Serving Canada's Legal Community Since 1983  
RSS Feed RSS Feed
This Week's Issue:

Want to learn more about this week's issue?

Legal Update Services

Click on the links above to view recent decisions from the Supreme Court of Canada and summaries for noteworthy cases from across the country.

Privacy watchdog wants to see new office enforcement muscle

Fraser worries people would ‘lawyer up’ in face of enhanced powers
By Cristin Schmitz
May 27 2016 issue

Federal Privacy Commissioner Daniel Therrien, seen above in Ottawa, says it’s time the office moved beyond the role of ombudsman and gained regulatory powers, including the ability to levy fines, like those with similar roles in other countries. [ROY GROGAN FOR THE LAWYERS WEEKLY]

Click here to see full sized version.


Comments?
Please contact us at comments@lawyersweekly.ca.
Please include your name, your law firm or company name and address.

Canada’s privacy watchdog says “the time has come” to change his role under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) from that of an ombudsman, who can only make non-binding recommendations, to a regulator with authority to make binding orders, and even impose fines on recalcitrant organizations.

In an exclusive interview, federal Privacy Commissioner Daniel Therrien contrasted his limited enforcement powers (“naming and shaming” privacy transgressors and, on occasion, taking them to court) with those of EU and U.S. regulators.

“In many other jurisdictions, privacy regulators have order-making powers and they can impose fines for organizations that violate privacy laws,” Therrien said. “We’ve done well in Canada without these powers, but we think that the time has come to align our laws to those of other western democracies where privacy regulators do have order-making and fine powers. We’re dealing with organizations that are extremely wealthy. To recommend that they change a practice has some effect. But to be able to make an order, and to impose fines, when warranted, I think is necessary.”

The commissioner did not disclose what level of fines he considers appropriate (“we’re not there yet,” he said).

But his endorsement of adding beefed-up enforcement powers to the federal privacy regime — which he considers “an important enhancement” and “not a revolution” — will spark debate.

“I would be quite against…giving the commissioner order-making powers,” privacy law expert David Fraser of McInnes Cooper in Halifax told The Lawyers Weekly. “That would be a revolutionary thing in Canadian privacy law, and actually would require, I think, kind of essentially burning [the office of the privacy commissioner] to the ground and starting again because…if it’s going to have the ability to levy fines, or anything else like that, you have to build in all the procedural fairness requirements. You can’t have a kind of ‘judge-jury-executioner-prosecutor’ all in one office and all in one person, particularly in light of the advocacy-for-privacy role that the commissioner takes.”

Fraser called PIPEDA, as it stands, “a made-in-Canada solution that, in fact, is a complete solution. You have a privacy commissioner whose job…not to an insignificant degree, is framed as a champion of privacy, [who] investigates. The objective is principally to resolve [privacy complaints] and because the commissioner isn’t the cops, and isn’t the judge, at least in my experience, the businesses are inclined to sit down at the table with the commissioner and the commissioner’s investigators, lay all their cards on the table, and look towards building a solution, rather than something that is more adversarial. And so in fact I think all that goodwill would pretty well go out the window, and people would kind of ‘lawyer-up’ in the classic sense. It would get very defensive and it would get very adversarial.”

Fraser said having an impartial judge as the ultimate arbiter, under the current system, has worked. “Very, very seldom does it ever go that far,” he noted. “People are looking to get these things resolved.”

Moreover “interacting with folks in the commissioner’s office, their advocacy role sometimes —at least in my experience, and reasonable people can disagree — clouds their interpretation of the statute, of their law and their authorities,” he suggested.

Therrien’s comments in favour of more enforcement powers came after his office published a 31-page discussion paper May 11 as part of a public consultation until July 13 on “potential enhancements” to PIPEDA’s key requirement that entities must get individuals’ informed consent to commercial collection, use and disclosure of their personal information. The paper asks, but doesn’t answer, “What additional powers, if any, should be given to the office of the privacy commissioner to oversee compliance and enforce new or enhanced consent rules?”

Privacy lawyer Deirdre Wade of Cox & Palmer in Saint John, N.B., agreed with Fraser that the fundamental questions of the commissioner’s role and enforcement powers require a separate discussion paper and consultation. “I wouldn’t think that you would give a privacy commissioner order-making power, based on four paragraphs tacked on to the end of a report on consent,” she said, noting she was speaking on her own account, and not as the past chair of the Canadian Bar Association’s (CBA) national privacy and information law section.

A decade ago the CBA recommended against giving order-making powers to the office of the privacy commissioner, as it is currently structured. Combining the roles of advocacy, investigation and decision-making in one office could violate the s. 7 Charter principles of fundamental justice and undermine the commissioner’s credibility by placing him in a conflict of interest, the association said. It suggested the government instead consider boosting enforcement by creating an impartial tribunal that would operate relatively informally and have the power to make orders and award damages.

“We have to sort of come to some kind of grips where all this is going,” Wade said. “Is privacy something that should be retained in the jurisdiction of the court, or is it something that we want to separate and give to an administrative tribunal or administrative officer?” she asked. “What do we want our privacy watchdogs to be?”

The discussion paper notes that a study by Osgoode Hall Law School dean Lorne Sossin and Université de Montréal law professor France Houle in 2010 found that provincial information commissioners with order-making powers use them sparingly, preferring to resolve complaints through mediation, conciliation and other informal means. However, Sossin and Houle remarked that the experiences of privacy regulators here and abroad indicate that “the ability to levy fines and other order-making capabilities can lead to additional compliance and serve as an important deterrent, even if not used often.”

The discussion paper also indicates that while consent remains a cornerstone of PIPEDA, cracks are emerging from the weight of new digital technologies and business models.

Some suggest PIPEDA’s requirement to get informed consent from individuals should be dropped when obtaining it is “impracticable” — in favour of alternatives that better balance business needs with the individual’s control over their personal information.

The discussion paper highlights possible changes — via amendments or within the current statutory framework — which the commissioner says deserve consideration.

“There’s still a place for consent,” Therrien said. “There’s still a place for organizations to properly advise consumers about what will happen to their information. But the new reality, including big data and the Internet of things [digital devices connected via the Internet] really beg the question of: Is [consent] realistic in certain circumstances?”

For example, is obtaining informed consent practical, or even possible, in the context of complex and multi-party business models — where dozens, or even hundreds, of companies can be involved in a single business transaction?

“There may be situations where it’s not practical,” Therrien acknowledges. “So in that case let’s adapt our laws to the technological reality so that businesses could continue to operate and innovate and have business relationships that make sense from their perspective, yet — and it is an important yet — it is my job to ensure that this is done in a privacy-sensitive way.”

The human rights lawyer, a career public servant who marks his second anniversary as privacy commissioner next month, invites the bar to reflect on the paper’s questions and options for reform, or propose their own. “Lawyers, particularly those who advise companies who process information for a living, will know first-hand when [the requirement of consent] works and when it’s challenged, and what kind of changes, amendments or improvements would be required to align the concept with the new technological reality,” Therrien says. “What I would like for lawyers…given their experience, is to make the best suggestions that they can think of to make the consent model more effective in balancing the needs of business and consumers.”

The commissioner’s quest to find ways to adapt the traditional privacy law concept of consent to the digital era is part of a larger ongoing consultation, which began in 2014 by soliciting the public’s input on what his office’s strategic priorities should be and also includes a discussion paper earlier this year exploring online reputations and the purported “right to be forgotten.”

Click here to see this article in our digital edition (available to subscribers).