Canada Privacy Enforcer Shifts to Corporate Focus

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Peter Menyasz

A move by the Canadian privacy regulator to enforcement that focuses on systemic issues, such as cross-device tracking of consumers, would expose companies to greater scrutiny even if there aren’t public complaints, privacy attorneys told Bloomberg BNA.

Privacy Commissioner of Canada Daniel Therrien recently announced plans to move away from an enforcement agenda based primarily on consumer complaints to a more proactive approach. The Office of the Privacy Commissioner (OPC) will continue to be a complaint-driven ombudsman as specified in the Personal Information Protection and Electronic Documents Act, but intends to move resources to identifying and investigating systemic privacy issues of its own initiative, Therrien said at a news conference to release the agency’s annual report to the Canadian Parliament.

“Conducting involuntary audits will change the relationship between the agency and organizations and we may begin to see more resistance to its recommendations,” Timothy Banks, Canadian leader of global privacy and cyberscurity practice in the Toronto office of Dentons Canada LLP. “This may be a good thing in the development of privacy law in Canada.”

Systemic privacy issues include uses of data by companies that aren’t transparent to consumers and by companies in new and unusual business models, Therrien said. It would be “naive” to leave responsibility for addressing privacy to the companies, particularly as surveys show that more than 90 percent of Canadian consumers have “nagging doubts” about the safety of their information, he said.

But the focus on systemic issues may largely focus on big online players, such as Facebook Inc., Alphabet Inc.'s Google, and Microsoft Corp., David Fraser, a privacy partner with McInnes Cooper in Halifax, told Bloomberg BNA. Those are the most privacy-conscious entities, with many more privacy lawyers and security engineers than any privacy body, he said. “If there’s a zone of non-compliance in Canada, it’s the small and medium-sized businesses,” Fraser said.

Financial Resources

It is unclear whether the OPC has the resources necessary to carry out the new agenda envisioned by Therrien.

Therrien said that a “relatively modest” increase in the OPC budget would allow the agency to meet the expanded mandate. If an increased budget isn’t forthcoming, the OPC will have to make a “difficult choice” on whether to launch proactive investigations or continue with individual, fact-specific cases, he said.

Smaller businesses, and the consumers they serve, might receive less attention under an OPC enforcement plan that focuses on systemic privacy issues.

The proposed policy change would likely only affect large businesses in the short term due to the OPC’s limited resources, Paige Backman, a privacy partner in the Toronto office of Aird & Berlis LLP, told Bloomberg BNA. “You may see long-term impacts on businesses as the privacy commissioner’s office increases its profile and lobbies for more resources,” Backman said. “The impact you may see on smaller businesses or smaller issues is less attention given to complaints regarding their information handling practices.”

Increased Powers

“Canadians do not feel protected by a law that has no teeth,” Therrien said. The OPC wants “greater authority to choose the systemic approach,” he said, but “won’t wait for legislative changes” to move the proactive systemic approach forward.

The federal privacy agency has long advocated for Parliament to boost its enforcement mandate, including the ability to undertake more self-initiated investigations, clearer order-making powers, and the ability to levy administrative fines.

Nathaniel Erskine-Smith, vice-chairman of the House of Commons Access to Information, Privacy, and Ethics Committee, told Bloomberg BNA that Therrien’s proposed policy change is consistent with arguments he and his predecessors at the OPC have made to the committee. PIPEDA already gives the OPC the authority to initiate its own investigations if they are based on “reasonable grounds,” he said.

The OPC can already ask the Federal Court of Canada to enforce its orders if companies don’t accept its recommendations to fix their privacy policies, The court can issue binding orders and mete out penalties, including forcing companies to turn over profits from unlawful privacy-impinging activities.

The OPC is seeking enforcement powers similar to privacy regulators in the U.S. and Europe, but that isn’t necessarily a better option compared to Canada’s less confrontational approach, Fraser said.

To contact the reporter on this story: Peter Menyasz in Ottawa at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at DAplin@bna.com

For More Information

The Office of the Privacy Commissioner's annual report is available at http://src.bna.com/sPH.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security