House of Commons Standing Committee Report on PIPEDA

Published on

March 29, 2018

Mar 2018 Charity & NFP Law Update

On February 28, 2018 the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (the “Committee”) tabled for consideration its report “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act” (the “Report”). The Report contains 19 recommendations that would update the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and align it with the European Union’s General Data Protection Regulation (“GDPR”), which is coming into force in May, 2018.

Several of the recommendations in the Report deal with consent under PIPEDA. The Report recommends that consent remain the core model for PIPEDA’s privacy regime but that the consent model be enhanced and clarified by additional means (Recommendation 1). In response to concerns about organizations using personal information for secondary purposes such as marketing, the Report recommends that an opt-in system of consent – in which users explicitly choose to disclose their personal information – be implemented as the default for any use of personal information for secondary purposes and, potentially, for all purposes (Recommendation 2). Affirming that the right to revoke consent is a key element in maintaining a consent-based privacy model, the Report recommends that the government study the issue of revocation of consent and its legal and practical implications, particularly in relation to social media, where personal information may have been copied and shared with others (Recommendation 4). The Report examines the challenges of the consent-based model when dealing with minors, particularly in light of the GDPR and the United States Children’s Online Privacy Protection Act, both of which mandate parental consent for collecting personal information from children below a prescribed age. The Report recommends that the government consider implementing specific rules of consent for minors and for the collection, use and disclosure of their personal information, which would limit the ability of organizations to collect, use and disclose the personal information of minors (Recommendation 9).

The Report also makes a number of recommendations that address new rights inspired by the GDPR. The Report recommends that PIPEDA be amended to provide for a right to data portability which would allow users to request and easily transfer their personal information from one provider to another (Recommendation 10). The Report recommends that the government consider including in PIPEDA a framework for a right to erasure in which online information could be deleted, including, at a minimum, the right for minors to have their information taken down (Recommendation 11). The Report also recommends that the government consider including a framework for a right to de-indexing, which would not delete the information but would ensure that it no longer appears in online searches, and that this right would be expressly recognized in the case of personal information posted online while a person was a minor (Recommendation 12). This was similarly recommended in the Office of the Privacy Commissioner of Canada’s Draft Position on Online Reputation, discussed in Charity & NFP Law Bulletin No. 416.

The Report also recommends that PIPEDA be amended to make “privacy by design” a central principle. Privacy by design, which has been entrenched in the GDPR, means that privacy considerations are taken into account at all stages of a service or system and that measures to protect personal information are implemented proactively and preventively (Recommendation 14).

A number of recommendations would grant new enforcement and audit powers to the Privacy Commissioner of Canada (Recommendations 15 and 16). The Report also recommends a collaborative approach with the European Union and with the Canadian provinces and territories to maintain Canada’s adequacy status under the GDPR (Recommendations 17 and 19) and that the government consider what changes must be made to PIPEDA to maintain its adequacy status under the GDPR (Recommendation 18). Adequacy status is required in order to ensure that data can continue to flow from the European Union to Canada.

As privacy continues to be a growing concern for legislators and the global community, charities and not-for-profits should continue to monitor these developments. Should the recommendations of the Report find their way into PIPEDA or any other Canadian legislation, these may potentially affect interactions with donors, volunteers, beneficiaries of charitable programs, and contractual counterparties, including employees and service providers.


Read the March 2018 Charity & NFP Law Update