Below are my comments on the Ontario White Paper on the modernization of Ontario’s privacy law. Overall, I am impressed with this white paper, and the reasoning behind it. I am pleased that the Ontario government seems intent on correcting some of the flaws in the current version of the federal legislation (Bill C-11). I have offered my own critique of C-11, in which I express some skepticism about whether it is consistent with the adequacy threshold imposed by the EU for personal data transfers.
I first offer some comments on the global influence of European data protection rules. I will then address some of the specific questions in the paper. I do not go through each systematically. I instead focus on those in which I have a particular interest and/or expertise, as well as those to which there will undoubtedly be pushback from business interests.
The EU General Data Protection Regulation (GDPR) and why it matters for Ontario
The GDPR is the EU-wide set of rules that came into force in 2018 designed to update privacy rules and make them generally compatible with the contemporary digital economy. It is not the only international framework. I have contended elsewhere that the Council of Europe’s Convention 108+ offers a more flexible, and exportable, set of standards and Canada should seriously consider accession. Nevertheless, as Graham Greenleaf has argued, as the regulatory framework that applies to the world’s largest single trading bloc, its global influence is extensive. Many commentators from all sectors regard it as the “gold standard” for international privacy protection. It has an influence in Canada and Ontario in a number of ways:
- Through the insistence that European fundamental rights to data protection do not stop at the borders of the EU, personal data on Europeans has to be protected wherever it is processed. For 20 years, Canada has enjoyed the status as a jurisdiction that offers an “adequate level of protection” for data imported from the EU. This is significant. It means that businesses do not then have to negotiate separate contractual arrangements if they want to process personal data on Europeans in Canada. Recently the standard has been strengthened, as the European Court of Justice has insisted that personal data should only flow outside of the EU to countries whose laws display an “essential equivalence” to the GDPR. This means that the law must contain the “core” information privacy principles, but there must also be effective procedural and enforcement mechanisms: an independent supervisory authority, a good level of compliance, accountability mechanisms, and appropriate redress mechanisms for the individual.
- The GDPR applies to the processing of personal data about individuals in the EU, regardless of where those data are processed. Thus, if an Ontario business offers goods and services to individuals in the EU through their website or app, it applies. If the business uses cookies on its website or mobile app to capture the IP address of a customer in Europe, it applies. If an Ontario service provider processes data on individuals on behalf of European business clients, the GDPR applies. If an Ontario business in any way monitors the behavior of individuals in the EU, the GDPR applies.
- Even where a Canadian company does not have clients or customers in the EU, the GDPR could still have “downstream” effects through the repetition of GDPR standards in contracts throughout the data supply chain. This “ripple effect” has been described by Greenleaf as “GDPR-creep.”
- The GDPR has had a significant influence on our trading partners. It has served as the model for new privacy laws in countries such as S. Korea, Japan, and Brazil. Unlike in 2004, when PIPA was passed, data protection standards are not just being driven by the EU. The more countries that belong to the data protection “club” the greater the pressure on those without laws to join. And some of those countries, which have been granted adequacy status, are also passing provisions stipulating that personal data should not flow out of their countries unless the receiving jurisdiction has equivalent protections. For instance, the new Japanese data protection law establishes a “white list” of countries. Data protection is not just about flows of personal data from Europe to Canada, therefore, but implicates our trading relationships with other economies, including those in the Asia-Pacific.
- As a result of the recognition of the global influence of the GDPR, some companies have striven for one harmonized global policy based on that standard. Examples include Microsoft, Google, Apple, Shopify and many others. The power of the major platforms and cloud-service providers is motivating a general, if incomplete, process of “trading-up” to the GDPR privacy standard.
- Companies that do business in Europe must ensure that they apply GDPR standards to data transferred out of Europe. This means that some companies have to distinguish between the rights afforded to Europeans and those of Canadians. For instance, the GDPR guarantees citizens the right to port their data from one organization to another. The Royal Bank of Canada explicitly guarantees residents and citizens of the UK or Europe rights of “portability or removal of the personal data that we process about you at any time…” And Air Canada’s privacy policy contains a separate section on the rights of members of the European Economic Area (EEA), the UK and Switzerland. Specifically, some of Air Canada’s data analytics and sharing practices do not apply to these citizens, unless they “separately consent to them.” These illustrations indicate that some companies offer one set of rights for Europeans, and another for Canadians.
- Other Canadian companies are owned by European multi-nationals. An example is the Fairmont hotel chain owned by the French Accor Group. Accor has instituted a Customer Personal Data Protection Charter, based on ten privacy principles for protecting your personal data in accordance with applicable regulations and in particular the GDPR.
Thus, through both legislative reform efforts in different parts of the world, as well as through the global market effects, the GDPR’s influence has become widespread. Its provisions cannot be ignored in Canada, or in Ontario. Therefore, Ontario’s new privacy protection framework needs to be in alignment with the GDPR to strengthen the rights of Ontario citizens. But it also needs to be aligned to assist the Canadian commercial sector. Privacy rules need to be interoperable.
The Scope of the Bill and the Inclusion of Provincial Political Parties
The government proposes (p. 3) to extend the scope of this bill to non-commercial organizations, including charities, unions, associations and other non-profits. This is entirely appropriate given the scope of personal data processing within these sectors. Moreover, it is increasingly difficult to ascertain where one sector begins and another ends. The BC Personal Information Act applies to every “organization” (with some exceptions). The Ontario law should be similarly broad in scope.
And that means that, as in BC, the law should cover the activities of provincial political parties. It is totally indefensible that political parties have been exempted from Canada’s privacy protection rules, as I, and others, have consistently argued.
Furthermore, Ontario political parties are already claiming that they comply with Ontario privacy law. This is on the website of the Ontario Liberal party: “The handling of all personal information by the Ontario Liberal Party is governed by the Freedom of Information and Protection of Privacy Act (FIPPA). We are committed to protecting your privacy whether you are browsing for information or conducting business with us electronically.” Now, the fact that their practices are not in fact governed by FIPPA should indicate that: 1) they have probably paid very little attention to these issues, and that they need to; and 2) they are quite open to having their practices governed by privacy protection law.
As in BC, the law governing the activities of non-governmental bodies is the appropriate vehicle. There is absolutely no justification for applying basic privacy rules to government agencies, businesses and other non-profits, and excluding political parties. There is no justification for requiring businesses and government agencies to report data breaches in a timely fashion, and for political parties to do nothing. The issue will not go away. There has been too much pressure – from the privacy commissioners, from academics, and from civil society. Furthermore, the gap has not gone unnoticed by the business sector which asks why they have to comply with this legislation, while the politicians themselves are exempting their own parties’ databases.
A Rights-Based Approach to Privacy
The GDPR is grounded in a European legal tradition that regards data protection as a fundamental right. I strongly support basing this new Ontario legislation on a fundamental right to privacy. I really cannot see any valid objection to this approach. For too long Canadian privacy protection policy has been based on an effort to “balance” privacy with competing commercial and governmental interests. Over time, this approach has led to creeping and hidden levels of surveillance. Privacy laws should fundamentally and centrally protect privacy and promote the responsible, fair and transparent processing of personal data. What a “right to privacy” approach would do, essentially, is force organizations to live up to rhetoric that already appears on thousands of corporate websites and terms of service agreements: “Your privacy is important to us.”
I have heard it argued, from some in the corporate sector, that this approach is fundamentally different from a “principle-based” approach. It really is not. Historically, a recognition of a right to privacy has motivated a set of common information privacy, or “fair information” principles. Over the last 50 years, national and international rules have converged around these principles. But they only have real force if grounded in a fundamental societal belief that the right to privacy is central to democratic society. That approach is recognized in many countries in the world. There is no reason why Canada should be any different.
And it is also the way that the issue is viewed and recognized by ordinary people. Typically, when intrusive surveillance technology is introduced, or personal data is mishandled, the average person will view the infraction in terms of a violation of his/her privacy and ask “why do you need my information? I didn’t give you my consent.” This view is supported by many opinion surveys conducted over many years. Despite the difficulty of defining what privacy means, it is the way that the issue has been framed in the popular consciousness for many years. It is the fundamental, grounding concept upon which other principles (security, accountability, consent, transparency and so on) are based. It is, therefore, totally appropriate for Ontario to acknowledge that reality within the preamble to its legislation.
Definitions of Sensitive Forms of Personal Data
The paper goes on to discuss the definition of sensitive forms of personal data (p. 6). C-11 and any Ontario bill will no doubt contain references to risk assessments based on sensitivity. The risks to individuals are highest when particularly sensitive forms of data are processed, and contemporary privacy legislation (including the GDPR) imposes special obligations for the processing of sensitive categories of personal data.
In the GDPR, those special categories are defined as data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health; sex life or sexual orientation. Without definition, the bill risks leaving the specification of sensitivity to the organization and to specious arguments, typically based on anecdote, about certain types of data not being sensitive.
I, therefore, support the definition of a non-exhaustive list of special categories of data (similar to the GDPR) to guide organizations. It signals where the risks really reside, and perhaps diverts attention away from less sensitive forms of data that do not necessarily entail a risk to individuals.
The Legitimate Needs of the Organization
In the “Fair and Appropriate Purposes” section, there is a reference to the “legitimate needs” of the organization. And the White Paper proposes the clearer specification of legitimate needs in order to relieve the “consent burden.” This approach differs from that in C-11, which relies on consent as the default authority and then specifies the various conditions under which personal data may be processed without consent. Although, depending on the drafting, the two approaches might end up at exactly the same place, I do generally favor the approach suggested within the White Paper. I believe it will force organizations to be more transparent about their practices, and force a clearer analysis of likely privacy impacts. If set within a broader privacy rights framework, then it should stipulate the different conditions under which the legitimate needs test can be justified.
Under the GDPR, “legitimate interests” is considered the most flexible lawful basis for processing, but an organization cannot simply assume that it is the most appropriate. As explained by guidance from the Information Commissioner’s Office in the UK, it is likely to be most appropriate when an organization uses personal data in ways individuals would reasonably expect, which have a minimal privacy impact, or where there is a compelling justification for the processing. I understand that this is broadly the approach advocated within the White Paper.
However, it should also be clear that the reliance on legitimate needs forces an extra responsibility for protecting privacy rights, involving (again according to the ICO) a three-part test: a purpose test, a necessity test, and a balancing test. Thus, the organization must: 1) identify and publish those legitimate interests (which may be commercial, societal, or individual); 2) show that the processing is necessary to achieve those interests, and 3) balance those interests against the individual’s rights and freedoms. If the organization can reasonably achieve the same result in a less intrusive way, then legitimate interests should not be used as the basis for processing. And the organization must stand ready to demonstrate the appropriate risk analysis, and that the processing will not cause unjustified harm.
I believe this is the approach that the White Paper has in mind. If consent is relied upon, it has to be real informed consent, but the organization may rely on other legitimate grounds for processing. The approach, therefore, puts a significant onus on the accountability requirements in the legislation (see my comments below).
Fair and Appropriate Purposes
I strongly support the strengthening of the reasonable person test with the inclusion of a “fair and appropriate” test. I, therefore, agree with Commissioner Kosseim’s submission on this issue. The “reasonable person” test has always suffered from the problem of subjectivity, as practices evolve and become normalized. That process of normalization or routinization then shapes expectations, which in turn shapes the interpretation of law. It is “reasonable” because the consumer has never known anything different. The logic underpins the surreptitious and creeping surveillance that privacy protection law is supposed to curtail.
An addition of a further guardrail in terms of fairness obliges a constant assessment and reassessment of the use of new technologies to process personal data. Just because an organization has always collected personal data does not mean that it is appropriate and fair in perpetuity. The concept is also at the heart of the “principle-based” approach to privacy law – the “fair information principles” (FIPS). I cannot see how the addition of a stipulation that the purposes should be objectively fair and appropriate to the average citizen should be controversial in any way.
Privacy by Design and Privacy Impact Assessments
The paper asks whether privacy by design or privacy impact assessments should, in some circumstances, be mandatory (p. 30). I believe they should be a part of any modern privacy management program. Of course, they do not mean the same thing, even though they are closely related.
The GDPR (Art. 25) imposes obligations on data controllers to implement technical and organizational measures to implement data minimisation and other data protection principles. Also, the controller shall ensure that “by default, only personal data which are necessary for each specific purpose are processed.” This obligation extends to the amount of personal data processed, the extent of processing, the period of storage, and accessibility. Quebec’s Bill 64 requires enterprises to ensure that the parameters of the technological products or services they use to collect personal information provide “the highest level of confidentiality by default, without any intervention by the person concerned.”
I regard these as common-sense measures to implement the principle of data minimisation and send a strong message to organizations that if they can provide their services without processing masses of PII, then they should. It is a valuable principle that counters the “surveillance by design” paradigm that drives contemporary “surveillance capitalism.”
The paper proposes (p. 5) that organizations must consider whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits. But this section is within the context of the definition of appropriate purposes. It doesn’t address the question of whether, given an appropriate and specified purpose, it is actually necessary to process PII to fulfill that purpose in the first place. A measure obliging privacy by design and by default would bolster some of the existing protections in the Bill for uses of de-identified information, reducing the chances and incentives for re-identification. A privacy by design and default requirement would arguably reduce the volume of PII that may be captured in the first place.
Privacy Impact Assessments (PIAs) already form a central part of corporate privacy management programs. As a critical component of demonstrable accountability, they would seem a natural requirement, and squarely in the interests of the responsible corporation. The Ontario law should therefore require PIAs as part of its stipulations about the need for a privacy management program. I believe this can be done without imposing huge compliance costs on SMEs – even though it should be remembered that some SMEs can engage in some highly intrusive surveillance. PIAs would not only strengthen the provisions on the transfer of PII to service providers.
The GDPR (article 35) includes a requirement for an organization to conduct a data protection impact assessment (DPIA) where the processing is likely to result in a “high risk to the rights and freedoms of natural persons.” The assessment is particularly necessary when new technologies are being deployed. Each DPA in Europe is giving guidance on the particular interpretation of these words. I would refer you to the recent guidance by the UK ICO under the new UK GDPR. I think this guidance reflects the kind of approach that could be adopted in Canada and Ontario.
Under specified conditions (large scale personal data processing, new business models, sensitive data) where there is a high risk to the privacy of the individual, organizations should be required to do a PIA – and not just a legal compliance checklist, but a more comprehensive analysis of the broader risks to the individual. Organizations should be ready to demonstrate that they have done this analysis, if requested by the Commissioner.
Quebec’s Bill 64 (Sec. 103) also includes a requirement for PIAs to be conducted when an enterprise communicates personal information outside Quebec, considering: the sensitivity of the information; the purposes for which it is to be used; the protection measures; the legal framework applicable in the state and degree of equivalency to Quebec law. Although this probably goes too far, the requirement for PIAs (assessing the overall legal framework) is beneficial. It tells the organization to do due diligence – not only about the service provider, but also about the jurisdiction itself.
Enhanced Consent and the Legitimate Uses of Personal Data
As stated above, I am generally in favor of the “alternatives to consent” approach rather than the “consent with exceptions” approach to data protection law. I believe the former forces organizations to provide clearer justifications for the processing of personal data. It also allows for a strengthening of consent, such that consent actually means consent. I believe this approach is broadly consistent with that in the GDPR. If an organization is relying on consent, then it has to be “freely given, specific, informed, and unambiguous.” And there is no place for implied consent in this model (see comment below).
I would point out that the stipulations for the validity of consent in Bill C-11 (Section 15(3)) are incomplete. The Privacy Commissioner has pointed out the importance of reinstating the important words in Section 6.1 of PIPEDA: “the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting.” I believe that Ontario should fix this weakness in C-11.
I am puzzled by this statement: “Before turning to those alternatives, it must be noted that, as is the case under existing Canadian privacy laws, Ontario is considering allowing organizations to rely on implied consent under certain circumstances, taking into account the sensitivity of the personal information involved and the reasonable expectations of the individual” (p. 17). The point about the inclusion of alternative legal grounds for processing is that implied consent should be unnecessary. A stronger consent requirement means that it should never be implied, but always “freely given, specific, informed, and unambiguous.” I believe that the traditional distinction between express and implied consent should be abandoned. The reliance on implied consent has legitimated the capture of far too much personal data and fuelled the surveillance economy.
Thus, the critical questions are raised in the section on legitimate grounds for processing that would not require consent – but would, of course, require transparency and accountability. I support the exclusion of the exemption in C-11 concerning: “an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.” I am also uneasy about the “any other prescribed activity” exemption. Beyond that, it seems to me that the existing list is sufficiently exhaustive.
Protecting Children and Youth
I strongly support the proposal for separate provisions on children and youth, and believe it is a glaring weakness in C-11. I would also note that many corporate privacy policies include special sections on marketing to children. The Canadian Marketing Association also has special guidance in marketing to children and teens. This should not be a controversial reform. There will be debate about the correct age threshold for which parental consent is required. More critical, in my judgement, is the accountability requirement that organizations have considered the level of maturity in developing their rules for transparency and consent. Thus, organizations should write notices in ways that a child might understand, and do the appropriate due diligence to ensure that the consent is meaningful. The Privacy Commissioner of Canada put it this way in his guidance on meaningful consent: “For minors able to provide meaningful consent, consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
On the question of the “no-go zone”, obviously most people would find the tracking of kids for the purposes of profiling, monitoring or influencing their behavior highly offensive. And I fully support the idea. I think the larger question is whether or not Ontario wants to specify these restrictions in the law, or leave it to the later interpretation of the “reasonable person” test which would evolve over time. And this may not be the only “no-go-zone.” Again, the OPC guidance on consent offers important indications of further practices that would be “no-go-zones” under Section 5(3) of PIPEDA.
Conclusion
In summary, I am impressed with the thought that has gone into this document and have recommended that policymakers in other jurisdictions consider its provisions very carefully. The enactment of private-sector privacy legislation in Ontario is of paramount importance for individual Ontarians and Canadians, as well as for businesses.