TORONTO/NEW YORK (Thomson Reuters Regulatory Intelligence) - The Office of the Privacy Commissioner of Canada (OPC), which oversees the administration and enforcement of data privacy law, is mulling over policy reforms to offer Canadians more regulatory tools to protect their personal information online.
Following an initial consultation in 2016 to explore issues pertaining to online reputation, the OPC has launched a separate public consultation on proposed reforms that will give individuals the legal right to ask search engines to de-index web pages and take down online information under certain circumstances.
While the OPC has yet to confirm whether the proposed reforms will be implemented, heightened regulatory interest in the protection of personal information posted online merits close monitoring by Canadian businesses.
The OPC two years ago sought public comment(here) on regulatory solutions to challenges faced by individuals seeking to remove online information that has a negative impact on their reputation.
The OPC received 28 submissions from academics(here), corporations, advocacy groups, legal professionals and the general public. Proposals from commentators included introducing standardized request forms to remove online information to enhancing the authority of the OPC itself compel businesses to remove information.
Many commentators cited a "right to be forgotten" enshrined in the European Union General Data Protection Regulation (GDPR)(www.eugdpr.org/) as a reference point for the idea that individuals should have a right to have their personal information de-indexed from search engines in certain circumstances. While most commentators objected to implementing a GDPR-style "right to be forgotten" regime, some submissions were receptive to a search engine de-indexing option.
Based on the submissions received from the consultation, the OPC recently published a draft position on online reputation(here). The document outlines proposed solutions from the regulator to balance the freedom of expression with the privacy interests of Canadian individuals.
The OPC identified two options, de-indexing and source takedown, which the regulator asserted is currently within the scope of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s principal data-privacy law.
De-indexing involves removing certain information from search engine results associated with an individual’s name. The OPC stated that in its interpretation, indexing of websites that contain personal information by search engines falls within the definition of “collection, use or disclosure” of personal information under PIPEDA.
Under the PIPEDA, businesses have an obligation to ensure that personal information is accurate and up-to-date, taking into account the interests of the individual. As a result, the OPC asserts that search engine operators must comply with requests to de-index information if it is inaccurate, out-of-date or goes against the interests of the individual in certain circumstances.
In cases where personal information of an individual is posted by a third party, individuals may have the right to challenge the accuracy of the information and request to have it de-indexed.
The second option, source takedown, refers to the removal of specific content from the internet altogether. The PIPEDA provides individuals with the right to withdraw consent and requires businesses to destroy personal information that is no longer needed or which consent is no longer valid. The OPC interprets these provisions of the PIPEDA to imply that individuals should have the ability to remove information through withdrawing consent for it to be used.
In addition to considering regulatory reforms, the OPC’s position paper also advocated for a nationwide rights-based privacy education program to strengthen public awareness of online privacy protection issues. Topics would include education the public on the use of tools to control online information such as consent to the use of personal data and takedown procedures.
The OPC’s position paper is open to public consultation until April 19, 2018. Following the consultation, the regulator will finalize its position and develop an action plan to implement new policy measures, if appropriate.
The OPC's position that the indexing of websites by search engine constitutions the collection, use or disclosure of personal information has proven it controversial(here).
Businesses and some legal professionals have questioned whether search engines collect personal information in the same manner that company databases store personally identifiable information, suggesting that this issue may be tested in court in the near future.
The implementation of a right to erasure in Canada has also been the subject of much debate. Submissions received by the OPC during its first consultation in 2016 reflect that the majority of commentators seem to be opposed to adopting a strict “right to be forgotten” regime in Canada.
Some commentators have suggested(here) that the current legal framework in Canada, at least in some provinces, efficiently addresses the privacy concerns that a right to erasure is meant to address.
Commentators supportive of this position have also argued that the better option would be for provincial governments to update their respective legislative frameworks to cover new online media.
While Canada currently does not have a “right to be forgotten” regulatory regime, the PIPEDA and provincial laws do provide individuals with some rights to control their personal information, including on online channels.
The PIPEDA requires businesses to delete personal data that is no longer relevant or inaccurate. Individuals can file complaints with the OPC against businesses that refuse to delete personal data that meets these criteria. However, the interpretation of what constitutes relevance and accuracy is not clarified.
The PIPEDA and some provincial laws also give individuals the right to consent to having personal information collected or amended for accuracy purposes. Individuals may withdraw consent, which must be honored by businesses. However, these obligations only apply to businesses that collect personal information in the course of commercial activities. It is unclear whether indexing activities of search engines would fall within this scope.
Businesses are advised to monitor developments from the OPC. While the regulator has not firmly committed to introducing new privacy measures to give individuals more options to de-index or takedown information from search engine indexes, online personal reputation privacy is an emerging area of risk and regulatory development in Canada.
More broadly, businesses that are obligated to comply with the PIPEDA should prepare for potentially more activity in the area of personal data and privacy regulation. Businesses have been repeatedly notified(here) that mandatory breach reporting obligations are set to be implemented in Canada imminently. The new obligations will be enshrined in amendments to the PIPEDA and Canada's Digital Privacy Act, which amended PIPEDA in 2015. Beyond Canada, the GDPR is set to take effect in May 2018. The extra-territorial reach(bit.ly/2CSBuZ3) of the regulation will impose some compliance and reporting obligations on Canadian businesses.
(Helen Chan is a regulatory intelligence expert in the Enterprise Risk Management division of Thomson Reuters Regulatory Intelligence. Email Helen at firstname.lastname@example.org)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Feb 21. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters