By Konrad von Finckenstein
THE RECENTLY PUBLISHED mandate letter for the Minister of Innovation, Science and Industry (ISI) is extensive and deals with many large and difficult issues including climate change, copyright legislation, and new broadcast and telecom legislation.
The letter also focuses in an unprecedented way on consumer rights and privacy. Indeed, other than cell phone bills, it seems to look at most consumer issues through a privacy lens. It introduces several new terms which need to be conceptualized, explained, and put in context.
The mandate letter, in terms of consumers, provides that the Minister shall:
- Use all available instruments, including the advancement of the 2019 Telecom Policy Directive, to reduce the average cost of cellular phone bills in Canada by 25%. The Minister is directed to work with telecom companies to expand mobile virtual network operators (MVNO) in the market. If within two years this price reduction target is not achieved, the Minister may expand MVNO qualifying rules as well as the Canadian Radio-television and Telecommunications Commission mandate on affordable pricing.
- Advance Canada’s Digital Charter and introduce enhanced powers for the Privacy Commissioner, in order to establish a new set of online rights, including:
- “data portability;
- “the ability [presumably the right] to withdraw, remove and erase basic personal data from a platform;
- “the knowledge [presumably the right to know] … how personal data is being used, including with a national advertising registry and the ability (again, presumably the right) to withdraw consent for the sharing or sale of personal data;
- “the ability [the right?] to review and challenge the amount of personal data that a company or government has collected;
- “proactive data security requirements;
- “the ability [the right?] to be informed when personal data [protection] is breached, with appropriate compensation;
- and, “the ability [the right?] to be free from online discrimination including bias and harassment.”
- Create new regulations for large digital companies to better protect people’s personal data and encourage greater competition in the digital marketplace. A newly created Data Commissioner will oversee those new regulations.
- Create a new Canadian Consumer Advocate to ensure a single point of contact for people who need help with federally regulated banking, telecom or transportation-related complaints. The new Advocate is to ensure that complaints are reviewed and, if founded, appropriate remedies and penalties can be imposed.
So let’s attempt to understand this mandate letter and break it down into different tasks for the Minister and his department.
Task One: Reducing the cost of cellular services
It is far from clear how this goal will be achieved. To begin, what is the baseline on which the reduction will be calculated? Is it prices on the day of the election? The day the election was called? Or the date of the mandate letter? How will the CRTC actually achieve this reduction, since it has never regulated wireless prices, but instead forborne from wireless regulation?
The review of wholesale and wireless services is the first time the CRTC has stepped into this fray. It’s not obvious what the CRTC can do except to force down wholesale rates. As we have seen, the industry will oppose this violently, pointing to investment disincentives and the need to cut back services to remote or underserved regions. All this said, however, from a jurisdictional point view this first task is relatively simple as the responsibility rests squarely with the CRTC and the Minister has the power to issue directions to the Commission.
The remaining tasks, by contrast, all require new approaches, new tools, and new institutions. This is where the real work lies.
Task Two: Privacy as a right
To constitute privacy as a right, the Minister Bains will need to amend the Privacy Act and redraft the Personal Information Protection and Electronic Documents Act (PIPEDA). The present PIPEDA is a collection of data management principles incorporated into an Act (by way of appendix) which companies are obliged to adhere to. The present Privacy Act deals only with data held by the federal government.
Both Acts were drafted from the perspective of imposing obligations on government and companies rather than bestowing rights on consumers. Both Acts are administered by the Privacy Commissioner who, with respect to PIPEDA, essentially acts as an ombudsman. The Commissioner’s only real power is to take non-compliant companies to court.
The various privacy-related rights stated in the mandate letter and listed above need to be defined, drafted into legislation and operationalized. These are all major undertakings.
Both an amendment of the Privacy Act and a wholesale rewrite of PIPEDA are long overdue. Yet the direction of these changes is clearly the right one. There has been a global movement towards rights-based privacy/data protection legislation, as seen in the continuous stream of amendments across the developed world to bring jurisdictions up to the standards enacted by the European Union in its General Data Protection Regulation, which is considered the gold standard.
Task Three: Regulation for large digital companies
How large digital companies operate has become a concern worldwide. It appears obvious this provision in the mandate letter refers to the large social media companies – i.e. the FAANGs (Facebook, Apple, Amazon, Netflix and Google) and similar organizations.
One way to achieve this would be to declare anonymized, aggregated ‘user data’ as public resources under the rewritten Act.
The new regulations are meant to place various restrictions on these companies and to protect consumer rights, without limiting their tremendous innovative force. The authority for the regulations would be found in the new, rewritten PIPEDA. One way to achieve this would be to declare anonymized, aggregated ‘user data’ as public resources under the rewritten Act. The Act could impose on large digital companies a fiduciary duty to treat such public resources properly in the interest of consumers, i.e., the providers of the data. It would also, provide authority for the making of the necessary detailed regulations.
Such regulations would minimally include:
- Defining who is a “massive aggregator of user data” (Many large corporations, not just the FAANGs would fall under this heading);
- Requiring disclosure of what data is amassed;
- Imposing on the aggregator an obligation to anonymize such data and make it impossible to re-engineer the anonymization;
- Imposing limits on the uses to which the data may be put.
Creating a national advertising registry
For such a scheme to work, there is clearly the need for a national registry, as the mandate letter states. We already have analogous schemes for such a registry. For instance, under the Elections Act there is a requirement for third parties to register with Elections Canada and disclose their financing during elections if they engage in partisan or election advertising. Similarly, under the Textile Labelling Act all textiles imported into Canada need to register to obtain a CA identification number through which the importer and the nature of the textile can be traced. On the basis of these precedents, given the requisite legislative base a registry can easily be established.
It is more than likely that the National Advertising Registry in the digital world would be a facilitator of resulting regulatory action by agencies that are mandated to protect consumers and other businesses from abuse. These agencies, whose mandates include consumer protection, privacy and anti-competitive practices, could work together to fend off abuse caused by poor privacy and data collection practices.
In 2013, a co-operative regulatory framework model was put in place to facilitate the identification of cyber-based abuse such as botnets, malware, spyware, spam, etc. (the CRTC’s Spam Repository), routing the matters to the appropriate agency. This could be a starting point from which to develop the plans.
Creating the Office of Data Commissioner
The establishment of consumer rights, policing such rights and enforcing them is very different from the role of an Ombudsman, as the present Office of the Privacy Commissioner (OPC) is essentially constituted. A rights-focused enforcement role is also generally seen as a function of government rather than that of an independent body reporting directly to Parliament such as the current Privacy Commissioner.
The OPC has responsibility for both the Privacy Act (which deals with federal government-held private information), and PIPEDA. There are two possible ways to deal with the Privacy Act — either (a) keep it under the current OPC administration, or (b) hand it over to be enforced by the Office of the Information Commissioner, who is currently responsible for the Access to Information regime relating to the federal government and crown corporation.
This might help streamline responsibilities and avoid duplication of work. Both the Privacy Commissioner and the Information Commissioner, as independent Officers reporting to Parliament, would makes sense in this context, as either would be essentially responsible for ensuring that the government respects citizens’ privacy rights. (It should be noted that the OPC also has a separate responsibility as the oversight body for FINTRAC. This role carries with it additional authorities that go beyond those of an ombudsman, which is its main role.)
By contrast, the new position to be created, the Data Commissioner, would administer a rewritten PIPEDA containing all the new data rights of consumers. This new office would also regulate large digital companies in accordance with the new regulations, as well as administer the new advertising registry. Such an office would likely be modeled along the lines of the Competition Bureau, where it could be legally part of the Department of Industry, Science and Economic Development (ISED), but operationally distinct and autonomous. That is, it would report to the Minister of ISI but with independence in terms of enforcement.
After all, data management is a vital part of the new digital economy and should be administered in accordance with the government’s overall digital strategy.
If the new advertising registry were administrated by the Data Commissioner’s office, then any matters identified that involve multiple effects on consumers, privacy and competition, for example, would, when necessary, require a co-operative regulatory effort that ensures consumers and the process of competition are protected, at the same time that any abuse of privacy rights is resolved. This would mean co-operative action by the Data Commissioner, the Competition Commissioner and the federally mandated consumer authorities.
Task Four: Establishing the Canadian Consumer Advocate
This person (and his or her supporting office) appears intended to be the national spokesperson for consumers on all policy issues, just as the Commissioner of Competition is the advocate on competition issues. The new office should be attached to ISED, on the same lines as the Data Commissioner, and would be administratively part of the department, except that the Advocate would be independent in terms of making consumer pronouncements.
A co-ordination mandate – as opposed to a decision-making one – is never an easy undertaking.
Over and above the role of advocacy on behalf of consumers, the office could be vested with powers to act as a ‘super ombudsman’ who would look into complaints raised against decisions by federally-mandated bodies such as the CRTC, the National Transportation Agency, the Consumer Financial Agency of Canada and the Commission for Complaints for Telecom-television Services. To fulfill this role, the new office would need, at a minimum, the power to review cases, issue reports and make recommendations.
To help the consumer effort of the Canadian government succeed and to avoid agencies working at cross purposes, part of the duties of the Canadian Consumer Advocate should also be the overall co-ordination of consumer regulatory efforts. The various agencies involved will need to co-operate with each other and keep each other apprised, in real time, of urgent matters.
A key task, therefore, of the new Consumer Advocate will be to encourage and facilitate the co-operative exchange of information and data, and to identify and seek to eliminate barriers to exchange of information, investigations and confidential data. Experience has shown, however, that a co-ordination mandate – as opposed to a decision-making one – is never an easy undertaking.
The bottom line
The specific mandate assigned to the Minister of Innovation, Science and Industry is, to say the least, daunting.
Minister Bains will have his hands full with a long to-do list related to both the traditional and the new economy, but what is perhaps most significant about this forward direction from the Prime Minister is that it’s the first time since the abolition of the former Department of Consumer and Corporate Affairs in 1993 that consumer interests have figured so prominently on the federal agenda.
The unprecedented focus on digital rights is necessary if Canada is to catch up to what has already been achieved in terms of privacy rights in the EU and in California. This ambitious agenda will take Canadians in a new and positive direction, however delivering on all these changes within the current mandate will be a challenge.
Konrad W. von Finckenstein, Q.C., is a former chair of the CRTC (2007-2012), Federal Justice, and Commissioner of Competition.
