Privacy: Do you have a right to be “forgotten”?
Someone in Vietnam recently hacked my son’s Facebook page and took over his profile. For the past month, he has tried to have Facebook intervene and return his access to his own profile. Unfortunately, he is making very little progress. Needless to say, he is upset and disillusioned with the social media giant.
That’s my personal story about Facebook. As you are probably aware, Facebook was also responsible for a massive user data breach earlier this year. The Office of the Privacy Commissioner (OPC) of Canada subsequently launched an investigation into the company’s practices. As I understand it, the investigation continues at the time of writing, although the OPC issued a couple of rulings involving Facebook. You can read them here.
My son’s experience coupled with the ongoing heightened awareness of privacy “inspired” me to write about the topic. For those of you who want to understand Canadian business’ privacy obligations, you can read my article about PIPEDA here. This article focuses on individual rights rather than business owner rights. I’ll also take a look at the horizon and provide insight into the direction we’re likely to head.
To understand your privacy rights, you must first understand how your privacy rights are created in the first place. The Canadian government enacted the clumsily named Personal Information and Private Electronic Document Act (PIPEDA) in 2000. Since then Quebec, Alberta and BC have enacted their own provincial laws. The other provinces have not enacted privacy laws, so the Canadian PIPEDA applies until they do.
PIPEDA introduced the concept of Privacy by Design into law. Privacy by Design means that businesses must consider privacy throughout the entire process and company. The law introduced obligations to create systems to collect and protect personal information while giving rights to individuals to control their personal information.
Since then, countries around the world have either introduced or strengthened their privacy laws. The EU recently introduced a new law incorporating significant new penalties for companies that breach their obligations.
With the recent news about the EU’s new law, I was actually surprised to learn that PIPEDA stacked up fairly well against the new GDPR (General Data Protection Regulation). I was surprised because PIPEDA has been around since 2000 and the news about GDPR made the new law sound like it gave EU residents significantly more protection. While differences exist, a large amount of overlap also applies to both laws.
But, to answer the question above, Canadians DO enjoy the right to be forgotten or erased from a business’ database. In Canada, a business may not keep personal data when it no longer requires it, nor can it keep information if an individual withdraws his or her consent. So, in that sense, a company must delete personal information when the work involved to service that customer is no longer required or when an individual provides notice that he or she withdraws consent.
Other individual rights shared by most privacy laws around the globe include the right to access your personal information kept on the company’s records. Companies cannot collect data without your permission. When businesses collect personal information of low value, such as your name, they can rely on implied consent. For example, if a business needs your name to perform a service, that business can rely on your implied consent to use your name. However, if the information recorded is more sensitive, such as a driver’s licence number, then businesses must obtain express consent, and their means of securing that information must correspond to the sensitivity of the information: better security for more sensitive information.
Businesses cannot collect more information than required to supply the product or service. So a corner store selling you a chocolate bar should not ask for your phone number, address and number of dependants. If you want a more detailed account of your rights under PIPEDA, you should visit the Privacy Commissioner of Canada webpage here.
The European GDPR provides individuals the right to request erasure under certain circumstances. These include the right to withdraw consent and the right to demand erasure when the business no longer requires the information. Sound familiar? The main difference between the GDPR and PIPEDA appears to be which organizations fall under their jurisdiction. Under the GDPR, search engines are clearly included, while under PIPEDA they are not.
So Canadians, like Europeans, can force companies to remove their personal data. But only Europeans seem to be able to extend that right to search engines like Google and Bing.
In Canada, if you believe that a business is not meeting its obligations under the act, you can complain to the Privacy Commissioner. Click here for more information on the reporting process. Essentially, the Privacy Commissioner can investigate. If the business does not cooperate with an investigation or comply with its rulings, the OPC can apply to court and obtain orders forcing businesses to comply.
The GDPR, on the other hand, imposes significant penalties on businesses that violate the regulation. The GDPR imposes two levels of fines. On the lower level, companies that violate the rules on less sensitive personal information are subject to the GREATER of 10,000,000.00 Euros or 2% of their worldwide annual revenue. For upper level fines, the GDPR imposes the GREATER of 20,000,000.00 Euros or 4% of their worldwide annual revenue. You read that correctly. These are staggering penalties. Our penalties, while not insignificant, pale in comparison.
With the increase in the value tied to big data collection, privacy laws continue to evolve to provide stronger protections. We witnessed the taming of spam emails when Canada and other western countries implemented strict anti-spam laws with significant penalties (these laws did not eliminate spam, but they reduced it significantly).
Privacy laws will likely follow the same pattern. The OPC has already recommended bringing search engines under the umbrella of PIPEDA. The Commissioner wants to extend the rights enjoyed by Europeans to Canadians. I suspect the Canadian government will watch the EU’s penalty provisions in action carefully. I wouldn’t be surprised if our government eventually enacted similar penalties.
Philippe Richer is President of TLR Law Group. TLR has been located in the St. Boniface neighbourhood, in Winnipeg, since 1996. The office serves the middle class and small business within the province. With a focus on estates, wills, real estate, and corporate law, he leads his team in providing accessible legal services. Philippe also authored the business law course for the Knowledge Bureau and instructed the français juridique class at the faculty of Law at the University of Manitoba.