Impacts of Canadian Government Oversight of PIPEDA

Author: Thiago de Oliveira Teodoro, CISA, CDPSE
Date Published: 15 January 2021

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a comprehensive act that governs the collection, use and disclosure of personal information by private-sector organizations. The act was initially proposed as a mechanism to ensure trust in e-commerce in the early years of the Internet; since its enactment in April 2000, however, it has evolved toward stronger enforcement and oversight.1 In Canada, the Office of the Privacy Commissioner (OPC) is responsible for overseeing compliance with PIPEDA by investigating complaints, conducting audits and pursuing court action under federal privacy laws (i.e., the Privacy Act and PIPEDA). An overview of the incidents reported to the OPC from 2019 to 2020 helps to better understand how PIPEDA has affected private organizations and the public interest.

PIPEDA sets out 10 fair information principles that give individuals control over how their personal information is handled. The OPC also uses these principles to classify the complaints it receives, associating each complaint with the specific principle alleged to have been contravened (figure 1).

Figure 1—PIPEDA Principles

Principle: Definition

1. Accountability: "An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance."

2. Identifying purposes: "The organization shall identify the purposes for which personal information is collected at or before the time the information is collected."

3. Consent: "The individual's knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate."

4. Limiting collection: "The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Also, the information shall be collected by fair and lawful means."

5. Limiting use, disclosure and retention: "Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes."

6. Accuracy: "Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used."

7. Safeguards: "Personal information shall be protected by security safeguards appropriate to the sensitivity of the information."

8. Openness: "An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

9. Individual access: "Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate."

10. Challenging compliance: "An individual shall be able to address a challenge concerning compliance with the PIPEDA principles to the designated individual or individuals accountable for the organization's compliance."

Source: Adapted from Government of Canada, Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, Schedule 1, Section 5, 2019

The OPC enforces PIPEDA through a defined process.2 It starts when an individual or the OPC itself initiates a complaint. The complaint then passes through a triage process to verify whether there are grounds to open an investigation. Depending on the evidence collected, or if early resolution fails, additional enforcement mechanisms are available, ranging from administrative measures to legal action (e.g., an application to the Federal Court of Canada). As an alternative dispute resolution procedure, the early resolution process is a notable feature of PIPEDA enforcement.3 Available since 2004, and separate from the possibility of settlement during the course of an investigation, early resolution allows an issue to be dealt with before a formal investigation is opened.

The latest OPC statistics4 on incidents reported and investigations conducted from 2019 to 2020 show several trends (figure 2):

  • Unauthorized access and accidental disclosure are the most common types of privacy incident. One such case involved an organization that provided support to provincial and municipal political campaigns in Canada and stored the personal information of more than 35 million people from Canada and abroad, together with encryption keys and login credentials, in an unsecured GitLab repository.5
  • The main complaint types relate to individual access and consent. For instance, a recently reported case describes a commercial real estate enterprise that embedded cameras inside its digital information kiosks and used facial recognition on shoppers without their knowledge or consent.6
  • The industries most affected include financial services, telecommunications, sales and insurance. In the telecommunications sector specifically, inconsistencies between the privacy rules in Canadian communications laws have weakened the enforcement of PIPEDA.7 In the financial sector, tension between privacy and mandatory financial disclosure has also been raised regarding the data collection regime established by the Canadian Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PC(ML)TFA).8
  • The majority of cases were closed through early resolution rather than through a formal investigation and further enforcement. For the OPC, this represents an average of approximately 6 months to complete an early resolution case, compared with almost 21 months for cases with no or insufficient evidence (i.e., "not well founded") and 28 months for cases involving a conflict between jurisdictions.9 An example of a jurisdiction conflict occurred in 2018 when a New Zealand enterprise repurposed social media data from 4.5 million Canadian Facebook accounts without consent; the findings had to be forwarded to New Zealand's Office of the Privacy Commissioner for further consideration.10

Figure 2—OPC PIPEDA Complaints and Investigations (2019-2020)


Source: Adapted from Office of the Privacy Commissioner of Canada, 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act, 2020

Overall, 78% of the complaints were found to be well-founded, meaning the organization or institution had contravened one or more PIPEDA principles. One example of a well-founded case involved an insurance company's client who had consented to a review of their credit score during a claims adjustment process without being clearly informed of the purpose and intended use of the personal data collected. The insurer used that information to decide how much scrutiny to apply when settling a claim for damages.11

Conclusion

There are many privacy laws worldwide, and their oversight and enforcement present new challenges. Dedicated formal government structures are essential to guarantee that the privacy rights of individuals are protected. The Canadian experience offers some perspective on the oversight and enforcement of privacy regulations that could support other national agencies in implementing and managing similar programs. In the Canadian model, the existence of a process to collect, analyze and classify incidents is a valuable initiative for categorizing events, associating sanctions and aligning court procedures. The OPC's mediation role is also relevant in reducing the time required to settle incidents before resorting to an ordinary court procedure that could take years. These approaches can make it more accessible for individuals to exercise their right to protect their personal data and, at the same time, allow organizations to address issues and concerns about their clients' information.

Endnotes

1 Innovation, Science and Economic Development Canada, "Strengthening Privacy for the Digital Age," 21 May 2019
2 Office of the Privacy Commissioner of Canada, Enforcement of PIPEDA, 20 April 2017
3 Millar, S. A.; "Privacy and Security: Best Practices for Global Security," Journal of International Trade Law and Policy, vol. 5, iss. 1, 2006, p. 36–49
4 Office of the Privacy Commissioner of Canada, 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act, 2020
5 Catenacci, C.; "Joint Investigation by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia—BC Company Failed to Comply With Privacy Laws," First Reference, 2 December 2019
6 Office of the Privacy Commissioner of Canada, "Cadillac Fairview Collected 5 Million Shoppers' Images," Cision, 29 October 2020
7 Geist, M.; "All About the Internet: My Submission to the Broadcasting and Telecommunications Legislative Review Panel on the Future of Canadian Communications Law," 14 January 2019
8 Reynolds, M.; A. Laskin; A. Eftekharpour; "The Difficult Position: PIPEDA, PC(ML)TFA, and the Challenges of Dual Compliance," Banking and Finance Law Review, vol. 33, iss. 2, 2018, p. 213–225
9 Op cit Office of the Privacy Commissioner of Canada, 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act
10 Association of Records Managers and Administrators, "OPC Says Re-Use of Social Media Data Violates PIPEDA," Information Management Journal, vol. 52, iss. 5, 2018, p. 11
11 Haikola v. The Personal Insurance Company, 2019 ONSC 5982 (CanLII)

Thiago de Oliveira Teodoro, CISA, CDPSE

Is a consultant focusing on governance, risk, and compliance (GRC). He has 15 years of professional experience in auditing and internal controls in both the public and private sectors. He has served as an ISACA® Academic Advocate volunteer since 2011.