Teresa Scassa - Blog

Displaying items by tag: privacy commissioner

On April 15, 2020 Facebook filed an application for judicial review of the Privacy Commissioner’s “decisions to investigate and continue investigating” Facebook, and seeking to quash the Report of Findings issued on April 25, 2019. This joint investigation involving the BC and federal privacy commissioners was carried out in the wake of the Cambridge Analytica scandal.

The Report of Findings found that Facebook had breached a number of its obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C.’s Personal Information Protection Act (PIPA). [As I explain here, it is not possible to violate both statutes on the same set of facts, so it is no surprise that nothing further has happened under PIPA]. The Report of Findings set out a series of recommendations. It also contained a section on Facebook’s response to the recommendations in which the commissioners chastise Facebook. The Report led to some strongly worded criticism of Facebook by the federal Privacy Commissioner. On February 6, 2020, the Commissioner referred the matter to Federal Court for a hearing de novo under PIPEDA.

The application for judicial review is surprising. Under the Federal Courts Act, a party has thirty days from the date of a decision affecting it to seek judicial review. For Facebook, that limitation ran out a long time ago. Further, section 18.1 of the Federal Courts Act provides for judicial review of decision, but a Report of Findings is not a decision. The Commissioner does not have the power to make binding orders. Only the Federal Court can do that, after a hearing de novo. The decisions challenged in the application for judicial review are therefore the “decisions to investigate and to continue investigating” Facebook.

In its application for judicial review Facebook argues that the complainants lacked standing because they did not allege that they were users of Facebook or that their personal information had been impacted by Cambridge Analytica’s activities. Instead, they raised general concerns about Facebook’s practices leading to the Cambridge Analytica scandal. This raises the issue of whether a complaint under PIPEDA must be filed by someone directly affected by a company’s practice. The statute is not clear. Section 11(1) of PIPEDA merely states: “An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.” Facebook’s argument is that a specific affected complainant is required even though Facebook’s general practices might have left Canadian users vulnerable. This is linked to a further argument by Facebook that the investigation lacked a Canadian nexus since there was no evidence that any data about Canadians was obtained or used by Cambridge Analytica.

Another argument raised by Facebook is that that the investigation amounted to a “broad audit of Facebook’s personal information management practices, not an investigation into a particular PIPEDA contravention” as required by Paragraph 11(1) of PIPEDA. Facebook argues that the separate audit power under PIPEDA has built-in limitations, and that the investigation power is much more extensive. They argue, essentially, that the investigation was an audit without the limits. Facebook also argues that the report of findings was issued outside of the one-year time limit set in s. 13(1) of PIPEDA. In fact, it was released after thirteen rather than twelve months.

Finally, Facebook argues that the investigation carried out by the Commissioner lacked procedural fairness and independence. The allegations are that the sweeping scope of the complaint made against Facebook was not disclosed until shortly before the report was released and that as a result Facebook had been unaware of the case it had to meet. It also alleges a lack of impartiality and independence on the part of the Office of the Privacy Commissioner in the investigation. No further details are provided.

The lack of timeliness of this application may well doom it. Section 18.1 of the Federal Courts Act sets the thirty-day time limit from the date when the party receives notice of the decision it seeks to challenge; the decision in this case is the decision to initiate the investigation, which would have been communicated to Facebook almost two years ago. Although judges have discretion to extend the limitation period, and although Facebook argues it did not receive adequate communication regarding the scope of the investigation, even then their application comes almost a year after the release of the Report of Findings. Perhaps more significantly, it comes two and a half months after the Commissioner filed his application for a hearing de novo before the Federal Court. The judicial review application seems to be a bit of a long shot.

Long shot though it may be, it may be intended as a shot across the bows of both the Office of the Privacy Commissioner and the federal government. PIPEDA is due for reform in the near future. Better powers of enforcement for PIPEDA have been on the government’s agenda; better enforcement is a pillar of the Digital Charter. The Commissioner and others have raised enforcement as one of the major weaknesses of the current law. In fact, the lack of response by Facebook to the recommendations of the Commissioner following the Report of Findings was raised by the Commissioner as evidence of the need for stronger enforcement powers. One of the sought-after changes is the power for the Commissioner to be able to issue binding orders.

This application for judicial review, regardless of its success, puts on the record concerns about procedural fairness that will need to be front of mind in any reforms that increase the powers of the Commissioner. As pointed out by former Commissioner Jennifer Stoddart in a short article many years ago, PIPEDA creates an ombuds model in which the Commissioner plays a variety of roles, including promoting and encouraging compliance with the legislation, mediating and attempting early resolution of disputes and investigating and reporting on complaints. Perhaps so as to give a degree of separation between these roles and any binding order of compliance, it is left to the Federal Court to issue orders after a de novo hearing. Regardless of its merits, the Facebook application for judicial review raises important procedural fairness issues even within this soft-compliance model, particularly since the Commissioner took Facebook so publicly to task for not complying with its non-binding recommendations. If PIPEDA were to be amended to include order-making powers, then attention to procedural fairness issues will be even more crucial. Order-making powers might require clearer rules around procedures as well as potentially greater separation of functions within the OPC, or possibly the creation of a separate adjudication body (e.g. a privacy tribunal).

Published in Privacy

A recent story in iPolitics states that both the Liberals and the Conservatives support strengthening data protection laws in Canada, although it also suggests they may differ as to the best way to do so.

The Liberals have been talking about strengthening Canada’s data protection laws – both the Privacy Act (public sector) and the Personal Information Protection and Electronic Documents Act (PIPEDA) (private sector) since well before the last election, although their emphasis has been on PIPEDA. The mandate letters of both the Ministers of Justice and Industry contained directions to reform privacy laws. As I discuss in a recent post, these mandate letters speak of greater powers for the Privacy Commissioner, as well as some form of “appropriate compensation” for data breaches. There are also hints at a GDPR-style right of erasure, a right to withdraw consent to processing of data, and rights of data portability. With Canada facing a new adequacy assessment under the EU’s General Data Protection Regulation (GDPR) it is perhaps not surprising to see this inclusion of more EU-style rights.

Weirdly, though, the mandate letters of the Minister of Industry and the Minister of Heritage also contain direction to create the new role of “Data Commissioner” to serve an as-yet unclear mandate. The concept of a Data Commissioner comes almost entirely out of the blue. It seems to be first raised before the ETHI Committee on February 7, 2019 by Dr. Jeffrey Roy of Dalhousie University. He referenced in support of this idea a new Data Commissioner role being created in Australia as well as the existence of a UK Chief Data Officer. How it got from an ETHI Committee transcript to a mandate letter is still a mystery.

If this, in a nutshell, is the Liberal’s plan, it contains both the good, the worrisome, and the bizarre. Strengthening PIPEDA – both in terms of actual rights and enforcement of those rights is a good thing, although the emphasis in the mandate letters seems very oriented towards platforms and other issues that have been in the popular press. This is somewhat worrisome. What is required is a considered and substantive overhaul of the law, not a few colourful and strategically-placed band-aids.

There is no question that the role of the federal Privacy Commissioner is front and centre in this round of reform. There have been widespread calls to increase his authority to permit him to issue fines and to make binding orders. These measures might help address the fundamental weakness of Canada’s private sector data protection laws, but they will require some careful thinking about the drafting of the legislation to ensure that some of the important advisory and dispute resolution roles of the Commissioner’s office are not compromised. And, as we learned with reform of the Access to Information Act, there are order-making powers and then there are order-making powers. It will not be a solution to graft onto the legislation cautious and complicated order-making powers that increase bureaucracy without advancing data protection.

The bizarre comes in the form of the references to a new Data Commissioner. At a time when we clearly have not yet managed to properly empower the Privacy Commissioner, it is disturbing that we might be considering creating a new bureaucracy with apparently overlapping jurisdiction. The mandate letters suggest that the so-called data commissioner would oversee (among other things?) data and platform companies, and would have some sort of data protection role in this regard. His or her role might therefore overlap with both those of the Privacy Commissioner and the Competition Bureau. It is worth noting that the Competition Bureau has already dipped its toe into the waters of data use and abuse. The case for a new bureaucracy is not evident.

The Conservatives seem to be opposed to the creation of the new Data Commissioner, which is a good thing. However, Michelle Rempel Garner was reported by iPolitics as rejecting “setting up pedantic, out of date, ineffectual and bloated government regulatory bodies to enforce data privacy.” It is not clear whether this is simply a rejection of the new Data Commissioner’s office, or also a condemnation of the current regulatory approach to data protection (think baby and bath water). Instead, the Conservatives seem to be proposing creating a new data ownership right for Canadians, placing the economic value of Canadians’ data in their hands.

This is a bad idea for many reasons. In the first place, creating a market model for personal data will do little to protect Canadians. Instead, it will create a context in which there truly is no privacy because the commercial exchange of one’s data for products and services will include a transfer of any data rights. It will also accentuate existing gaps between the wealthy and those less well off. The rich can choose to pay extra for privacy; others will have no choice but to sell their data. Further, the EU, which has seriously studied data ownership rights (and not just for individuals) has walked away from them each time. Data ownership rights are just too complicated. There are too many different interests in data to assign ownership to just one party. If a company uses a proprietary algorithm to profile your preferences for films or books, is this your data which you own, or theirs because they have created it?

What is much more important is the recognition of different interests in data and the strengthening, through law, of the interests of individuals. This is what the GDPR has done. Rights of data portability and erasure, the right to withdraw consent to processing, and many other rights within the GDPR give individuals much stronger interests in their data, along with enforcement tools to protect those interests. Those strengthened interests are now supporting new business models that place consumers at the centre of data decision-making. Open banking (or consumer-directed banking), currently being studied by the Department of Finance in Canada, is an example of this, but there are others as well.

The fix, in the end, is relatively simple. PIPEDA needs to be amended to both strengthen and expand the existing interests of individuals in their personal data. It also needs to be amended to provide for appropriate enforcement, compensation, and fines. Without accountability, the rights will be effectively meaningless. It also needs to happen sooner rather than later.

 

(With thanks to my RA Émilie-Anne Fleury who was able to find the reference to the Data Commissioner in the ETHI Committee transcripts)

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law