Canada Introduces a Digital Charter to Better Protect Privacy

“Misinformation and privacy have threatened the very foundations of Western democracy, and Canada has proposed a response – a Digital Charter.

An announcement this past week builds on the commitment made to join the Christchurch Call, to “bring together countries and tech companies in an attempt to bring to an end the ability to use social media to organise and promote terrorism and violent extremism.” The 10 Principles of the proposed Digital Charter are as follows:

1. Universal Access: All Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills.
2. Safety and Security: Canadians will be able to rely on the integrity, authenticity and security of the services they use and should feel safe online.
3. Control and Consent: Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.
4. Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.
5. Open and Modern Digital Government: Canadians will be able to access modern digital services from the Government of Canada, which are secure and simple to use.
6. A Level Playing Field: The Government of Canada will ensure fair competition in the online marketplace to facilitate the growth of Canadian businesses and affirm Canada’s leadership on digital and data innovation, while protecting Canadian consumers from market abuses.
7. Data and Digital for Good: The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people—at home and around the world.
8. Strong Democracy: The Government of Canada will defend freedom of expression and protect against online threats and disinformation designed to undermine the integrity of elections and democratic institutions.
9. Free from Hate and Violent Extremism: Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content.
10. Strong Enforcement and Real Accountability: There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.

How all of this will be achieved legislatively is still not entirely clear, but there are formal proposals available to modernize the Personal Information Protection and Electronic Documents Act (PIPEDA), which has notable shortcomings to ensure compliance in a digital and information driven economy. The proposals to update PIPEDA are divided into 4 parts:

1. Enhancing individuals’ control
2. Enabling responsible innovation
3. Enhancing Enforcement and Oversight
4.  Areas of Ongoing Assessment

Greater individual control is needed to provide consumers greater control of their own data, and to develop new frameworks for the ethical use of data, including potentially putting the impetus for privacy on the user through the Privacy Self-Management approach. Potential changes to achieve this might include greater standardization of consent agreements, and prohibiting the bundling of consent into complex contracts. Consumers could obtain an explicit right for private personal information to be moved between organizations in a standardized digital format, similar to a digital portfolio.

In Unraveling Privacy: The Personal Prospectus and the Threat of a Full Disclosure Future, Scott Peppett describes a similar notion of a personal prospectus,

The personal prospectus would be a compilation of an individual’s verified private information about himself: a digital repository containing the data collected from the sensors and drug tests in the previous examples, or from the many other innovative monitors undoubtedly around the corner, as well as information from one’s bank accounts, educational records, tax history, criminal history, immigration records, health records, and other private sources.

Although this approach creates the appearance of consumer control, he emphasizes that the privacy interests are actually compromised by those who refuse to disclose, as they are stigmatized and penalized on the assumption they are hiding harmful information,

Those who refuse to share their private information will face new forms of economic discrimination. How long before one’s unwillingness to put a monitor in one’s car amounts to an admission of bad driving habits, and one’s unwillingness to wear a medical monitor leads to insurance penalties for assumed risky behavior? In a signaling economy, forced disclosure will be at least as difficult a problem as data mining and the digital dossier.

Consumer control would also potentially be enhanced through an explicit right to be forgotten or de-indexed, built directly into PIPEDA. This exact question has been proposed by the Privacy Commissioner, and referred to the Federal Court. As I’ve noted previously, this might be difficult to achieve without the Act being amended.

The amendments also consider how important data is in a digital economy, and the government wants to adopt an approach that does not unduly stifle innovation. Solutions proposed for this problem are the creation of data trusts managed by third-parties within a fiduciary asset management framework. This approach might use certification, codes of conduct and standards to ensure the appropriate level of de-anonymization of data, while still supporting innovation.

The third proposal for amending the Act includes a more robust model of enforcement, given that the current structure is largely considered ineffective in protecting individual privacy interests. The current fining powers have never been used in almost 20 years of PIPEDA’s existence. Contemplated changes include enhancing the Commissioner’s powers, including the potential use of Administrative Monetary Penalties (AMPs) and the use of a tribunal.

The final proposal is to ensure that there is ongoing assessment to maintain clarity, especially for individuals and smaller organizations. The collection, use and disclosure of data by non-commercial entities might also be covered by PIPEDA. The models under B.C. and Alberta‘s Personal Information Protection Act may contain some basis for moving forward for the rest of Canada.

Many of us have been lamenting about the inability of the legislatures across Canada to keep up with technology and privacy interests. The proposed Digital Charter provides an opportunity for us to establish what those next steps might be. Organizations and individuals interested in contributing further should consider providing a written submission on the subject.”