also clear from PIPEDA is that an individual can withdraw his or her consent at any time:

4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

In the Trang case, it was abundantly clear that Trang did not consent to any disclosure of the mortgage discharge statement. While the decision does not specifically say that Trang revoked it, it is clear that Trang was asked and did not consent. Further, Trang did not appear at an examination in aid of execution. (I’d imply no consent there.)

So what does this mean? In short, “implied consent” as used by the Supreme Court here is really not “implied consent” but “deemed consent”. It’s a consent that is reasonable in the circumstances but really cannot be revoked or overridden. It occurs regardless of the actual wishes of the individual. And that’s a big deal.

Now, I don’t think that the Supreme Court just made this up. You might even say it is necessary given that PIPEDA only has a limited number of circumstances where an organization can do away with consent, all of which are listed in s. 7 of the Act. We can see many examples in findings from the Office of the Privacy Commissioner of Canada, particularly those that arise in the workplace. For example, in Transit driver objects to use of technology (MDT and GPS) on company vehicle, the Commissioner found there was implied consent for a transit operation to use GPS to track his movements on the job. The driver who complained clearly objected -- definitively communicated a lack of consent -- but the Commissioner found that the purpose was reasonable and that notice was given to the employees, so all was kosher.

Much of this has been fixed with the Digital Privacy Act (but only for employees), which added this new section 7.3:

Employment relationship

7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

(b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

So 7.3 fixes it and makes this discussion moot in the employment context, but the Supreme Court’s decision seems to support the proposition that there are circumstances where implied consent really equals deemed, irrevocable consent.

I hesitate to predict how this will play out in the future, but it's likely significant.