It is no secret that Canada’s data protection laws are lagging badly behind both the technological challenges to data protection and emerging international standards. Canada, in fact, faces an “adequacy” assessment in the near future to determine if its data protection laws meet the standard set by the European Union’s General Data Protection Regulation (GDPR).
Bill C-11 – and the recently launched consultation on reforming the federal Privacy Act – are both aimed at meeting the new technological challenges and international pressure on Canada to up its personal data protection game.
Bill C-11 proposes the creation of a new Consumer Privacy Protection Act and a Personal Information and Data Protection Tribunal Act to replace the 20-year-old Personal Information Protection and Electronic Documents Act (PIPEDA). The bill describes itself as implementing the federal government’s Digital Charter, a set of principles designed to guide federal digital and data policy.
The first thing to note about Bill C-11 is that it transforms the awkward, cobbled-together drafting of PIPEDA into a much better organized and smartly drafted legislative text. Not only does this improve the general accessibility of the law, it marks a level of maturity for data protection in Canada. PIPEDA was a set of legal rules grafted onto the Canadian Standards Association Model Code for the Protection of Personal Information. Legislation to protect personal data collected by the private sector was a hard sell in 2000, when it was introduced largely to help build consumer confidence around new online commerce. The adoption of the Model Code as the normative heart of the law was a compromise, as was the soft-touch oversight and enforcement model in which the privacy commissioner lacks order-making power.
Times have changed. Data protection legislation is becoming a global reality. In a data economy and society, organizations seek to access, use and share more and more personal information, while individuals struggle to understand, let alone control, how the rampant collection and use of their personal information will impact them.
Massive data security breaches are becoming routine, and the misuse of personal data to manipulate and control individuals has created serious challenges at a personal and societal level. The growing use of artificial intelligence (AI) in profiling, facial recognition technologies, and in automated decision-making is also raising questions about the rights of individuals to know how their personal information is being used, to understand how it impacts them, and to have recourse against abuse.
There are many new provisions in Bill C-11 that aim to tackle these challenges. The bill will require organizations to provide upfront a “general account” of their use of “any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” (s. 62(1)(c)) The individual right of access to one’s personal information will also include a right to an explanation of any prediction, recommendation or decision made using an automated decision system. (s. 63(3)) There is also a kind of “right to erasure” – the right of individuals to ask organizations to delete the personal information they hold about them.
Bill C-11 also enables the creation of frameworks for “data portability” stemming from a new right expressed in the GDPR. As part of the rights of individuals to control their personal data, the idea is that they can “port” their data from one service provider to another. In practice, this is more complicated than it looks. The Canadian approach in C-11 is to enable data portability between companies in a particular sector or industry. Once data standards, safeguards and appropriate infrastructure are in place, individuals will be able to port data from one provider to another within the secure framework. Expect open banking (or consumer-directed finance) to be Canada’s first experiment in this area.
The bill also seeks to address the expressed need of private sector organizations to make better use of their data. It contains a number of new exceptions to the requirements for individual knowledge or consent in relation to “business activities.” Some of these are fairly straightforward and relate to using the information necessary to provide a product or service requested by the individual, or to address internal security needs.
More controversially, the exception includes “an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.” (s. 18(2)(e)) There is considerable uncertainty as to what this might include. Although there are overarching limitations based on the expectations of a “reasonable person” in the circumstances, and a bar on uses to manipulate or influence individuals, the potential scope of this provision is unsettling.
Organizations will also be allowed to outsource personal information for processing to a third party without knowledge or consent (s. 19) – for example, using an external customer service call centre – although there is some obligation to provide information about interprovincial or international transfers of data “that may have reasonably foreseeable privacy implications.” (s. 62(2)(d))
Another interesting exception will allow organizations to first de-identify (anonymize) personal information in their possession without the individual’s knowledge or consent, and then to use that information for internal research and development purposes. These provisions may prove more challenging to apply than anticipated, since it is not clear how such data could meet the definition of de-identified information if the organization also retains the data in identifiable form.
De-identified data can also be disclosed by an organization without knowledge or consent where it is for a “socially beneficial purpose,” which is a purpose “related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.” (s. 39).
Critics of the bill will be quick to identify the number of places where regulations can be used to – potentially dramatically – alter the balance struck in the legislation between privacy rights on the one hand and business interests on the other. Regulations are made by cabinet and offer a more expedient means of changing the law – although it is less public and less open to bi-partisan debate. Rights to collect, use and disclose “publicly available information” without consent remain, as they are in PIPEDA, subject to regulations. The difference is that the stakes have changed. Many organizations want to be able to harvest social media data without restraint on the basis that it is “publicly available.” Although the current regulations do not permit this, that can change with relative ease. Regulations can also expand the “business activities” for which knowledge and consent are not required.
The expanded compliance and enforcement powers under the bill are also noteworthy. There is new space for the development of codes of practice and certification programs to improve compliance. Critics of PIPEDA had bemoaned its soft-touch enforcement model, which left the commissioner with relatively little in the way of authority to require organizations to comply with the law. New order-making powers and a new data tribunal that will be able to impose substantial fines for the breach of certain obligations are both welcome, although the Data Tribunal has raised some eyebrows. There are concerns it may add time and complexity to processes, and its impact will very much depend upon its composition. There is also a private right of action for individuals who have exhausted all recourse under the proposed Consumer Privacy Protection Act.
This long-awaited bill is more than just an update of PIPEDA; it is a reset – and a very interesting one. There is much to study, and there will no doubt be stakeholder disagreement over the scope and wording of a number of provisions. But this is a major and credible attempt to bring Canadian private sector data protection into step with the digital and data society.