Table of Contents
- 1.0 Introduction
- 2.0 OPC Policies and Procedures on Enforcement (PIPEDA)
- 3.0 Substantially Similar Provincial Legislation
- 4.0 Compliance Agreements
1.0 Introduction
1.1 On July 13, 2017, Canadian Government and European Commission officials held a videoconference to review the May 2017 Update Report on developments in data protection law in Canada (2001-2017). During this session, EC officials sought clarification on several elements of the report. This Addendum has been prepared to provide additional information and clarification on elements that relate to the oversight role of the Office of the Privacy Commissioner of Canada (OPC) as the regulator under the Personal Information Protection and Electronic Documents Act (PIPEDA). The Addendum includes further information on the OPC policies and procedures on enforcement, a summary of trends related to PIPEDA investigations, an overview of "substantially similar" designations under the Act, and an explanation of compliance agreements and how they are being used.
1.2 Additional questions arising from the Update Report that are not confined to enforcement of PIPEDA will be addressed in the next regular Update Report.
2.0 OPC policies and procedures on enforcement
2.1 In response to the request for additional information on the enforcement policies and procedures of the Office of the Privacy Commissioner of Canada with respect to the Personal Information Protection and Electronic Documents Act, as referenced in Section 3.1 of the May 2017 Update Report, we offer the following information on the OPC, its oversight and enforcement functions, investigations by the Commissioner and how they were resolved, and related significant trends.
2.2 The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with Part 1 of PIPEDA, which sets out the privacy obligations private sector organizations must adhere to when they handle personal information in the course of their commercial activities. For federally regulated organizations, PIPEDA also applies to the personal information of employees as well as applicants for employment.
2.3 The OPC oversees compliance with PIPEDA in a variety of ways, including formal and informal actions of both a reactive and proactive nature. Such activities include: investigating privacy complaints that are either filed by individuals or initiated by the Commissioner, following up on breach reports, resolving complaint matters through early resolution, conducting reviews of organizations' personal information handling practices, issuing letters of concern to organizations, and participating in sector- or issue-wide international privacy sweeps. For detailed information on the complaints process, please refer to www.priv.gc.ca/biens-assets/compliance-framework/en/index#.
2.4 Section 24 of PIPEDA requires the Commissioner to promote the purposes of the Act. This is done through a variety of means, including public education, the issuance of guidance and outreach activities (directed to organizations and consumers), undertaking and publishing research on privacy issues, and providing funding for academic or other research on privacy issues, for example, through the OPC's Contributions Program.
2.5 With respect to addressing and resolving complaints, the OPC follows the process outlined below:
- An individual may complain to the OPC about any alleged breaches of the law. The Commissioner may also initiate a complaint if there are reasonable grounds.
- Whenever possible, the OPC seeks to resolve disputes through investigation, persuasion, mediation and conciliation. In some cases, where a complaint involves a concern that could potentially be resolved quickly and consensually, the complaint is referred to the Early Resolution Unit.
- An Early Resolution officer works with both the complainant and the respondent organization to identify a solution that satisfies all parties without a formal investigation.
- If a resolution cannot be found, the complaint is then investigated and ultimately a report of findings is issued by the OPC, unless the matter is discontinued.
- The Commissioner makes findings and non-binding recommendations, not orders. When recommendations are accepted by an organization, a well-founded matter can be determined to be "resolved" (or "conditionally resolved" if the remedy takes time to implement).
- PIPEDA does allow complainants or the Privacy Commissioner to apply to the Federal Court for a hearing in certain cases.
- The Court may order an organization to change its practices and/or award damages to a complainant, including damages for any humiliation suffered.
- The Commissioner may also resolve a matter with an organization through a court-enforceable Compliance Agreement (see dedicated discussion below).
2.6 For recent trends in PIPEDA investigations, please refer to the OPC's annual report, which was tabled in Parliament on September 21, 2017. Past annual reports can be found here.
3.0 Substantially Similar Provincial Legislation
3.1 In response to the request for additional information on the designation of "substantially similar" granted to provincial/territorial privacy legislation under PIPEDA, and the roles and responsibilities of data protection authorities in and across jurisdictions, we offer the following clarifications to Sections 3.3 to 3.5 of the May 2017 Update Report.
3.2 Under paragraph 26(2)(b) of PIPEDA, the Governor in Council can exempt an organization, a class of organizations, an activity or a class of activities from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within a province that has passed legislation deemed to be substantially similar to PIPEDA.
3.3 There are three fundamental requirements for a provincial law to be considered substantially similar to PIPEDA.
- The law must incorporate all 10 principles of the Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, which appear as Schedule 1 (Section 5) of PIPEDA. These principles do not have to be enumerated distinctly and separately in substantially similar legislation - what is important is that they all be represented. Special emphasis is placed on the principles of consent, access and correction rights.
- The law must provide for an independent and effective oversight and redress mechanism with powers to investigate. The effective enforcement of privacy protection and recourse for individuals who believe that their personal information has been misused are both essential.
- The law must restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate. Substantially similar legislation must include some reference to the reasonableness and appropriateness of the purposes for which it authorizes the collection, use or disclosure of personal information.
3.4 Organizations that are subject to provincial legislation deemed substantially similar are exempt from PIPEDA with respect to the collection, use or disclosure of personal information occurring within that province. PIPEDA continues to apply where there is no substantially similar legislation; where personal information crosses borders for consideration; and, where the collection, use or disclosure of personal information is carried out by federally regulated businesses irrespective of the province.
3.5 The determination of the substantially similar nature of a provincial private sector privacy law is made by the Governor in Council, based on a recommendation by the Minister of Industry (Footnote 1). On August 3, 2002, Industry Canada published the "Process for the Determination of 'Substantially Similar' Provincial Legislation by the Governor in Council" which, in addition to outlining the policy and criteria used to determine whether provincial legislation will be considered as substantially similar, states that the Department of Industry (Footnote 2) will seek, consider and reflect the views of the Office of the Privacy Commissioner of Canada in developing its recommendation to the Governor in Council. Specifically:
"As an independent Officer of Parliament, the Privacy Commissioner can present his views on provincial/territorial privacy legislation, including draft legislation, as he deems appropriate. Subsection 25(1) of PIPEDA requires the Commissioner to report to Parliament annually, and to report specifically on the extent to which the provinces have enacted legislation that is substantially similar ... and the application of any such legislation. The Privacy Commissioner [shall] consult directly with his counterpart(s) or any other person who is in a position to assist him in the relevant provinces prior to the release of his Annual Report.
In order to allow the Privacy Commissioner to carry out his mandate under subsection 25(1) of PIPEDA, the Minister of Industry will inform the Privacy Commissioner of a request under subsection 26(2) when it is received, and will seek the Privacy Commissioner's view as to whether the legislation is substantially similar to PIPEDA. For all submissions to the Governor in Council, the Minister will consider and include the views of the Privacy Commissioner."
3.6 Section 23 of PIPEDA gives the Commissioner authority to consult with his provincial counterparts on a variety of privacy issues. For example, the OPC may communicate with Provincial offices with substantially similar laws to discuss jurisdictional issues to determine which office is better suited to handle a particular complaint.
3.7 The Information and Privacy Commissioners of British Columbia, Alberta and the OPC have signed a Memorandum of Understanding (MOU) which sets out a framework for consulting, cooperating and sharing relevant information on private sector privacy issues, including with respect to investigations on matters of mutual interest which affect Canadians in each of our jurisdictions. An example of a joint federal-provincial investigation can be found here.
3.8 The OPC has also signed an MOU with the Ontario Information and Privacy Commissioner related to the administration and enforcement of PIPEDA and the Ontario Personal Health Information Protection Act (PHIPA).
3.9 Pursuant to the MOU between the OPC, BC and AB, the Private Sector Privacy (PSP) Forum, consisting of representatives from the BC and AB privacy oversight offices and the OPC, is the primary vehicle for achieving the objectives set out in the MOU. PSP Forum activities include discussing issues such as legislative changes and research and policy matters, and collaborating on the development of guidance documents. An example of joint federal-provincial guidance is "Getting accountability right with a privacy management program." Although Quebec is not a signatory to the MOU, it does participate in the forum for discussions related to general privacy issues.
3.10 A subgroup of the PSP Forum is the Domestic Enforcement Collaboration Forum (DECF), which provides an opportunity for representatives from the BC and AB privacy oversight offices and the OPC to collaborate on enforcement matters. The DECF focuses on the following activities: 1) identifying new complaints or incidents of potential interest for collaboration; 2) providing updates and strategic advice on ongoing collaborative investigations and incidents; and 3) discussing key investigations and other informal enforcement matters of interest to participants.
3.11 Collaborating on breach incidents has been a key focus of the DECF, to ensure that a thorough and efficient assessment of each incident occurs to the benefit of all Canadians. In addition to breaches, each participating office is encouraged to highlight any active investigations which it thinks may be of interest to the other offices or may have a potential collaborative aspect. These discussions have led to collaborative activity on some matters and have ensured a consistent approach on certain positions. The DECF also discusses general trends, approaches and best practices with respect to complaints and investigations.
3.12 The OPC also may collaborate with provincial offices on private sector privacy matters as part of the Global Privacy Enforcement Network, for example in the annual GPEN Sweep initiative. For more information on GPEN sweeps, please refer to the GPEN and OPC websites.
4.0 Compliance Agreements
4.1 In response to the request for additional information on compliance agreements under PIPEDA and how they relate to court actions and the role of the Privacy Commissioner, we offer the following supplemental information to Section 3.14 of the May 2017 Update Report.
4.2 The Digital Privacy Act, 2015 includes provisions allowing the Privacy Commissioner to enter into compliance agreements aimed at ensuring organizations comply with PIPEDA. Compliance Agreements, as provided for under section 17.1 of PIPEDA (Footnote 3), may be invoked where the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of PIPEDA or a failure to follow a recommendation in Schedule 1 to the Act.
4.3 The OPC's submission to the Senate Committee studying Bill S-4 outlined the benefits of compliance agreements as a way of ensuring that organizations honour their commitments to improve privacy practices without the OPC having to resort to court action.
4.4 Compliance agreements are a fairly new tool under PIPEDA. If an organization fails to meet the commitments in a compliance agreement, the OPC can apply to the Federal Court for an order requiring the organization to comply with the terms of the agreement. The fulfillment of Compliance Agreements is tracked internally by the Compliance Monitoring Unit. When the OPC has determined that an organization has successfully executed all of its commitments in a compliance agreement, it will notify the organization to that effect. Two examples of Compliance Agreements are as follows:
4.5 Additional information about compliance agreements can be found in the Enforcement of PIPEDA chart.