A Deeper Look Into The Personal Information Protection and Electronic Documents Act (PIPEDA)
The 21st century has seen an enormous rise when it comes to technological innovations and the emergence of social media platforms. The rise of such platforms has resulted in a radical transformation of our global culture, economy, and norms. The online world, although filled with numerous beneficial resources, has also sparked a spotlight onto the question of privacy; and whether that is still something that we possess? The urgency of this has been further intensified as the rise of Covid-19 has pushed us all to be dependent upon online means of communication and entertainment. Furthermore, the spotlight continues to question whether government policies are adapting fast enough to meet the needs of the community. This article will look towards Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and comment on how it is failing the needs of protecting children’s privacy and from the dangers of online marketers. Are our government’s policies effective enough to protect children’s privacy?
PIPEDA was originally published in 2000, as a means to tackle the growing concerns of privacy and regulation when it comes to the collection of data from commercial businesses. This article will look at the reports published by the Canadian parliament in 2013 and 2018 and examine insights into how PIPEDA has been morphed to adapt to the context of the online world, and what the government response has been. In addition, this article will also analyze the published reports outlining the concern for children’s privacy, as a tool to compare the communal urgency and government response to the problem. Although it is clear that since its creation, the context in which PIPEDA was used has changed, it is important to note the similarities that have remained consistent in the views of government from the reports published five years apart. The reports show a clear rise in the concerns of citizens and the emphasis on online privacy, while also focusing on themes of accountability, meaningful consent, and rights to revocation. To begin, the research from There Ought To Be Law: Protecting Children’s Online Privacy In The 21st Century by the Working Group of Canadian Privacy Commissioners and Child Youth Advocates closely examines children’s privacy and explore why it is worth prioritizing. Privacy is particularly important in the context of those under 18 years of age as it allows them to have control over what aspects of them are made available to the public, and by result, public opinion, and judgement. The side-effects of such dangers can also manifest themselves in development struggles and in creating trouble forming meaningful relationships with others. The online world for children is a reflection of what they see on the playground. They view it as an open space where they can play, socialize and participate in friendly games. Online activities and games are thus used as mechanisms to lure children into divulging personal information by using surveys, personal question prompts, etc. Which in turn is used for purposes unknown to the children or their parents. It is common practice within such contexts for the data that is collected to be utilized for increasing personalized ads, immersive marketing mechanisms and to study behavioural patterns of children.
Consequently “the result is a form of social sorting whereby large corporations have too great an influence over the play spaces of children and youth” (2009, 7). This allows corporations to have immense power to maneuver their marketing strategies in a way that’s immersive to the online format, thus resulting in children becoming loyal consumers from a young age and solidifying their identity as being tied to the product that is being sold to them via games and other online mechanisms. Data collected through such activities becomes an incredible violation of privacy as it is often extracted without the children’s knowledge and understanding. Although the potential of what is accessible via internet has been profound, its ability to be used on portable devices presents newfound risks and opportunities for misconduct that would easily go unnoticed. The invasion of privacy extends towards the reproduction of false information or information that is collected without consent (or once consent has been revoked). The danger lies in the fact that “what is posted online essentially becomes a permanent, irretrievable public record that can have far-reaching consequences beyond what was intended when originally posted” (2009, 12). Children specifically can fall victim to this trap as they do not recognize nor understand the depth of the permanency of what is posted online. The lines of responsibility increasingly become intertwined as it is no longer possible for the parents or school systems to monitor privacy protection but pressure must be put towards the government on safeguarding the information of minors and ensuring policies are put in place to regulate how personal information and identifiable data is used. It has been recognised by various organizations that the current privacy legislation in Canada, “the Personal Information Protection and Electronic Documents Act (PIPEDA) has been ineffective in dealing with the problem of protecting children’s online privacy… It is a content-based model of protection that does not look at the relative maturity of age or age of the person offering consent, nor are the standards for ensuring the consent is informed sufficient. To put it simply, children are not differentiated from adults when considering their privacy rights” (2009, 17). Although it is true that the critiques of PIPEDA contain merit, the Act is subject to mandatory legislative review on a regular basis. Hence why, the two reports overviewing the document by the parliamentary committee in 2013 and 2018 are critical reflections on how the state is approaching this dilemma. The concerns outlined within the reports showcase weather improvements have been made, and if so, how have the changes impacted the policy surrounding personal information and online protection.
The report on Privacy and Social Media In The Age of Big Data by Dusseault aim’s to study the efforts and measures taken by social media companies to protect the privacy and personal information of Canadians. There was no specific mention of children as a separate category of study. In the report, the committee acknowledges and is cognizant of the rising privacy concerns among the nation as many witnesses spoke out in relation to not having substantive policies put in place to protect them. Evidence was also brought forward on how the access to personally identifiable data has changed since the creation of PIPEDA, making it a crucial concern for the issue of privacy. This problem is further perpetuated as “individuals give their personal information willingly on social media sites but may not fully understand the way their information is used, or the associated privacy risks” (Dusseault 2013, 3). Additionally, the dangers of how such data can “determine the information you get, the ads you get… means that your experience on the internet and the world of knowledge that the internet represents [is] limited. It is based on what may be true or false or a partly true profile that algorithms are determining for you” (2013, 10). While research can be found to expand on such dangers and its relation to radicalization, polarization and violence, there was again little found within the report on how such data extraction, targeted advertisements and curated online design can cause serious harmful effects for children. In addition, social media companies as well as other private organizations would need more incentive than just goodwill to promote the protection of privacy and personal information of individuals, especially when that data collected can be used to better build their product and generate revenue through means of targeted add placements and so on. The way in which social media companies work has drastically changed from when PIPEDA was formed, thus making it a substantive part of how Canadians interact within the social, political, and cultural spheres.
Similarly, the report published in 2018 titled Towards Privacy by Design, echoed the same issues of meaningful consent, the lack of respect for privacy and in acknowledging the significant complexity that online interactions now possess as a result of the everchanging and increasing reliance on technology. It called to question the current model of privacy protection as “sharing personal information is based primarily on the principle that users trade their personal information for services… However, this dynamic relies on meaningful consent, which in turn requires at least a nominal understanding by the contracting party of what they’re signing on to” (Zimmer 2018, 14). It is again noticeable here that the report has been unable to distinguish the difference of understanding in relation to consent for children and adults. A distinction that can be critical when designing and relying on policies that are meant to protect citizens privacy. Since PIPEDA is essentially the only legislative framework that deals with online privacy, it is alarming to see a large demographic be left out of the policy with no mechanisms to protect themselves, especially when they fall victims to a deliberate attempt of data extraction and direct marketing techniques. Likewise, both reports have been unable to provide specific policy or action-steps that relate to the protection of children’s privacy, two critical questions arise: Why has PIPEDA been unable to create a section that specifically deals with the protection of children’s privacy online? Why have the recommended steps been unable to be implemented on given the lack of change in concerns between the two reports? A deeper look into these questions is required to understand the framework that best allows us to study this issue further.
The case of PIPEDA and its (in)ability to protect children’s privacy is examined from the lens of historical and sociological institutionalism. I will begin by explaining the significance of both approaches separately and then discuss its relation to the case of analyzing PIPEDA.
Historical institutionalism fits well within this case study as it has the ability to expand on path dependency, and its constraints upon amending or initiating innovative change. Historical institutionalists hold the believe that “the system structures collective behaviour and thus shapes external events” (Nicholas 1998, 477). When using this framework to analyze the issue of privacy and privacy policies for children, it is evident that the late response on government action is not because the concern of children’s privacy does not exist, but instead because it has yet to be legitimized by the institutional hierarchy. Within historical institutionalism, the emphasis lies on the “historical path taken by an institution in its creation and development. There are three claims made of a purported critical juncture: that significant change took place, that the change took place in a distinctive way, and that the change produced a legacy” (Nicholas 1998, 478). The legacy is an important factor of consideration as it influences what the new conditions will be, and what might the range of choices look like. Since “historical developments are path dependent, once certain choices are made, they constrain future possibilities. The range of options available to policymakers at any given point in time is a function of institutional capabilities that were put in place at some earlier period, possibly in response to very different environmental pressures” (1998, 478). Whereas PIPEDA clearly exemplified the inability of radical change to be made despite the consistency of concerns given the two reports from five-years apart. Has there been resistance to change because a significant enough case of breach of privacy hasn’t been reported, or because the issue itself is not largely understood by those within the policy world? “Historical institutionalists emphasize the role of power, competition, and coalitions in analyzing how an institution operates… [It] seeks to locate institutions in a causal chain that accommodates a role for other factors, notably socioeconomic development and the diffusion of ideas” (1998, 479). This is again compared to the insights within the parliamentary report of 2013 where the members of parliament who were in favour of keeping PIPEDA unchanged came from business, private sector and other industry associations. These members argued that PIPEDA was good at meeting the demands of industry while protecting privacy rights and facilitating self-regulation. It can be noted that these concerns might be perceived as more legitimate than the risks of privacy invasion of children as it is better understood within the historical institutionalist approach and has been previously legitimized within other legislative frameworks.
Additionally, sociological institutionalism is another framework that must be examined for its relevancy within this case study. “The underlying question for sociological institutionalists asks not what utilities caused an institution to be created, but what cultural factors led to its creation” (Nicholas 1998, 483). Political, institutional, and cultural influences are all thought to be important in explaining this approach. Institutions within the sociological institutional framework “include not only formal and informal rules and procedures, but also symbols, cognitions, norms, and any other templates that organize or give meaning to the human condition. This definition explicitly blurs the distinctions between culture and institutions; in fact, under such a definition, culture itself may be an institution” (Nicholas 1998, 483). The main difference within sociological institutionalism from historical is that it embraces a cultural approach to the “relationship between institutions and individual behaviour” (Nicholas 1998, 484). In the case of PIPEDA it is evident the influence of the time from when it was created, and the stark difference in how culture has changed, rendering the policies of PIPEDA to be ineffective in meeting the needs of individuals. The way in which data was collected in 2000 (the year PIPEDA was formed) and how it is used now has changed drastically. It is no longer possible to rely solely on organizations good conscience and public knowledge to protect those especially vulnerable to the dangers of the modern online world. Children are easy targets and perfect consumers that do not possess enough knowledge or expertise to differentiate between what information is personally identifiable and how that information will be used, thereby creating a risk of online harassment, invasion of privacy and exposure to dangerous online content. Additionally, since most of what is done online is unable to be completely removed, this creates risks for children and the concept of revocation of consent. Thus, the historical institutionalism approach analyzes decisions and contexts of the past as a tool for searching for answers, while sociological institutionalism focuses on the factors that are external and more contemporary to provide an explanation for the way things are the way they are. This is precisely why the two approaches are important and chosen to analyse this case study as with legislative frameworks, both approaches offer insight into the patterns and resistance of amendment and legitimacy that arise when studying the effectiveness of PIPEDA. Although both reports contain similarities in relation to concern for the issue of privacy and a lack of focus towards children specifically, it is good to note that the 2018 report used a different tone of language when highlighting the concerns. From a sociological institutional perspective, this can help us see that the legitimacy or urgency regarding online privacy has indeed increased, but not enough where it possesses the capacity to influence policy.
A case study analysis is used to further explore PIPEDA, while also relying on the use of qualitative analysis to better understand policy context. Reports released from the Parliament of Canada have been the main source of gathering information into how PIPEDA is viewed by the committee of Access to Information, Privacy and Ethics. Reports released by the committee in the years of 2013 and 2018 have been looked at as both provide key information into what the top concerns and recommended action steps were, given the five-year time difference between the two reports. The data and insights found in the reports was then compared to gauge what elements remained similar, what changed, how the language was similar/different and weather the action steps outlined in 2013 were able to come to fruition by 2018. In the reports it was found that although the level of concern slightly rose within the five years, no key improvements were made as outlined by the committee in 2013. The report published in 2018 built upon the same concerns and action steps that were previously outlined and touched upon the authority of the Privacy Commissioner. In comparison to various countries (as seen within the report of 2013) that also possess a legislative framework for tackling online privacy, Canada is the only one that has constrained the potential power of the Privacy Commissioner. While countries like England, Ireland or the United States possess the ability to give fines or other means of financial penalties should an organization or company violate their legal policies, in accordance with the Personal Information Protection and Electronic Documents Act the commissioner can only begin an investigation and launch a report that can go towards the federal court. No financial penalties can be executed through the Privacy Commissioner. This is an insightful detail that can help us understand the culture surrounding PIPEDA and how it is operated when organizations are in violation of it. A few key examples from the reports provide information into how penalties are more effective, which invites room for another question: Why has Canada not introduced stricter measures to encourage compliance with PIPEDA and protect children’s privacy? Is it because there has never been a violation or simply because making an amendment is too large a task within the bureaucratic machinery? This is explored further within the next section.
Results + Discussion
A look into the reports published by the Parliament of Canada has allowed us to explore how PIPEDA is enacted from members of various interests. With the reshaping of society in the modern world, online platforms and media outlets have created a culture that is able to instantly match consumer interest with the specific product without the individual even recognizing it. This is made possible by the data personalization models used to better predict consumer behaviours. The dangers of data personalization explored in PIPEDA remains to be the main framework protecting citizens online privacy, and through this case study it has been found to be ineffective in doing so. On the topic of children, it has been especially inefficient as there is a lack of differentiation and responsibilities assigned to organizations building a young consumer base. The reports released by the Parliament of Canada have supported the viewpoint that growing concerns of privacy are of priority and great complexity, however the government has been unable to act upon the recommendations and build a sustainable framework for solutions. This has been proved by the lack of progress done as witnessed in findings from the reports in 2013 and 2018. The barriers towards change can range from bureaucratic machinery, lack of understanding, complex path dependencies or to put it quite simply, ignorance. To wait for a drastic example of privacy violation to appear, especially within the case of children, is not an actionable step towards policy innovation and change. The government possesses the ability to create public-private partnerships that could aid in mutual understanding and delegation of responsibilities within the state and private organizations, which in turn would facilitate conversations to reach a mutual understanding of meaningful consent and enforce efficient policy frameworks. Furthermore, creating avenues and spaces for children to learn about the dangers of online platforms is crucial as their sense of understanding has been given little attention within PIPEDA and by many private organizations who are determined to use the data for private gain.
Throughout this article I have discussed the challenges and concerns surrounding children’s privacy and have sought to discover if PIPEDA is indeed an effective tool to combat such concerns. Although the answer to this has been painfully clear by the literature reviewed, there also exists an additional reason for caution that has stemmed from the findings within this paper. Granting all that is mentioned above, PIPEDA is treated as the main legislative document upholding a standard for organizations to adhere to, there is little power given to the privacy commissioner to hold organizations to account. In a report published by the Office of the Privacy Commissioner in 2013, the limits and enforcement powers of the commissioner are clearly stated as shown below:
“Under the Act, the Privacy Commissioner of Canada is an ‘administrative investigator’, with a range of powers, including the ability to initiate her own investigations and audits (with reasonable grounds), and the power to compel evidence and enter premises when conducting investigations. The Commissioner may seek resolution through negotiation, persuasion and mediation. While the Commissioner may encourage compliance by naming respondent organizations when it is deemed in the public interest, she herself has no direct enforcement powers. The Commissioner can only, in certain circumstances, apply to the Federal Court to have the Court hear certain matters raised in complaints to her Office; order the respondent to take action to correct its practices, or award damages to the complainant” (2013, 5).
This brings to attention not only the issue of children’s privacy, but of building trust in the fact that PIPEDA maintains enough control to establish external accountability. I implore the reader to reflect on how better incentives can be found to ensure that private organizations and governments are able to cooperate for the sake of citizens protection of data, while also emphasizing on the need to build tools that educate and aid children as well. Apart from public-private partnerships, the theories surrounding bureaucratic governance have also been explored. Historical and sociological institutionalism have given insight into the barriers of amendment PIPEDA possesses as the issues we see today have not existed nor have been prioritized until now. The lack of understanding and exposure for people in policy to the dangers of children’s privacy invasion can be seen as a strong force that disables concrete work to be done. When reflecting upon this issue, it becomes critical to ask ourselves and our government why policies exist in the first place? If the job of PIPEDA is to protect citizens online privacy, is it not long overdue that we amend it and enforce measures that do exactly what it has been designed to do? With the change of accessibility and incentives for data collection, privacy is a central theme that remains to be undervalued. The discussion around this theme should continue to explore different avenues that ensure that organizations have creative freedom while also respecting the boundaries of citizens and prioritizing the protection of children.
Maham Kaleem is an Elections Strategist for an environmental organization and has previously worked within the Parliament of Canada on developing policy surrounding youth empowerment and civic engagement. Maham is currently researching ways the post-pandemic recovery can include sustainable solutions while highlighting the BIPOC perspective.
Dusseault, Pierre-Luc. Privacy and Social Media in the Age of Big Data Report of the Standing Committee on Access to Information, Privacy and Ethics [Corr. ed.]. Ottawa, Ont: House of Commons Canada = Chambre des communes Canada, 2013.
Nichols, Philip M. "Forgotten Linkages--Historical Institutionalism and Sociological Institutionalism and Analysis of the World Trade Organization." U. Pa. J. Int'l Econ. L. 19 (1998): 461.
The Case for Reforming the Personal Information Protection and Electronic Documents Act. Ottawa: Office of the Privacy Commissioner of Canada, 2013.
There Ought to Be a Law: Protecting Children’s Online Privacy in the 21st Century. Commission des droits de la personne et des droits de la jeunesse, 2009.
Zimmer, Bob. Towards Privacy by Design : Review of the Personal Information Protection and Electronic Documents Act : Report of the Standing Committee on Access to Information, Privacy and Ethics Ottawa: Standing Committee on Access to Information, Privacy and Ethics, 2018.