It is time to overhaul Canada’s data protection—your rights are at stake
Teresa Scassa is the Canada Research Chair in information law and policy at the University of Ottawa, and is a member of the Centre For Law, Technology, and Society.
Nobody wants to be haunted by false, inaccurate or even just plain embarrassing online personal information. The risks and consequences are such that the protection of online reputation has become an increasingly compelling issue for Canadians. The stakes are even higher for young Canadians who may be forced to deal with the lasting traces of poor adolescent decision-making as adults, not to mention images posted by friends or family without their knowledge or consent. The “right to be forgotten” is the right to have information in the hands of other parties erased or obscured, and it has become a major and evolving issue in Europe, where data protection and privacy laws not only treat privacy as a human right, but are considerably more adapted to technology than the laws in Canada.
Given the high-profile developments in Europe, it is not surprising that Daniel Therrien, the privacy commissioner of Canada, has identified the protection of online reputation as a key area of interest. On Jan. 26, the commissioner released a position paper on the topic that builds upon an open consultation process held in 2017. Remarkably, the commissioner argues that the current law—the Personal Information Protection and Electronic Documents Act (PIPEDA)—already provides important recourse to those seeking to obscure their online personal information.
The commissioner argues that PIPEDA, which applies to organizations that collect, use and disclose personal information in the course of commercial activity, extends to the search functions of search engines. In other words, when a person enters the name of a neighbour or co-worker into a search engine and the search engine returns a list of results, the search engine has collected, used, and/or disclosed this information and is obliged to comply with PIPEDA. Since PIPEDA includes an obligation to maintain accurate information, the commissioner argues that an individual could demand to be de-indexed—to have the problematic results on these search engines completely erased. De-indexing, it should be noted, does not mean the actual removal of the content—after all, the content is hosted by someone other than the search engine company. It simply means that steps would have to be taken to ensure that the content does not appear in search results for the affected individual. But de-indexing is a serious matter given that search engines operate as a primary gateway for almost all content online.
Many of those who made submissions to the commissioner during the consultation process raised doubts about whether such a system could work. They also expressed concerns about the potential impact on freedom of expression—and indeed, a right of this kind would have to be balanced with that freedom. The commissioner suggests that the obligation to de-index would apply only where the content is unlawful in some way or where access to the information could cause significant harm to an individual, and avoiding that harm outweighs any public interest in continued access.
Currently, search engines already can and do de-index search results in appropriate circumstances—usually where there is a court order. But the commissioner’s reading of PIPEDA twists it to create rights that could swamp search engines with requests requiring individual evaluation—and that could overburden an important resource relied upon by almost everyone.
As it stands, there is a strong argument that PIPEDA does not apply to the search functions of search engines. A Federal Court of Canada decision in 2010 found that where intermediaries are retained or used by individuals to collect personal information on their behalf, the fact that the intermediary is engaged in commercial activity does not turn a purely personal search for information into one to which PIPEDA applies. In other words, it is the searcher who is collecting the personal information. If they are doing so in the course of commercial activity, PIPEDA applies. But if they are searching the internet for purely personal purposes, it does not. PIPEDA expressly does not apply to information collected by individuals for purely personal or domestic purposes, nor does it apply to information collected for journalistic, literary or artistic purposes. Applying PIPEDA to the tool used by a person to whom the statute does not apply would extend its scope inappropriately.
Make no mistake: PIPEDA is a weak statute that is frankly inadequate to address the challenges of our digital and data-driven society. Its inadequacy has been noted by privacy advocates across the country, and both the former and current privacy commissioners have also weighed in on the need to reform many aspects of the law. PIPEDA has been repeatedly studied by Parliamentary committees, and it has been the subject of some rather piecemeal amendments over the years, some of which have actually made it easier for businesses to collect, use, or disclose personal information, or to share it with governments. New data-breach reporting requirements—aimed at protecting the public—are still not in effect as the long process of implementation drags on. It is understandable that the commissioner might seek to make the best of a bad situation by stretching the statute to fit emerging technological challenges. But there is no point in building expectations and encouraging actions that are doomed ultimately to fail because the law just is not there to support them.
In engaging in his work on protecting online reputation, the commissioner expressed the desire “to create an environment where individuals may use the internet to explore their interests and develop as persons without fear that their digital trace will lead to unfair treatment.” This is a worthy aspiration. Yet it is still not sensible to stretch an inadequate law beyond its point of elasticity. Search engines do not want onerous and uncertain duties foisted upon them, and they will fight—and win—in court. It does not help Canadians for the commissioner to encourage them to invest resources and energy into pursuing remedies, only to learn that the recourse really does not exist.
What would help Canadians would be to have a private-sector data protection statute that is fully adequate to meet the needs of our data-driven society and economy and that offers meaningful protection, with appropriate remedies for affected individuals. Parliament has danced around PIPEDA reform for far too long. It is time to overhaul data protection for Canadians.