Good afternoon.
Another area that requires a new rule is data retention and destruction. Can consumers in the future be sure that the information they have provided, or that was extracted from their habits, will be destroyed or no longer used when the reasons for why they gave that consent are gone? Will they have control? Some of those present today would say no.
We say that now is the time to erase. PIPEDA states that personal information must only be retained for as long as necessary to fulfill an organization's stated purpose. However, the act only requires organizations to develop guidelines and implement procedures regarding the retention of personal data. It says that personal information that is no longer required to fulfill the stated purposes should—not shall—be destroyed, erased, or made anonymous. This is not strong enough.
The only OPC findings that Nexopia refused to implement, to the point of being taken to court by the OPC, were those requiring them to erase the personal information of teens who had left their service. As Canadians can now spend years, decades and, in the case of children, possibly their entire lives on an online service such as a social networking website, the amount of personal information collected from a user could be staggering. The more information on individuals that an organization has and the longer they keep it, the greater and more serious the risk of a data breach.
Canadians must have choice and control over the ways their personal data is used, including through consent, rectification of information, and especially the removal or erasure of their information.
A right to erasure was recognized in the European Union's recent General Data Protection Regulation, which comes into force in 2018. The new GDPR codifies what is known as the “right to erasure”. This gives individuals the right to have personal data erased and to prevent the processing of their data when, for instance, the individual withdraws consent or objects to the processing and there is no overriding legitimate interest for continuing it.
Organizations are also required to be particularly sensitive when it comes to personal data shared by children on, for instance, a social networking site. They can only refuse in certain circumstances to erase personal data when requested, such as to comply with legal obligations or to exercise freedom of expression.
PIAC submits that the committee should consider recommending similar rules for PIPEDA that would align with the GDPR's protections. For instance, organizations should be upfront with users about how long they intend to retain their personal data and why. They should also be required to erase or destroy personal information once the data is no longer needed for a stated purpose, or when an individual withdraws consent.