It has long been an article of faith among privacy watchers that Canada features better privacy protection than the United States. While the U.S. relies on binding enforcement of privacy policies alongside limited sector-specific rules for children and video rentals, Canada’s private sector privacy law (PIPEDA or the Personal Information Protection and Electronic Documents Act), which applies broadly to all commercial activities, has received the European Union’s stamp of approval, and has a privacy commissioner charged with investigating complaints.
Despite its strength on paper, my Globe and Mail op-ed notes the Canadian approach emphasizes rules over enforcement, which runs the risk of leaving the public woefully unprotected. PIPEDA establishes requirements to obtain consent for the collection, use and disclosure of personal information, but leaves the Privacy Commissioner of Canada with limited tools to actually enforce the law. In fact, the not-so-secret shortcoming of Canadian law is that the federal commissioner cannot order anyone to do much of anything. Instead, the office is limited to issuing non-binding findings and racing to the federal court if an organization refuses to comply with its recommendations.
The weakness of Canadian law became evident last week when the federal and British Columbia privacy commissioners released the results of their investigation into Facebook arising from the Cambridge Analytica scandal. The report details serious privacy violations and includes several recommendations for reform, including new measures to ensure “valid and meaningful consent”, greater transparency for users, and oversight by a third-party monitor for five years.
Facebook’s response? No thanks. The social media giant started by disputing whether the privacy commissioner even had jurisdiction over the matter. After a brief negotiation, the company simply refused to adopt the commissioners’ recommendations. As their report notes “Facebook disagreed with our findings and proposed alternative commitments, which reflected material amendments to our recommendations, in certain instances, altering the very nature of the recommendations themselves, undermining the objectives of our proposed remedies, or outright rejecting the proposed remedy.”
The federal commissioner has indicated that he plans to take the case to the federal court, where he will be forced to start from scratch by presenting sufficient evidence that Facebook violated Canadian law. Even with a successful claim, the law provides little in the way of penalties, with a newly established maximum of $100,000 for certain violations. By contrast, Facebook said last week that it has set aside US$3 billion in anticipation of U.S. enforcement penalties that could hit US$5 billion.
This is not the first time a major company has refused to comply with privacy commissioner recommendations. In 2015, Bell initially rejected findings associated with its relevant advertising program that would have required customers to opt-out of behavioural tracking. After an avalanche of negative publicity, it reversed its position.
With companies seemingly free to reject privacy commissioner findings – Facebook earns more than enough revenue every sixty seconds to pay the maximum PIPEDA penalty – Canadians are left without effective privacy protection. Innovation, Science and Economic Development Minister Navdeep Bains touted changes to the law that added new penalties, but the reality is that Canadian law now badly lags behind other countries.
The obvious solution starts with granting the Office of the Privacy Commissioner order making power and supplementing the law with penalties that would make companies think twice before ignoring PIPEDA.
The Office of the Privacy Commissioner was admittedly slow to recognize that the effectiveness of the law depends upon serious enforcement. In 2006, Jennifer Stoddart, then the federal privacy commissioner, told a House of Commons committee that order making powers were not a priority. A year later, it took federal court ruling to push a reluctant commissioner’s office to investigate foreign entities collecting personal information from Canadians.
Today, as global companies are on the verge of regarding Canadian privacy law as irrelevant and the European Union is increasingly likely to re-examine its decision to consider Canadian law “adequate” for the purposes of cross-border data transfers, the office has rightly become convinced that the law must be upgraded. That leaves the question of what more Mr. Bains and the government need to recognize that their vision of leadership in the digital economy is being undermined by privacy rules that leave millions of Canadians without effective and enforceable protection.