nNovation LLP

Small Canadian regulatory law firm with a big presence

Privacy Commissioner of Canada

Loblaw’s errors are overblown

by Leave a Comment

The Office of the Privacy Commissioner of Canada (OPC) released its Report of Findings into the Loblaw’s gift card matter this week.  This case was first reported in the news several months ago when people complained that they had to provide a fair amount of personal information in order to authenticate themselves if they wanted to receive a compensatory gift card as part of the bread price-fixing fiasco. So, suffice it to say they were an already-irritated bunch.

It turns out that, after all the hoopla, Loblaw didn’t really do too much wrong in this case. I cannot say I am surprised. In a few instances, they did ask for people to provide their driver’s license as part of the authentication process and failed to adequately inform them that they could redact all the information on the license except for the name and address.  As they got better with their communications (isn’t it almost always about better communications?), people were informed of other ways they could prove  they lived where they claimed to be living.

So, the news amounts to an over collection of information – namely the driver’s license number – but for me, there are other nuggets in the OPC’s Report that are worth focusing on.

First, the OPC quotes from the Loblaw’s privacy statements and endorses the language used to explain how the personal information was being processed in other countries. It’s one of the first instances that I can think of where the OPC has provided an example of language for these messages that it considers adequate. I’m particularly glad with this because if the OPC reports more often in this manner, we’ll be able to learn what language meets requirements and what language fails to meet the test.

Similarly, the OPC examined the contracts that were in place between Loblaw and its processors. While the specific contractual language is not repeated, the OPC does provide a shopping list of clauses that were contained in the contracts.  Paragraph 41 of the Report says:

The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.

Moreover, the OPC endorses these clauses as having met the accountability requirements in PIPEDA.  The European DPAs have long provided input on what specifically needs to be in a contract and it’s good to see the OPC providing an example in this case.  

I guess, in a perfect world, they might even go a step further and provide a precedent contract for us privacy pros to use when negotiating with our processors.  But, regardless, this is definitely a step in the right direction and I hope for more of this type of guidance in future Reports of Findings.  On that note, I can’t help but notice that the Loblaw case summary is numbered 2019-003.  If that means we have only had 3 reported cases this entire year, I’m disappointed because, in my mind, they can be a really excellent way of getting meaningful guidance out there. 

OPC guidance on data transfers: status quo (for now)

by Leave a Comment

Following a consultation process that has seen lots of twists and turns, the Office of the Privacy Commissioner of Canada (OPC) has now decided to stick with its 2009 position that organizations do not require consent to transfer personal information to third-parties for processing.

Here’s a brief recap of how we ended up at this point.

In 2009, following an investigation into a complaint about transfers of personal information to third-party processors located in the U.S., the OPC published a policy position that transfers to third-party processors are not “disclosures” under the Personal Information Protection and Electronic Documents Act, regardless of the processor’s location. Rather, the OPC concluded that such a transfer is a “use” (a point that I strongly disagree with, more on this here), and, specifically, a type of use for which consent is not required. The OPC advised that, among other things, organizations transferring personal information across borders must ensure an adequate level of protection and notify individuals of the transfer and that their information could be accessed by law enforcement agencies in the foreign jurisdiction.

In 2017, Equifax experienced a massive data breach, affecting more than 143 million individuals, including approximately 19,000 Canadians. The OPC’s investigation (the report was published in April of this year) found that Equifax Canada had failed to demonstrate adequate accountability over personal information transferred to its parent company, Equifax Inc., located in the U.S., which the OPC characterized as a “third party” to Equifax Canada. The OPC found that Equifax Canada should have obtained consent to transfer the personal information of Canadians to Equifax Inc.

At the same time the Equifax report of findings was published, the OPC also published a consultation document revisiting its 2009 policy position, stating that “that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.

This, understandably, caused a near meltdown in the privacy community.

Then, speaking at the International Association of Privacy Professionals Canada Privacy Symposium May 22, Privacy Commissioner Daniel Therrien announced that the consultation would be suspended to allow the OPC to retool in light of the “Digital Charter,” which had been published by the Department of Innovation, Science and Economic Development the day before. Among other things, the Digital Charter provides a high-level outline of the federal government’s plan for amending PIPEDA.

While this announcement seemed like a potential end to the consultations, they came back to life with the OPC’s reframed discussion document, published June 11. The document requested feedback on a number of questions about how transborder data flows and transfers for processing should be addressed in the shorter and longer terms.

On Sept. 24, less than two months after the deadline for making submissions, the OPC announced that its 2009 policy position “will remain unchanged under the current law.” The OPC received a lot of submissions – 87 – the “vast majority” of which, according to the OPC, “took the view there was no requirement under [PIPEDA] to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.

So the OPC continues to hold the position that PIPEDA does not require consent to transfer personal information to third parties for processing. This is a very good thing, because a consent requirement would be disastrous for Canadian businesses. And the OPC should be commended for conducting a real consultation, actually listening to stakeholders, and doing it all relatively quickly.

This process has made it clear that the OPC thinks that consent should be required for transfers that occur across borders. Fortunately, however, given the nearly universal rejection of this idea, it seems very unlikely the government would choose to go this route.

OPC wins again in Google right to de-indexing case

by Leave a Comment

The Office of the Privacy Commissioner’s Reference before the Federal Court to determine whether Google is subject to the Personal Information Protection and Electronic Documents Act has passed another procedural milestone. Once again, the OPC can claim victory.

Google and media try to expand Reference

The OPC brought the reference in 2018 to ask the Federal Court to determine whether PIPEDA applies to Google when Google indexes webpages and presents search results in response to searches of an individual’s name. In essence, the question is whether Google is engaged in a form of commercial activity (otherwise PIPEDA does not apply). Google says it is not. The Reference also asks whether Google is exempt from PIPEDA because it involves the collection, use or disclosure of personal information for journalistic, artistic or literary purposes (and no other purposes). Google says it is.

Google countered the OPC’s move by attempting to expand the scope of the Reference to consider the application of the Canadian Charter of Rights and Freedoms. In particular, Google wanted the court to consider whether the application of PIPEDA to Google search would infringe section 2(b) of the Charter – freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication. Google claims that the mere application of PIPEDA to Google search would breach its right to free speech. In essence, Google claims a special zone of operation for Google search – free from the constraints of privacy laws. Google was joined by media parties who wanted to intervene to make this argument.

Federal Court twice shuts down Google and media request

On July 22, 2019, Associate Chief Justice Jocelyne Gagné released her reasons dismissing appeals that Google and certain news media had launched from orders of Prothonotary Mireille Tabib. Prothonotary Tabib had rejected the news media’s request to intervene and had dismissed Google’s attempt to broaden the reference.

In confirming Prothonotary Tabib’s orders, Justice Gagné concluded that the premise of Google’s argument regarding freedom of expression rested on the assumption that PIPEDA applied to Google search. However, that was the very question to be determined by the court. Moreover, even if PIPEDA did apply, the question of how it would apply would depend on particular facts. Justice Gagné called Google’s bluff. If Google really thought that the very hint of application of PIPEDA to Google search rendered PIPEDA unconstitutional, why, she asked, hadn’t Google just brought an application seeking a declaration of invalidity of PIPEDA?

With the expanded scope of the Reference off the table, the news media remain shut out of the Reference.

Our submission to the OPC consultation on transfers for processing

by Leave a Comment

Between busy work schedules and attempts to squeeze some enjoyment out of the great summer weather, it’s not easy to find the time to write a submission to the Office of the Privacy Commissioner of Canada (OPC) consultation on transfers for processing. But we did it; not because we wanted to spend even more time indoors, but because this is a really important issue, and we wanted to be sure that our perspective was heard (our submission is here).

Until recently, the notion that a transfer of personal information for processing (regardless of the location of the processor) is not a disclosure, and does not require consent, seemed like a simple fact under PIPEDA that everyone acknowledged and accepted. It was also, in our view, intentional, reflecting one of the finer examples of foresight and wisdom demonstrated by the drafters of PIPEDA.

While we still believe this to be true, that the OPC may be trying to change this is concerning, and shows that you can never really take anything for granted in law. Here’s hoping that our submission (and, we assume, the many others with a similar perspective) is effective.

Clarity on the Privacy Commissioner’s Consultation on Transborder Data Flows

by Leave a Comment

I (and many other privacy lawyers I’m sure) have been asked countless times this past week for clarity on the Office of the Privacy Commissioner’s consultation process regarding transborder data flows and the transfer of personal information for processing purposes. I’m humbled that people think I somehow know what to do or what to say; however, all I can do is provide my best interpretation of what’s going on and why.

For background, in case you missed it, the OPC issued its Equifax Report of Findings a few weeks ago and, at the same time, proposed a new interpretation of PIPEDA that changed the office’s position on transborder data flows. A transfer to a third party outside of the country for processing purposes was now going to be considered a disclosure – one requiring some sort of consent mechanism.

Before finalizing their position, Commissioner Therrien, as he has been known to do since taking up the mantle of Privacy Commissioner, wanted to consult more broadly with stakeholders about their proposed change in position. This resulted in a number of organizations, advocacy groups, businesses and individuals mobilizing efforts with a view of eventually providing submissions that might have influenced the final outcome.

Then, last week, the Department of Industry, Science and Economic Development (ISED, the government Ministry responsible for PIPEDA), issued some sort of commitment to modernize and amend PIPEDA in a number of significant ways.  The Digest last week had an article about it if you missed it. This (somewhat of a) commitment to change the law could very well have an impact on how Canada deals with the issue of transborder data flows and the issue of whether consent is required for processing information in this way.

Recognizing that this entire issue was therefore subject to legislative reform, Commissioner Therrien announced at last week’s Symposium during his Annual Address to the Profession, that he was suspending his consultation process so that he could restructure it in light of some of ISED’s proposals.

As of today, we are waiting to see from the OPC what their revised consultation process is going to look like.  I personally think it might get subsumed with the larger consultation process ISED has begun on PIPEDA reform. What we know for sure, however, is that if you already have a submission, the OPC has said that you can provide it to them and that they will consider it going forward.

So, all that to say, there’s a bit of uncertainty surrounding this issue.  That being said, I think it’s fair to say that there’s a bit of uncertainty when it comes to all of privacy regulation in Canada more broadly.  Apart from the transborder data flow issue, ISED’s proposals to amend PIPEDA might result in a completely different regulatory landscape that doesn’t look anything like the one we’ve got now. So, in my mind, everything seems to be a moving target. Nineteen years ago, my colleagues and I published The Law of Privacy in Canada. It was borne of the idea that privacy regulation in Canada was about to dramatically change and that people would want to learn about it. At this point, my sense is that we’re at a similar tipping point today. I certainly foresee a lot of updates to my book in the near future!