Does the OPC really need a massive increase in funding?

In a recent letter to the Standing Committee on Access to Information, Privacy and Ethics, Daniel Therrien, the Privacy Commissioner of Canada, suggested that a 90% increase in funding for the Office of the Privacy Commissioner (OPC) was required to have a “true impact in protecting Canadians’ privacy rights”.

OPC receives $25 million already

The OPC’s current funding is approximately $25 million per year. The Commissioner considered a $23 million increase to be “realistic”. However, the Commissioner added that it had only sought a more “modest” $8 million increase, which represented a 30% increase to permanent funding. The Commissioner cited “rapidly evolving privacy threats” for the budgetary increases and noted that a 90% increase in funding would be in line with increases to the UK Information Commissioner’s Office.

What a 90% increase buys

The Commissioner argues that a 30% increase would allow for a “limited number of proactive promotion and compliance activities”. The backlog of existing complaints would be “reduced” but not eliminated.

However, with a 90% increase, the Commissioner says that the OPC could provide more advisory services to businesses than it does at present. The increase in funding would also be used to engage in “targeted advertising to bring individuals to our site when they are about to make a decision on whether to disclose their personal information.” Backlogs could be reduced and more proactive activities could be undertaken.

Is a 90% increase necessary?

One of the justifications for a 90% increase is the desire to provide more advisory services. However, the OPC has not demonstrated that it has explored available options to work with stakeholders when developing guidance. The Personal Information Protection and Electronic Documents Act (PIPEDA) was born out of a voluntary industry code. Quite literally, the main substantive protections in PIPEDA are in Schedule 1 to the legislation, which was that industry code. Arguably, PIPEDA has stood the test of time precisely because the provisions of Schedule 1 were developed by industry stakeholders with an understanding of the operational impacts of the provisions they were drafting.

The OPC could take a lesson from that success. The OPC could increase the use of working groups of stakeholders to draft guidance on important topics. This shared responsibility model would have the benefit of developing industry and consumer group buy-in. It would also shift the expense of developing that advisory guidance to stakeholders. It would be more likely to produce guidance that is relevant and attuned to operational realities.

The OPC also wants money for advertising. In particular, the OPC wants to “use contextual advertising to bring individuals to [the OPC’s] site when they are about to make a decision on whether to disclose their personal information”. There is a certain irony in the OPC wanting to engage in targeted online advertising of individuals when the OPC has been so hostile to the interest-based advertising industry.

The fact that the OPC feels the need to engage in this type of advertising is an indictment of its resistance to developing model privacy notices. The OPC missed an opportunity during the consultations on consent to modernize and standardize how disclosures are made.

The OPC could have identified types and uses of data that a reasonable person would expect when engaging in online activities. Disclosures regarding these uses could have been done in a short-form manner and only those uses falling outside of these categories would need to be highlighted.

In exchange for using the short-form disclosure, the organization could have been required to link back to educational material at the OPC website. While large, international organizations may not have adopted this approach due to potential operational complexities, this would have solved a problem for numerous small and medium-sized enterprises.

No, the OPC does not need a 90% increase in funding. It needs to work more creatively with industry.

Check out Commissioner Therrien’s letter here.

Canada and the Right to be Forgotten

It may be surprising that, until this past Friday, there was considerable doubt about whether Canada’s federal private sector privacy law applied to online search engines. The Office of the Privacy Commissioner of Canada (OPC) had previously skirted deciding this issue.

This changed with the release of the draft OPC Position on Online Reputation. The OPC decided not only that online search engines (such as Google search, Bing and others) are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), but also that search engines may be required to “de-index” search results about an individual in some cases. In other words, the OPC has introduced a limited type of “right to be forgotten” in Canada.

It will be interesting to watch whether search engines accede to the OPC’s interpretation of PIPEDA. Certainly, we should expect to see some vigorous debate before the OPC finalizes its Guidelines. After that, perhaps the OPC will need to find a case and take it to court. The OPC’s “position” does not have the force of law. And, until the OPC completes an investigation, the OPC cannot take a search engine to court for a ruling.

Are search engines engaged in a “commercial activity”?

Search engines form an indispensable tool through which most individuals navigate the world wide web. However, in order for a search engine to be subject to PIPEDA, it must be performing a commercial activity and not be engaged in journalism or a literary activity.

The OPC concluded that the search engine is not performing a “journalistic” or “literary” function. A search engine operator indexes content, applies proprietary algorithms to that content, and then displays results based on relevance, as predicted by those algorithms. The relevance of the search results is to some extent customized depending on the user and the user’s location. The OPC concluded that in many cases the search engines display advertising along with the search results and that this sale of advertising is “inextricably linked” to the search function. In this way, the OPC concluded that search engines are engaged in a commercial activity.

Where is the “right to be forgotten” in PIPEDA?

The OPC constructed a right to challenge search engine results by combining three principles in Schedule 1 to PIPEDA to develop an individual’s right to request de-indexing. These are the “accuracy”, “individual access”, and “challenging compliance” principles. Essentially, the OPC concluded that if the de-indexed result is inaccurate, incomplete or not up-to-date, then the search engine must balance the interests of the individual against the public interest of the web page continuing to be indexed and displayed in the search results.

Stay tuned for further debate

The OPC’s guidance is in draft. We should expect that the coming weeks will see considerable debate. The OPC has itself called for Parliament to consider the issues, and whether the OPC has “struck the right balance”.

There will be supporters and critics of the OPC’s activism. Supporters of the OPC’s approach may cite the role of search engines in driving traffic to content. They will argue that the algorithms deployed by search engines are not transparent or neutral. If the information being returned by the algorithm does not accurately reflect information about the individual, they may rightly ask what the overriding interest is in making inaccurate information prominent in the search results or even displaying it at all if the harm to the individual exceeds other interests.

Nevertheless, there will be many critics of the OPC’s approach. It places the burden on search engines to arbitrate what results should be de-indexed or shown. Moreover, the OPC’s suggestion that search engines will need to geo-block results is a remarkable interference with the ability of individuals to obtain access to information and interferes with the freedom of expression of the authors of the underlying information. If the underlying information is the problem, there are a variety of tools for dealing with that information, such as the law of defamation, torts of invasion of privacy, and other legal remedies.

Read the full OPC Position on Online Reputation.

Professor Michael Geist penned a response to the OPC decision in the Globe and Mail, which can be found here.

Consent and the Connected Car – Is this the right choice?

Recently, Daniel Therrien, the Privacy Commissioner of Canada, made a written submission to the Standing Senate Committee on Transport and Communications on the privacy issues relating to connected vehicles. This submission supplemented the Commissioner’s oral remarks to the Committee on March 28, 2017.

The Commissioner’s written submission follows the release of the Office of the Privacy Commissioner’s draft guidelines on consent. Unsurprisingly, the Commissioner focused on the role of consent in protecting the privacy interests of consumers. The Commissioner allowed that “there may be some collections, uses or disclosures in which it might be inappropriate for the driver to control how the information is used.” The Commissioner cited the situation where the use or disclosure of data is “necessary” for road safety as an example. However, overall, the Commissioner’s emphasis is on consent and meaningful user choice.

The Commissioner’s room to manoeuvre is constrained by the requirements of the governing legislation that the Commissioner must enforce — the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA requires meaningful, informed consent for the collection, use and disclosure of personal information. The Commissioner’s emphasis on consent is understandable.

However, if we think beyond PIPEDA, would we really design a consent-based model for the features of a connected car? Would this be the right way to balance the interests of vehicle manufacturers, vehicle owners/lessees, rental car companies, passengers, insurers, law enforcement, urban planners, cyclists, pedestrians, and other stakeholders? Given the stakeholders and the context — driving is a licensed activity — is this an area where there might be more room to apply a broader set of policy considerations instead of focusing on consumer choice? Should the focus really be on notice and consent?

A multi-faceted approach would acknowledge that certain interests may take priority over consumer choice when engaging in a licensed activity. For example, manufacturers and Transport Canada have a legitimate interest in detecting vehicle flaws that could endanger passengers and others. Manufacturers and environmental protection agencies also have a legitimate interest in continual improvement of the longevity and energy efficiency of vehicles. Moreover, city planners and transportation managers have legitimate interests in affecting traffic flows in real time and understanding driving behaviour with greater precision using larger data sets. Do these interests rise to the level of “necessity” as the Commissioner would suggest might be required in order to jettison a notice and consent model? Should they have to?

There are also other means to regulate uses of information in order to mitigate harms to individuals without focusing on consumer choice. Manufacturers and others could be encouraged to implement privacy enhancing features by eliminating the need for consent when the collection, use and disclosure of information falls within a socially acceptable zone that involves few risks. Using technology to limit harm could be supplemented with targeted regulatory protections that do not prohibit the collection of data but rather discriminatory or other harmful uses of the data. Long before we had statutory privacy laws in most of the country, we had human rights legislation prohibiting certain harmful, discriminatory uses of personal information.

Just a thought.

Click to read the Commissioner’s Submission to the Standing Committee.

Click to read the draft Guidelines on Consent.