Reflections on PIPEDA and the Future of Privacy Law in Canada

Reflections on PIPEDA and the Future of Privacy Law in Canada
Kate Wilson, Legal Counsel
Office of the Privacy Commissioner of Canada
McGill University, Faculty of Law
November 27, 2018

Privacy Commissioner of Canada
- Mandate covers Privacy Act and PIPEDA
- Commissioner’s overarching goal of enhancing Canadians’ control over their personal information

OPC strategic privacy priorities
- Economics of personal information
- Government surveillance
- Reputation and privacy
- The body as information

PIPEDA, 17 years on…
- Constitutional underpinnings: “trade and commerce” (s. 91(2))
- Quasi-constitutional status
- Human rights legislation?
- Consumer protection?

Parallel evolution of common law
- Statutory torts in various provinces (e.g., British Columbia)
- Increasing recognition of torts at common law (e.g., intrusion upon seclusion post Jones v. Tsige in Ontario)
- Increase in class action activity and in certification of class actions, particularly post breach

2001: bricks and mortar
- Bilateral relationship: customer + business
- Collection of PI at time of purchase of product or service (e.g., opening a bank account)

2018: virtual ecosystems
- Complex data-driven business models
- Opaque data flows and processes
- Frequently transborder nature of data flows

Pressures on privacy protection
- Big data
- Artificial intelligence
- Internet of things
- Algorithmic decision-making
- Cloud computing

International developments
- General Data Protection Regulation, May 25, 2018
- Broad extra-territorial reach
- Significant consequences for non-compliance

GDPR: new elements
In addition to differences already present under the Directive:
- Right to data portability
- Right to erasure
- Privacy by design and default

GDPR: Adequacy
- Role of Innovation, Science and Economic Development (ISED)
- Adequate but not identical
- Impetus for legislative action?

Consent under PIPEDA
- Remains a cornerstone of the Act
- How to strengthen?
- When is it impracticable? Illusory?
- Are there alternatives?

Valid consent
s. 6.1: “…the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting”

Challenges to meaningful consent
- Can the individual understand who is making what use of her PI?
- Continuous collection, use or disclosure (e.g., IoT)
- “Take it or leave it”: contracts of adhesion?

An industry perspective
- Consent is impracticable for certain unanticipated uses of data
- Increase reliance on implied consent as a means of facilitating innovation
- Promote de-identification
- Consider a risk-based consent model
- Broaden the concept of “publicly available”

Guidelines for obtaining meaningful consent
- Guidance takes effect January 1, 2019
- Consent consultation process
- Further clarifies how organizations achieve valid/meaningful consent

7 principles for meaningful consent
- Emphasize key elements (4)
- Allow individuals to control level of detail and timing
- Provide clear options for yes or no
- Be innovative and creative
- Consider the consumer’s perspective
- Make consent a dynamic and ongoing process
- Be accountable: be ready to demonstrate compliance

Exploring other avenues for protection and control
- Legitimate interests
- Ethical assessment of data processing
- Promoting algorithmic transparency
- De-identification of personal information

Reputation
- Draft position paper on online reputation: to what extent does PIPEDA already speak to these issues?
- Identification of inappropriate practice of posting information in order to then charge to take it down (e.g., Globe24h.com)
- Federal Court reference re whether Google’s search engine service subject to PIPEDA

Updating the OPC enforcement tool kit
- Ombuds model, pros and cons
- Order-making powers
- Administrative monetary penalties
- Not new ‘asks’

In the interim at the OPC…
- Restructuring: promotion and compliance sectors
- Encouraging compliance v. dealing with existing compliance issues
- Shift towards pro-active enforcement
- Emphasis on guidance in key areas
- Development of Business Advisory Services

Learn more at www.priv.gc.ca