Dr Stephanie Perrin led the drafting initiative that resulted in Canada's first piece of privacy legislation to cover the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA came into force in 2001 and is still in effect today. POWER PLAYS' Ayden Férdeline hears the story behind the development of that law.
Dr Stephanie Perrin now serves on a number of privacy committees, including the Electronic Privacy Information Center’s advisory committee and the privacy and civil liberties advisory committee of Palantir Technologies. She previously spent 30 years of her career in the Canadian federal government.
[INTRO] You’re listening to POWER PLAYS: the podcast charting how important decisions about the Internet – its infrastructure, and its institutions – have been made. Here’s your host, Ayden Férdeline.
[FÉRDELINE] Today on POWER PLAYS we are joined by Stephanie Perrin, an internationally-recognized privacy expert and advocate for civil liberties.
Dr Perrin spent over 30 years of her career in the Canadian government, where she was instrumental in developing Canada’s privacy and cryptography policies.
She led the drafting initiative that resulted in the Personal Information Protection and Electronic Documents Act, PIPEDA, privacy legislation that came into force in 2001 and which is still in effect today. The story behind that law is going to be the focus of our conversation today.
Dr Perrin, thank you for your time.
How early on in your career was it when you realised it would be necessary for Canada to introduce legislation that sought to safeguard privacy rights?
[PERRIN] I had the good fortune of being the Privacy Coordinator in the Department of Communications. I started that job in 1984, which I always joke is a good year for privacy. And we were at that time experiencing a great deal of new innovations coming across our desk. You know, this was a day when cell phones shrunk down from the enormous things the military was using to the handsets we have today and the personal computer hit the desktop. So privacy became an issue with all of this new technology, and I took a job within technology impact assessment, a division of our department, and it became pretty clear that privacy legislation was necessary.
But, as with any government, it takes many years to get there. So we did research on the powers that we had as the federal government to bring in a law. And in Canada those powers are different because of the federal/provincial arrangements. And the provinces were not acting to bring in legislation even in their own jurisdiction.
[FÉRDELINE] Why was there a need for the provinces to act? What data do the provinces themselves manage?
[PERRIN] There is a need to have governments act to protect licensing data, educational data, driving, health, all of that is under provincial jurisdiction.
[FÉRDELINE] Okay. And you wanted the provinces to safeguard that data.
[PERRIN] So we were figuring out ways to encourage them to do that, and at the same time to cover the private sector, which was becoming more and more important.
[FÉRDELINE] Was that, then, the principal reason there was a need for the Personal Information Protection and Electronic Documents Act, PIPEDA? Or was PIPEDA more of a response to the European Union’s Data Protection Directive of 1995, that was, I imagine, impacting data flows between Canada and the European Union?
[PERRIN] The major data flows in Canada are really north-south, to the United States. So it’s not that we didn’t care about Europe and the European Directive, but it wasn’t the driver that it might be for say, the United Kingdom, which is right there. So definitely we wanted to comply with the European Directive and avoid blockage of data flows, but there was another factor which I think was fairly important, and that is that the province of Quebec had regulated. They had passed their charter of rights and updated their civil code. And so they had a suite of constitutional protections that looked at the protection of personal data, and they also passed a data protection act that passed everything in Quebec’s jurisdiction, so we already had federally-regulated industries that were in the province of Quebec complying with Quebec legislation because they pretty well had to even though it didn’t apply to them, but in a vacuum because there wasn’t federal legislation, they were complying. So there were complaints being filed, and the commissioner was reviewing complaints, and that kind of a vacuum needs to be addressed. And Quebec of course was advertising to Europe that it was the only safe place in North America to ship your data. And that wasn’t popular south of the border or in the rest of Canada, but it was a good advertising strategy. So there was pressure from the fact of Quebec having acted to move.
[FÉRDELINE] Interesting. So it was Quebec, and not the European Directive, that drove the need for PIPEDA.
[PERRIN] People say that PIPEDA was really targeted at solving the problem with the European Directive having come into force in 1998, and certainly that was a driver. When you’re explaining to governments why you need to pass legislation, you sort out all the drivers. And that was one. But in fact we needed it to sort out fair competition in industry. Some industries were regulated. The banks, for instance, had within their own banking regulation restrictions on what they could do with personal data. The telecommunications industry could see legislation coming in certain respects. And we didn’t want to have a patchwork, a patchwork of industries or a patchwork of provinces in terms of what they covered.
[FÉRDELINE] So there was a desire for convergence and harmonization?
[PERRIN] It was an era where the industries were all trying to get into one another’s businesses. The telcos were all of a sudden becoming content producers and movie producers. And that kind of split apart after a while. But at the time it certainly looked like everybody would be doing everything, so making these distinctions as to what was within their purview as to legislating was really difficult.
[FÉRDELINE] So what did you do?
[PERRIN] So we put together the legislation in a way that we felt would be trade neutral in terms of trade barriers. The way we did this was take an existing Canadian standard that I’d been working on from 1991 to 1996, that is the Canadian Standards Association’s model code, and basically attached that as a schedule to a law. It was an ugly approach from a legal drafting perspective, but most privacy legislation is not elegant. We hear a lot of complaints about how long the GDPR is and various bills. So we were kind of feeling this was as logical as any. The model code itself provides a template for any industry, any business, of any size to look at it and to come up with management practices to protect the data.
[FÉRDELINE] Why management practices as opposed to something more prescriptive?
[PERRIN] It is often very difficult for a small business to look at a piece of privacy legislation, for instance, and figure out what is required. A set of management practices organized on principles on the other hand, they can go through it and go ‘ah, I see, I have to do this, fine I’ll do that.’ We also wanted this legislation to be cheap to implement. It was called light touch regulation. I’m not quite sure what that means, but from our perspective we were trying to make it clear and not the kind of thing where you had to hire lawyers to figure out what to do.
[FÉRDELINE] What other considerations fed into the creation of PIPEDA?
[PERRIN] During the period of time when we were doing the research and simultaneously doing the Canadian Standard we were looking at the federal suite of powers that would enable us to do this. And it was very clear that the federal government is responsible for international trade, transborder activities – so transportation, trucking, regulating those industries - banking, telecommunications, most of the information rich industries, and it was clear that we would have jurisdiction over the Internet. But the decision to not regulate the Internet has more or less impacted how we would do this. In the United States they were passing various types of privacy legislation that were sectoral. The Children’s Online Privacy Act, for instance, and the health legislation. We certainly did not want that approach. We wanted a harmonized approach and frankly the trade and commerce power, which PIPEDA is based on, had not been used since it had been used to justify the Competition Act and the Competition Bureau that looks at deceptive trade practices. So it hadn’t been used in sixty years, but it certainly applied in this case, because if the federal government did not apply rules across the entire country, information flows everywhere – in fact it flows south of the border in most cases – in Canada, so it was going to be inevitably crossing borders, which gives the federal government the inter-provincial aspect of it. But it made sense to put it under the trade and commerce power.
[FÉRDELINE] Was there a consensus that privacy was something that required a federal approach?
[PERRIN] I’m sure the constitutional scholars were wondering, when we came forward and did this – in Canada lots of things are still regulated provincially in a manner that well I sound like a federalist, but in a manner that makes it really expensive and inconvenient for industry. The insurance business, for instance, is provincially regulated. And Canadians are very mobile. They didn’t used to be, but they’re moving from province to province to province all the time, particularly young people seeking jobs. This makes this regulatory landscape very difficult and an added cost. So there is always pressure on the federal government to reduce cost. That was kind of the medley of things we were looking at. Of course, when you are bringing forward new legislation there’s a lot of things you have to think about, so it took a while.
[FÉRDELINE] It took a while. Why do you think that was?
[PERRIN] It was the first private sector legislation, apart from Quebec of course, and therefore you have to take baby steps and move forward. There was a lot of anxiety about the cost of this regulation, particularly given the North American market where our Canadian companies were competing against Americans who had no intention of bringing in data protection legislation. It was explicit. So, we had to be mindful of that. This had to be light touch to keep our Canadian companies competitive. Because there’s no question about it, if you’re doing data protection legislation properly, there are costs. There’s overhead. And at this time the government was also trying to get rid of a deficit and avoid new, massive expenditure. So my favourite oversight models were out of the question because they cost too much. We had to work with existing oversight, which in our case was the federal court that had a big backlog already, so we couldn’t put too big a burden on the federal court. We could not expand the size and powers of the privacy commissioner’s office too much. And the current privacy commissioner at the time did not want binding powers. So it is very difficult to force binding powers down the throat of a commissioner that says he doesn’t need it.
[FÉRDELINE] With the benefit of hindsight, was that a mistake?
[PERRIN] So there are a few things that I think – I wouldn’t say it’s hindsight, I don’t think we could have done better at the time, we wouldn’t have gotten the bill through. In fact, my legal counsel at the time, Heather Black, we used to say in our presentations, we could have developed a better law, but it wouldn’t have passed parliament. You have to work with the political climate that you have, of the day, and people were very leery of going too, too much further. It must be said that the European directive that was forcing legislation was also in its early days. The directive was a decided improvement as a harmonizing factor so to get the laws of Europe looking more like each other, because they were going, much like we were having to sort out our provinces, they had to get their laws harmonized or they would have the same kind of mess we could have in our provinces. With data havens here, different rules over there. So that was a preliminary step to harmonize and to impose on the sovereignty of the nation-states of Europe. And it must be said, there wasn’t a charter of rights underneath, underpinning the directive at the time. It was just a harmonizing, trade-focused instrument.
[FÉRDELINE] Can you walk us through the passage of the bill through Parliament and speak to the language of the bill, because some critics have labelled PIPEDA a messy, long, and difficult-to-understand statute.
[PERRIN] During the actual passage of the bill through Parliament, as often is the case with legislation, it was put together with the Electronic Documents Act, which is a very technical piece of legislation that brought our documents up to electronic standards based on some of the international work going on. That was a very dry and unrelated piece of work that was added to it. So, when you look at the bill, you have a schedule which is a set of management practices, some of them had to be tweaked a wee bit because they were too vague to be useful in a law and we had to take them back to the Canadian Standards Association to get the amendments approved. And then the provisions respecting oversight, which of course was not in the code, had to be worked up in the first part of the legislation, not the schedule. And the exemptions for things like disclosure of information to law enforcement had to be added. So it’s a very messy bill in those respects. There’s providing further amplification of something that was spelled out vaguely in the code. Never a good thing, and there’s pressure now to basically stop the standard and have a more harmonized, more traditional looking law.
[FÉRDELINE] What do you think about that, the idea of dropping the Standard altogether?
[PERRIN] Hanging on to the standard is useful, because internationally we still do not have a standard, a set of management practices. And transborder data flow is a huge problem that has not been solved. It was never solved at the OECD when the first guidelines on transborder data flows came through; there was to be further work that would actually consult and cross-consult on what you do in the data flows. There have obviously been successive laws coming out of Europe, blockages of data flow, administering that is difficult. And there has been cloud legislation, which is really just another name for data flow. We haven’t solved that problem. It’s a very difficult one because it impinges upon the sovereignty of states. And differing standards around the world. And the inability of constitutional protections to follow an individual around the world. So, these are big problems, and until we solve them it is my opinion that the Canadian standard is a useful contribution.
[FÉRDELINE] There is talk of reforming PIPEDA. Twenty years later, are there changes you’d like to see?
[PERRIN] I’m actually working right now on a paper discussing what kind of changes ought to be coming to PIPEDA, because the government has been suggesting that it might change the law, amalgamate, get rid of the standard. And I do believe that the standard still has utility because it can be cited in a quality management system. It provides a trade-neutral way to get around transborder data flow restrictions. It sets out a very clear set of management practices that would be required if you shipped data. And it also, one of the problems with contractual clauses where you have to agree to provisions, is who’s going to audit? The beauty of an ICO system is that a country overseas can hire ICO accredited auditors who meet international standards and you’re assured of a neutral audit, locally done. It’s not quite the same when you have a contract and you send in Party A’s auditors to check on what Party B is doing. This is a more internationally recognised system, and we’d like to see that go forward, at least those of us who worked on the standard, and that’s getting quite old now, that’s 1991 to 1996.
[FÉRDELINE] So you’d like to see those provisions remain.
[PERRIN] Until we solve all these problems with transborder data flow, there’s still plenty of room for this instrument. And ICO is continuing to work on these standards. Our vision originally was that there would be work on security management and the two would go hand in hand together and meet. It’s a long, slow process but that does seem to be happening. So you can meet the requirements of a security standard and a privacy standard.
[FÉRDELINE] You’ve obviously seen other privacy and data protection laws and regulations emerge around the world in the years since PIPEDA was drafted. Are there any best practices within PIPEDA that you’d like other jurisdictions to consider adopting?
[PERRIN] One of the innovations that Canada had, that we don’t often get credit for, is that we were one of the first countries to really put in place at the federal level a requirement to do privacy impact assessments and we had very good templates and documents instructing on how to do that. It was actually something that the former executive who was leading our drafting project – she moved to the Treasury Board of Canada and was working on moving government online, and was very well aware that as we moved our citizen services online we would need privacy impact assessment to make sure nothing stupid happened as we moved into electronic form. And these things were happening all the time. People were trying to save money and put records systems on the Internet and there were quite a few horror stories in the late 90s. I think this was a very innovative approach. It made it through Parliament in 2001, right after 9/11, and it’s been a really useful exercise because now every major government initiative has to have a privacy impact assessment, and those things are thoroughly worked on in the departments, then they go to the Privacy Commissioner’s office, the Privacy Commissioner gets a look-see into what’s going on with these things, and we always get a security risk assessment at the same time so you have a complete picture of what is going on. Complete – complete as one can do in a reasonable amount of time. But absent that, you have projects coming forward where things have not been properly assessed, so I think it is a very good exercise.
[FÉRDELINE] Within the European Union, the Article 29 Data Protection Working Party, now replaced by the European Data Protection Board, meets and adopts opinions to ensure the European law, the General Data Protection Regulation, is applied in a consistent manner. Does Canada have something similar?
[PERRIN] That kind of thing would be useful. We’re a few steps behind them in terms of evolution. In Canada the federal and provincial commissioners meet regularly and have a constructive arrangement. They do issue guidance; they do work together. It would be good to have that knocked up a notch so they were more like a body like the European body.
[FÉRDELINE] Was that something that was discussed when PIPEDA was being drafted? The Article 29 Working Party issued its first opinions back in 1997.
[PERRIN] It wasn’t clear when the original Article 29 Committee arose out of the Directive that that would work as well as it has. That they’d work collegially as a body and come up with common opinions. It’s not easy to get consensus on how to apply privacy legislation. But it’s worked remarkably well over the years. It’s provided a lot of guidance. And we see that further blossoming now in the European Data Protection Board because they now have power to determine who is going to adjudicate these complex complaints that flow across borders.
[FÉRDELINE] You said before and I wanted to follow up on that remark, “we could have developed a better law, but it wouldn’t have passed parliament.” What would that better law have looked like? What were the political considerations you were cognizant of?
[PERRIN] Well you’re bringing me back to the times when we were drafting. First of all, back in the ‘90s, privacy was not the big machine that it is today. We all make jokes about how we could have all met in a phone booth. So pretty much everyone in Canada knew each other. And we’d all been working on the code. So it was not too surprising to see legislation come that was based on the code. I personally thought it was excellent work. I had turned down other job opportunities to keep working on this. I thought it was a meaningful contribution and I still think it was a meaningful contribution. One of the things that happens in bureaucracies nowadays is people tend to move around every couple of years. And I don’t see how, honestly, we could have easily got this through if someone hadn’t stayed there and kept the corporate memory going. Because these things are complex projects and you only have a limited runway to get something through a parliament. I know my colleagues in the United States have a very difficult time getting items through Congress. It’s even more fractious and difficult. You see odd pieces of legislation being tacked on to budget bills. Well that happens to a certain extent in Canada as well, it’s hard to get particularly new and innovative legislation through, and you wind up dropping things off just to get something through. So I think we were very proud of getting that bill through, of trying to harmonize across the country. There was a lot of pressure on us. From Quebec. Because there was a feeling that we were intruding into provincial space. So that was uncomfortable. I had to go present this, particularly the use of the Trade and Commerce Power, to different officials at the provincial level. Fortunately for us, British Columbia and Alberta got together right away and drafted legislation that basically met our adequacy standard, substantially similar standard, and they then had their own laws that we were looking for.
So that was leadership at the provincial level that was helpful and constructive. In Canada there’s a lot of griping that goes on over federal and provincial powers, turf protection. As a bureaucrat, you have to learn to work with that. So there’s always pressure. But there was support from consumer organizations. Of course they were critical that we didn’t go far enough. That we didn’t include enough human rights-based grounding.
[FÉRDELINE] Was that a fair critique?
[PERRIN] I think on the whole there was appreciation that we got it through. And remember, we’re Canada, we’re the mouse and the elephant, and the elephant below us did not bring in data protection legislation. So there’s a certain amount of pride that we actually did. We got it through and we were more like Europe in terms of protecting human rights.
[FÉRDELINE] Can you expand a bit on that, was there political opposition to PIPEDA coming from the United States?
[PERRIN] In terms of opposition expressed by the United States, the leaders in the political establishment in the United States were proceeding forward without regulating. They were very pro no-regulation. Our minister made numerous statements saying we were taking a different route, and I certainly was in regular discussions with my discussions at the NTIA, the National Telecommunications Agency that is an arm of the Department of Commerce, so I did hear a fair bit of pushback from the United States official at a non-official level. ‘Why are you doing this?’ ha ha. I think there’s a recognition though, years later, that a light-touch approach might have helped solve a lot of problems. I think the chances of legislation getting through in the United States right now are not great. One wonders when it will happen. But the number of issues that are stacking up that indicate regulation is perhaps the only way to deal with personal information – that’s getting to be a huge pile, there’s getting to be huge fines, and the major players are being hit and tarnished with data breaches.
[FÉRDELINE] Was there domestic political opposition, not coming from the provinces I mean, but from political parties or other actors lobbying against your work?
[PERRIN] PIPEDA was introduced in 1998, passed the Senate in 2000, we had a bit of a slowdown because the healthcare industry did not anticipate being regulated, I think, at the federal level, because health is a provincial matter, and they had not been interested in joining the CSA code. We attempted to get them to join. The Hospital Association, for instance. And they weren’t interested. So unfortunately when they realized that a lot of things, even in a publicly-funded healthcare program are outsourced to private sector firms, blood services for instance, testing, even running the kitchens and things in a publicly-run hospital, they were hit by the fact that they engaged in commercial activity. Sure, healthcare is a human service, but if it’s done through companies it’s commercial activity. So that made their lives quite complex and they had to catch up quite quickly. There was a slowdown in the passage of the bill. We had to make some concessions in the bringing into force of the legislation, but basically, we were trying to encourage provincial action before the full brunt of the law came into force. So, that phased approach meant we really weren’t sure of how well it would succeed until the end of that five-year period.
[FÉRDELINE] Interesting. Twenty years later, though, what’s your verdict?
[PERRIN] The proof of the pudding is in the eating. The question is, ‘Were people changing their practices?’ ‘Did organizations actually bring in management practices?’ ‘Was there effective consumer education?’ ‘Were the transparency notices getting better?’ And I would say there’s lots of room, even 20 years later, for improvements there. Many companies still don’t realize they’re covered by privacy legislation. They may find out the hard way or, you know, we put an audit power into the legislation because during the research period I consulted with data commissioners and asked what their most effective powers were, and the Dutch data commissioner at the time was Peter Hustinx and he told us that that was his most effective power. The ability to audit, to phone up and ask a few questions and say ‘gee, those weren’t the right answers.’ And go in and help an organization realize that they had to go in and put in some management practices. There are different ways of going about and tackling the problem of getting some implementation in. The British law, for years, had required registration of databases. We thought that was a bit clunky given the Internet and the info society that we were staring at. I often look back and think, maybe that would have been a good idea because a lot of things slip under the radar if you don’t have to register. But, as I said earlier, we were trying to cut administrative burden and there’s always this push to cut paper burden. So registration was a huge paper burden. But it also brought revenue in to the data commissioner’s office. And revenue is always good when you’re a data commissioner because these are expensive functions.
[FÉRDELINE] The challenges that data commissioners face today, are they ones you predicted when PIPEDA was drafted?
[PERRIN] One of the things that really hasn’t changed, it’s just gotten more and more intense, and it was well foreseen by early technology writers. People like Willis Ware wrote about what they foresaw in the Internet, and it rewards reading. These things were written in the ‘60s and ‘70s. We didn’t actually have an Internet that we could see would turn into what it is today.
[FÉRDELINE] What concerns keep you up at night?
[PERRIN] I am deeply concerned about the interconnection of technologies in what we would call the Internet of Things. The smart cities. And the use of artificial intelligence to manipulate those environments. It is not exactly clear, nor is it universal, the concepts of where people have a constitutional right of privacy or right to be let alone. We are kind of breaking down those walls where if you decide to live in a smart city, you consent to monitoring of who comes in the door. Smart elevators that figure out where you’re going. Doorbells that look at you and have a continuous scan. We used to worry about video surveillance. Now it’s ubiquitous surveillance, not video, it’s electronic surveillance of all kinds. And the integration of facial recognition systems, or other human recognition systems, into these things. We have proven years ago that anonymization is next to impossible in these situations. But that doesn’t stop the, progress in quotations, towards these goals. Now the first documents I was reading on smart cities were back in the ‘80s. And there were trials going on. And we raised alarms. But none of those alarms have typically been heeded. So that’s what I’m focused on now.
[FÉRDELINE] What influenced your decision to focus on that?
[PERRIN] Oscar Gandy is one of my favourite scholars. He looked at algorithms and risk discrimination. He was a black studies scholar as well, he spent much of his career looking at redlining and how companies and the systems avoided the anti-segregation legislation that protected blacks in the United States. And so, his book, Coming to Terms with Chance, came out several years ago now, more or less gives up on data protection as being able to solve this problem. He had suggested we had needed something like the Environmental Protection Agency to look at these systems. I think it’s an interesting concept. I think we have to look at these systems in terms of constitutional rights and ethics and the autonomy of the individual. Different cultures have different concepts of how autonomous a citizen can be. And it is their sovereign right as to where to put that balance. But that doesn’t mean that we have to consume the products that don’t recognize the autonomy of the individual. That’s a very difficult problem because we’ve made so little progress in my view on getting the universal declaration of human rights addressed by all countries. We still have countries with the death penalty, for instance. So the speed of technological advancement is overtaking our ability to bring in human protection mechanisms. So I’m particularly worried about the use of facial recognition systems to produce population databases in developing countries. That’s a problem. It is true that you need a population database, but if it’s done electronically, you’re building a wonderful surveillance system. And you’re also basing it on biological factors that will enable you to do discrimination automatically. History shows that happens over and over and over again. So we need extra controls to protect against that kind of disaster. 
And given climate change, given what’s happening in the world, the refugee situation where we have more refugees today than we had after the Second World War, we have a crisis on our hands and it’s very difficult to get attention drawn to that crisis. So what’s the biggest threat? Well that we are blindly bringing these in to build fancy, rich smart cities but they’re going to be used for the kind of extermination that mankind has often indulged in. Just a tiny one. Just a wee one, ha ha.
[FÉRDELINE] One last question before we wrap up. You have a long career. You have been awarded so many prizes, from the Electronic Frontier Foundation’s Pioneer Award through to the Electronic Privacy Information Center's Lifetime Achievement Award. What do you consider to be your most significant professional achievement?
[PERRIN] I think the fact that I have stuck at it for so many years, and I saw this thing through to completion, is a contribution. There are many wrinkles in PIPEDA, I wouldn’t say it’s perfect by any means. I do think the Standard was an achievement. Getting consensus in that group of basically warring industry players and consumers was a very interesting exercise and I think that’s a personal achievement that I’m very proud of. I pushed and pushed, but still managed to get the respect of the players there and to get them to work together.
[FÉRDELINE] Stephanie Perrin, thank you.
[CLOSE] This has been POWER PLAYS, the podcast that takes you inside the rooms and into the minds of the decision makers behind some of the most instrumental decisions that help shape the Internet which we all use today. If you’d like to help us spread the word, please give us a five-star review and tell your friends to subscribe. We’re available on every major listening app, as well as at POWERPLAYS.XYZ.