Information & Ethics Committee on Feb. 23rd, 2017

I think that's a serious issue as well. I'm not sure it's a PIPEDA issue. In some circumstances, issues like that have been dealt with through the tort system. Where it's been done maliciously, they've been dealt with through other mechanisms, because I think they raise issues that go beyond simply data protection.

While I agree that it's an important issue, I'm not entirely convinced it's as much a PIPEDA issue as it is a problem that maybe requires multiple different solutions, depending on the circumstances. I mean, revenge porn falls into that category. That's clearly a tort and also perhaps criminal activity and so on.

Oh, oh!

I'll start by endorsing the distinction that Professor Scassa made between data protection and a right to deletion and a right to be forgotten, because that is a key distinction.

The way it was handed down was the first problem we saw. There was a decision by the European Court of Justice that didn't even really mention freedom of expression, and included statements that, for example, the right to privacy generally trumps people's right to obtain information. There was a lack of proper consideration of the rights that were being infringed. That would be the first one. With that decision, which was relatively bare, providing the only guidance at the outset at least that Google was going to have in implementing that, it was hugely problematic, because you create this enormous new responsibility without a huge amount of guidance on how it's supposed to be implemented.

As I mentioned briefly before, putting this on the private sector is hugely problematic, because this is a very tricky decision. It involves balancing different rights against one another, and it involves considering the overall public interest. Google is absolutely not equipped to do that. Even for a company of their size, this is something that you need judicial or quasi-judicial decision-makers to take on. Saddling it onto the private sector was also a significant mistake. I think you saw that the floodgates sort of came open. I looked it up in the interim, and I saw 348,000 requests to remove links by Google.

When I say that I have a certain amount of sympathy with regard to a few limited cases of where the right to be forgotten could be applied, I think it's a challenging thing to implement in terms of just applying it to those extreme cases. I think the European example shows that once the right is implemented, the floodgates kind of come open, and you have a huge amount of legitimate or accurate information, or perfectly relevant information, that people would request deletion for.

My understanding of the way in which it's applied is based on the initial rollout of the ECJ decision. I believe the data protection regulation does address that, but I haven't reviewed that specific aspect.

No. Absolutely not.

Even in the new GDPR, which addresses the issue of the right to be forgotten, it is in quotation marks. In that context, it is called “the right to erasure”. The Regulation makes the distinction that Professor Scassa mentioned. In fact, the right to erasure provided for in the GDPR is somewhat in line with the one already in the 1995 directive, which was in force in most European Union countries.

It is possible to request that data be deleted, but only for the data whose collection, communication or disclosure violates the Regulation. However, the Regulation sets out exceptions for freedom of expression, freedom of the press, the right to information and so on.

Like Professor Scassa, I think PIPEDA should clearly provide for the right to erase inaccurate and erroneous data so that it is not just a recommendation.

I would also like to point out that the second paragraph of article 45, which talks about adequacy, does not mean just doing a cut-and-paste; it means considering effective and enforceable rights. Direct rights would therefore be appropriate. In terms of data protection, it does not directly relate to any right to erasure, but indicates that the country’s rules on human rights and fundamental freedoms will be taken into account. In this case, we are talking about the Canadian Charter of Rights and Freedoms.

That's a very good question.

It's challenging. I think there are small fixes in terms of tools, direction, and guidance in drafting better privacy policies and more condensed or short-form privacy policy templates, as you suggest.

In terms of ubiquitous and continuous collection, people have suggested that there should be pop-ups from time to time to remind people that their information is being collected by the toaster, for example, and that they might want to think about whether they still want that to be happening. There are those types of things. Some of those could be mandated in legislation. Some could be done through guidance from the Privacy Commissioner.

There are others who suggest, as you know, broader fixes, such as moving all sorts of data collection and considering it fairly routine, and consent wouldn't be required. What worries me about that, of course, is the threshold that there be no risk or no harm. I think that in the big data environment, we're still trying to figure out exactly what the risks and the harms are. It's not always obvious at the outset what the implications of the collection of certain types of data are going to be, depending on what is then subsequently collected by someone else and put together.

I think there are some very serious challenges there, and I wish I could say, “Here are the three things that need to be done”, but I'm still struggling with it myself.

Maybe I'll pass the floor to our resident European.

Oh, oh!

In my view, PIPEDA should clarify the issue of the retention of data over time, provide for an obligation for organizations, and also provide a direct right to litigants. The direct rights of litigants are one of the conditions for adequacy. As with the enforceable orders and fines, paragraph 45(2)(b) of the Regulation tells us to look at whether the supervisory authority is truly independent and has adequate enforcement powers.

Yes. I would agree with that. I certainly think the biggest weakness in PIPEDA in terms of conformity with European norms is on the enforcement side. There are simply not enough powers for the commissioner.