Committee recommends opt-in consent, algorithmic transparency to modernized PIPEDA

The report from the Standing Committee on Access to Information, Privacy and Ethics is recommending several measures to bring the country’s Personal Information Protection and Electronic Documents Act (PIPEDA) up-to-date with the current realities of technology.

“The issue of deciding how to protect the privacy interest of people whose information is accessible to the public is extremely complex.”

PIPEDA, which passed in 2000, covers the collection, use, or disclosure of personal information in the private and public sector. PIPEDA is enforced by the Privacy Commissioner of Canada, who can receive and investigate complaints from the public or any organization; though the Commissioner does not have the power to issue final orders, they can seek a court order from the federal court to achieve resolution if cases remain unsolved.

The report’s recommendations include amending PIPEDA to explicitly provide for opt-in consent as the default for any use of personal information, in order to make consent more meaningful; pushing for organizations to be more transparent about how a consumer’s data is used; and making the revocation of consent much easier.

De-indentification — which allows data to be aggregated and presented in a way that is impossible to identify the owner — was called out as one way to tackle the challenge of opt-in consent for services like search engines.

“We caution against the common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it,” the Office of the Privacy Commissioner says in the report. “The issue of deciding how to protect the privacy interest of people whose information is accessible to the public is extremely complex…ultimately, however, given the importance of this issue, it would not suffice to merely tweak the existing Regulations by the Governor-in-Council. Rather, the matter merits the further attention of and deliberation by parliament.”

The report also tackled the concern of minors using the platform, recommending a minimum age of 16 for minors to be able to meaningfully consent to the collection of their data.

According to The Globe and Mail, the need to modernize privacy laws has become more urgent as new European Union privacy regulations come into effect in May. For cross-border trade, Canada must retain adequacy status, which allows data to flow freely between countries that have agreed their respective privacy protections are adequate. Some experts warn that Canada could lose its adequacy status with its current regulations.