Data transfers and consumer privacy part two: Cybera’s response to Innovation, Science, and Economic Development Canada

In early September, Cybera submitted its response to a consultation by Innovation, Science and Economic Development (ISED) Canada on the modernization of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). (This followed our August submission to an Office of the Privacy Commissioner (OPC) consultation on transfers for processing.)

Comments were requested on a number of issues related to modern privacy governance, including consent, data mobility, enabling data trusts, and the new authorities given to Canada’s Office of the Privacy Commissioner (OPC). 

Forming the foundation of Canada’s privacy protection regime, PIPEDA is an incredibly important document that, as such, needs regular updating to meet modern personal information protection needs. In our response, Cybera stated that consent and accountability are important foundational principles that need to be maintained in any future privacy legislation. We also feel that emerging concepts such as data mobility and data trusts must also be seriously considered within updated privacy legislation. 

As well, Cybera argued that the OPC needs additional powers to proactively investigate and audit, and the power to levy monetary penalties. 

However, Cybera recommended that ISED view the above matters in the context of the needs of commercial entities, organizations, and researchers. These groups regularly transfer data for novel and innovative uses that are often in the public interest. 

In our response to the ISED consultation, Cybera made the following recommendations with respect to the issue of modernizing PIPEDA: 

  1. Allow for a degree of flexibility in future privacy legislation to maintain a relative free-flow of data, including for transfers for processing, and transborder transfers for processing.
  2. Maintain the principles of consent and accountability in future legislation, while allowing for implied consent to apply to transfers, where possible. 
  3. Continue to allow reasonable exceptions for data used for academic, scholarly and research purposes, and regulate these uses as a separate legal category from commercial uses.
  4. Refrain from an overly broad requirement for data mobility, and instead address the issue from a competition or antitrust perspective.
  5. Give the OPC greater powers to proactively review, investigate and audit. 
  6. Give the OPC the power to levy monetary penalties.

You can read our full submission here:

Cybera - ISED PIPEDA Modernization