Teresa Scassa - Blog

Canada’s Privacy Commissioner has released a set of findings that recognize a right to be forgotten (RTBF) under the Personal Information Protection and Electronic Documents Act (PIPEDA). The complainant’s long legal journey began in 2017 when they complained that a search of their name in Google’s search engine returned news articles from many years earlier regarding an arrest and criminal charges relating to having sexual activity without disclosing their status as being HIV positive. Although these reports were accurate at the time they were published, the charges were stayed shortly afterwards, because the complainant posed no danger to public health. Charging guidelines for the offence in question indicated that no charges should be laid where there is no realistic possibility that HIV could be transmitted. The search results contain none of that information. Instead, they publicly disclose the HIV status of the complainant, and they create the impression that their conduct was criminal in nature. As a result of the linking of their name to these search results, the complainant experienced – and continues to experience – negative consequences including social stigma, loss of career opportunities and even physical violence.

Google’s initial response to the complaint was to challenge the jurisdiction of the Privacy Commissioner to investigate the matter under PIPEDA, arguing that PIPEDA did not apply to its search engine functions. The Commissioner referred this issue to the Federal Court, which found that PIPEDA applied. That decision was (unsuccessfully) appealed by Google to the Federal Court of Appeal. When the matter was not appealed further to the Supreme Court of Canada, the Commissioner began his investigation which resulted in the current findings. Google has indicated that it will not comply with the Commissioner’s recommendation to delist the articles so that they do not appear in a search using the complainant’s name. This means that it is likely that an application will be made to Federal Court for a binding order. The matter is therefore not yet resolved.

This post considers three issues. The first relates to the nature and scope of the RTBF in PIPEDA, as found by the Commissioner. The second relates to the Commissioner’s woeful lack of authority when it comes to the enforcement of PIPEDA. Law reform is needed to address this, yet Bill C-27, which would have given greater enforcement powers to the Commissioner, died on the order paper. The government’s intentions with respect to future reform and its timing remain unclear. The third point also addresses PIPEDA reform. I consider the somewhat fragile footing for the Commissioner’s version of the RTBF given how Bill C-27 had proposed to rework PIPEDA’s normative core.

The Right to be Forgotten (RTBF) and PIPEDA

In his findings, the Commissioner grounds the RTBF in an interpretation of s. 5(3) of PIPEDA:

5(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

This is a core normative provision in PIPEDA. For example, although organizations may collect personal information with the consent of the individual, they cannot do so if the collection is for purposes that a reasonable person would not consider appropriate in the circumstances. This provision (or at least one very similar to it in Alberta’s Personal Information Protection Act), was recently found to place important limits on the scraping of photographs from the public internet by Clearview AI to create a massive facial recognition (FRT) database. Essentially, even though the court found that photographs posted on the internet were publicly available and could be collected and used without consent, they could not be collected and used to create a FRT database because this was not a purpose a reasonable person would consider appropriate in the circumstances.

The RTBF would function much in the same way when it comes to the operations of platform search engines. Those search engines – such as Google’s – collect, use and disclose information found on the public internet when they return search results to users in response to queries. When searches involve individuals, search results may direct users to personal information about that individual. That is acceptable – as long as the information is being collected, used and disclosed for purposes a reasonable person would consider appropriate in the circumstances. In the case of the RTBF, according to the Commissioner, the threshold will be crossed when the privacy harms caused by the disclosure of the personal information in the search results outweigh the public interest in having that information shared through the search function. In order to make that calculation, the Commissioner articulates a set of criteria that can be applied on a case-by-case basis. The criteria include:

a. Whether the individual is a public figure (e.g. a public office holder, a politician, a prominent business person, etc.);

b. Whether the information relates to an individual’s working or professional life as opposed to their private life;

c. Whether the information relates to an adult as opposed to a minor;

d. Whether the information relates to a criminal charge that has resulted in a conviction or where the charges were stayed due to delays in the criminal proceedings;

e. Whether the information is accurate and up to date;

f. Whether the ability to link the information with the individual is relevant and necessary to the public consideration of a matter under current controversy or debate;

g. The length of time that has elapsed since the publication of the information and the request for de-listing. (at para 109)

In this case, the facts were quite compelling, and the Commissioner had no difficulty finding that the information at issue caused great harm to the complainant while providing no real public benefit. This led to the de-listing recommendation – which would mean that a search for the complainant’s name would no longer turn up the harmful and misleading articles – although the content itself would remain on the web and could be arrived at using other search criteria.

The Privacy Commissioner’s ‘Powers’

Unlike his counterparts in other jurisdictions, including the UK, EU member countries, and Quebec, Canada’s Privacy Commissioner lacks suitable enforcement powers. PIPEDA was Canada’s first federal data protection law, and it was designed to gently nudge organizations into compliance. It has been effective up to a point. Many organizations do their best to comply proactively, and the vast majority of complaints are resolved prior to investigation. Those that result in a finding of a breach of PIPEDA contain recommendations to bring the organization into compliance, and in many cases, organizations voluntarily comply with the recommendations. The legislation works – up to a point.

The problem is that the data economy has dramatically evolved since PIPEDA’s enactment. There is a great deal of money to be made from business models that extract large volumes of data that are then monetized in ways that are beyond the comprehension of individuals who have little choice but to consent to obscure practices laid out in complex privacy policies in order to receive services. Where complaint investigations result in recommendations that run up against these extractive business models, the response is increasingly to disregard the recommendations. Although there is still the option for a complainant or the Commissioner to apply to Federal Court for an order, the statutory process set out in PIPEDA requires the Federal Court to hold a hearing de novo. In other words, notwithstanding the outcome of the investigation, the court hears both sides and draws its own conclusions. The Commissioner, despite his expertise, is owed no deference.

In the proposed Consumer Protection Privacy Act (CPPA) that was part of the now defunct Bill C-27, the Commissioner was poised to receive some important new powers, including order-making powers and the ability to recommend the imposition of steep administrative monetary penalties. Admittedly, these new powers came with some clunky constraints that would have put the Commissioner on training wheels in the privacy peloton of his international counterparts. Still, it was a big step beyond the current process of having to ask the Federal Court to redo his work and reach its own conclusions.

Bill C-27, however, died on the order paper with the last federal election. The current government is likely in the process of pep-talking itself into reintroducing a PIPEDA reform bill, but as yet there is no clear timeline for action. Until a new bill is passed, the Commissioner is going to have to make do with his current woefully inadequate enforcement tools.

The Dangers of PIPEDA Reform

Assuming a PIPEDA reform bill will contain enforcement powers better adapted to a data-driven economy, one might be forgiven for thinking that PIPEDA reform will support the nascent RTBF in Canada (assuming that the Federal Court agrees with the Commissioner’s approach). The problem is, however, there could be some uncomfortable surprises in PIPEDA reform. Indeed, this RTBF case offers a good illustration of how tinkering with PIPEDA may unsettle current interpretations of the law – and might do so at the expense of privacy rights.

As noted above, the Commissioner grounded the RTBF on the strong and simple principle at the core of PIPEDA and expressed in s. 5(3), which I repeat here for convenience:

5(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The Federal Court of Appeal has told us that this is a normative standard – in other words, the fact that millions of otherwise reasonable people may have consented to certain terms of service does not on its own make those terms something that a reasonable person would consider appropriate in the circumstances. The terms might be unduly exploitative but leave individuals with little or no choice. The reasonableness inquiry sets a standard for the level of privacy protection an individual should be entitled to in a given set of circumstances.

Notably, Bill C-27 sought to disrupt the simplicity of s. 5(3), replacing it with the following:

12 (1) An organization may collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is required under this Act.

(2) The following factors must be taken into account in determining whether the manner and purposes referred to in subsection (1) are appropriate:

(a) the sensitivity of the personal information;

(b) whether the purposes represent legitimate business needs of the organization;

(c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;

(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and

(e) whether the individual’s loss of privacy is proportionate to the benefits in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.

Although s. 12(1) is not so different from s. 5(3), the government saw fit to add a set of criteria in s. 12(2) that would shape any analysis in a way that leans the decision-maker towards accommodating the business needs of the organization over the privacy rights of the individual. Paragraph 12(2)(b) and (c) explicitly require the decision-maker to think about the legitimate business needs of the organization and the effectiveness of the particular collection, use or disclosure in meeting those needs. In an RTBF case, this might mean thinking about how indexing the web and returning search results meets the legitimate business needs of a search engine company and does so effectively. It then asks whether there are “less intrusive means of achieving those purposes at a comparable cost and with comparable benefits”. This too focuses on the organization. Not only is this criterion heavily weighted in favour of business in terms of its substance – less intrusive means should be of comparable cost – the issues it raises are ones about which an individual challenging the practice would have great difficulty producing evidence. While the Commissioner has greater resources, these are still limited. The fifth criterion returns us to the issue of privacy, but it asks whether “the individual’s loss of privacy is proportionate to the benefits [to the organization] in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual”. The criteria in s. 12(2) fall over themselves to nudge a decision-maker towards finding privacy-invasive practices to be “for purposes that a reasonable person would consider appropriate in the circumstances” – not because a reasonable person would find them appropriate in light of the human right to privacy, but because an organization has a commercial need for the data and has fiddled about a bit to attempt to mitigate the worst of the impacts. Privacy essentially becomes what the business model will allow – the reasonable person is now an accountant.

It is also worth noting that by the time a reform bill is reintroduced (and if we dare to imagine it – actually passed), the Federal Court may have weighed in on the RTBF under PIPEDA, putting us another step closer to clarifying whether there is a RTBF in Canada’s private sector privacy law. Assuming that the Federal Court largely agrees with the Commissioner and his approach, if something like s. 12 of the CPPA becomes part of a new law, the criteria developed by the Commissioner for the reasonableness assessment in RTBF cases will be supplanted by the rather ugly list in s. 12(2). Not only will this cast doubt on the continuing existence of a RTBF, it may likely doom one. And this is not the only established interpretation/approach that will be unsettled by such a change.

The Commissioner’s findings in the RTBF investigation demonstrate the flexibility and simplicity of s. 5(3). When a PIPEDA reform bill returns to Parliament, let us hope that the s. 12(2) is no longer part of it.

A recent decision on a motion before the Federal Court marks the progress of the Privacy Commissioner’s reference case on whether the Personal Information Protection and Electronic Documents Act (PIPEDA) includes a right to be forgotten. In an earlier report following the OPC’s consultation on digital reputation, the Privacy Commissioner had indicated that he was of the view that PIPEDA, in its unamended form, provided for a right to be forgotten that could be exercised against search engines.

The reference, launched on October 10, 2018, is linked to a complaint filed with the Office of the Privacy Commissioner (OPC) by an individual against Google. The Complainant is concerned that Google searches of his name produce links to news articles that he alleges “are outdated and inaccurate and disclose sensitive information such as his sexual orientation and a serious medical condition” (at para 6). The complainant’s view is that by providing prominent links to these articles, Google is breaching the PIPEDA. He is seeking to have these results de-indexed. This means that they would no longer appear in Google search results. De-indexing does not involve the removal of content from the source websites. Basically, the articles would still be out there, but they would not appear in Google search results. Unless similar orders were made against other search engines such as Bing, they content would be findable using those engines.

The Commissioner has referred two questions to the Federal Court. First, he seeks to know whether Google’s search engine activities constitute the “commercial activity” necessary to bring these activities within the scope of PIPEDA, which applies to the collection, use or disclosure of personal information in the course of commercial activity. The second question is whether Google’s search engine activities, even if commercial, fall within the exception to PIPEDA’s application where personal information is collected, used or disclosed “for journalistic, artistic or literary purposes and for no other purpose” (s. 4(2)(c)). Google and the Attorney General of Canada were given notice of the reference and are entitled to become parties to the reference. Google has challenged the scope of the reference. It seeks to add the question of whether, if PIPEDA does apply to the search engine’s activities, and if there is a deindexing order, such an order would violate s. 2(b) of the Canadian Charter of Rights and Freedoms. This motion to expand the scope of the reference had not yet been heard.

The CBC, along with a coalition of other Canadian media organizations brought motions seeking to be added as parties to the original reference. Their concern is that the Commissioner’s interpretation of the scope of PIPEDA as including a right to be forgotten is a violation of the freedom of expression guaranteed by s. 2(b) of the Charter. Their argument is based on the principle that the right of expression includes the right to receive information, and that measures taken to limit access to information in the news media thus breach the Charter. By bringing their motion, the media outlets sought to be added as parties, with the right to introduce evidence and make argument before the Court.

The motion was heard by Prothonotary Tabib, who rendered her decision on March 1. She began by noting that since the motion was being heard prior to any decision on Google’s motion to expand the scope of proceedings, party status would be considered only with respect to the original reference questions. She was critical of the motion on the basis that it proceeded “from the fundamental assumption that the Court’s determination of the jurisdictional questions in a way that confers jurisdiction on the OPC to investigate the underlying complaint will inevitably result in deindexing lawful news media content from Internet search results” (at para 17). She noted that in fact the reference questions were directed towards the issue of whether the Commissioner had jurisdiction in the matter. If the outcome of the reference was a finding that there was jurisdiction, the Commissioner would still have to investigate, would have to find the complaint well-founded, and would have to determine whether de-indexing was an appropriate remedy. The Commissioner can only make non-binding orders, so no Charter rights would be violated unless the matter proceeded to a recommendation to de-index with which Google voluntarily complied. If Google refused to comply the complainant or the Commissioner could bring the matter to Federal Court seeking a binding order, but the Court would hold a hearing de novo and might reach different conclusions. Basically, the prothonotary was of the view that the matter was a long way from breaching anyone’s Charter rights. She noted that “The media parties’ reliance on assumptions as to the ultimate result to form the cornerstone of their argument conflates all subsequent steps and determinations into the preliminary issue” (at para 18).

Prothonotary Tabib considered Rule 104(1)(b) of the Federal Courts Rules, which empowers the Court to order a person to be joined as a party. She focused on the issue of whether the presence of the media parties was necessary “for a full and effectual determination” of all of the issues in the reference. The media companies argued that their presence was necessary since the results of the reference would be binding on them. Prothonotary Tabib noted:

The media parties’ arguments thus essentially rest on the underlying assumption that what is truly at issue in this reference is the constitutionality of the Privacy Commissioner "“intended”" institution of a deindexing process in respect of lawful news content from Internet search results. However, as determined above, that is not what is truly at issue in this reference. What is at issue here is only whether Google is subject to or exempt from the application of Part 1 of PIPEDA in respect of how it collects, uses or discloses personal information in the operation of its search engine service when it presents search results in response to an individual’s name. (at para 36)

She observed that the only direct effect of the outcome of the reference would be the Commissioner’s decision to proceed with the investigation of the complaint against Google. She also noted that any freedom of expression impact that might ultimately flow from this matter would be shared by all internet content providers, as well as all those who used Google’s search engines. If the Charter interests of the media entitled them to be parties, then there was virtually no limit to who could be a party – which would be an absurd and unmanageable result. In her view it would be more appropriate for the media companies to seek intervenor status. However, she found that their motion did not address the issues they would need to establish for intervenor status. In brief, they failed to show how their contributions to the argument would be distinct from what Google would provide as party to the reference case. The motions were dismissed, with leave provided for the companies to reapply for leave to intervene once Google’s motion to vary the scope of the reference is decided.