I have written about national and international privacy protection policy for over 30 years. I am also an adviser to the Center for Digital Rights (CDR) which produced a comprehensive report on Bill C-27.[1] I commend that report to you, and especially the recommendation to set the bill within a human rights framework. As advocated by the Privacy Commissioner and many others, the bill should recognise privacy as a fundamental human right.
I would like to emphasize five specific areas for reform of the CPPA and suggest ways in which the bill can be brought into better alignment with Quebec’s new privacy legislation (Law 25).[2] I also think these are some of the areas where the bill is vulnerable when the European Commission comes to evaluate whether Canadian law continues to provide an “adequate level of protection.”
First, I believe Section 15 on consent is confusing to both consumers and businesses; the CDR has suggested a comprehensive rewording. In particular, I question the continued reliance on implied consent in Section 15 (5), which states that consent must be “expressly obtained” unless it is “appropriate to rely on an individual’s implied consent.”
The bill enumerates those business activities to which consent is not required, including if the organization has a “legitimate interest that outweighs any potential adverse effect on the individual”—a standard that has been imported from the European General Data Protection Regulation (GDPR). But in the GDPR, consent means express consent: freely given, specific, informed, and unambiguous. If it is impossible to obtain express consent, then businesses can rely on other legal grounds to process personal data.
In the current version of the CPPA, businesses can have it both ways. They can declare that they have “implied consent” because of some inaction that a consumer allegedly took in the past because of not reading the legalese in a complex terms-of-service agreement. Or they can assert a legitimate interest in the personal data by claiming that there is no potential adverse effect on the individual. And that is a risk assessment performed by the business, rather than a judgment made about the human rights of individuals to control their personal information. There should be no room for “implied” consent in the CPPA. It is a dated idea that creates confusion for consumers, and, obviously—as in the case of the recent decision by the Privacy Commissioner on Home Depot—for businesses.[3]
Second, there is no section in the CPPA on international data transfers, which is particularly ironic given the emphasis on global flows of personal data in all the government’s explanatory material. I know of no other modern privacy law that fails to give businesses proper guidance on what they have to do if they want to process personal data offshore. The only requirement is for the organization to require the service provider (by contract or otherwise) to ensure a level of protection of the personal information “equivalent to that which the organization is required to provide under this Act” (Section 11(1)). This due diligence applies whether the business is transferring personal data to another province in Canada, or overseas to a country that may or may not have strong privacy protection or indeed a record for the protection of human rights. This is particularly troubling because “an organization may transfer an individual’s personal information to a service provider without their knowledge or consent” (Sec. 19).
The Canadian government has never adopted a “safe harbor” approach or adequacy assessments like the EU (and I am not advocating that). But Quebec has, I believe, legislated an appropriate compromise under section 17 of Law 25, which requires businesses to do an assessment, including of the legal framework, when sending personal information outside Quebec.[4] As many Canadian businesses will have to comply with the Quebec legislation, why not mirror this provision in C-27? It would add an important safeguard, and also give more reassurance to the European Commission when they come to assess the adequacy of our legislation.
Third, the bill ignores important accountability mechanisms that were pioneered in Canada and exported to other jurisdictions, including Europe. Canada has a worthy reputation for pioneering privacy accountability measures (e.g. privacy impact assessments, and privacy by design), so it is very strange that some of those measures do not appear in the CPPA. In particular, privacy impact assessments (PIAs) are an established instrument and a critical component of accountable personal data governance, and should be required in advance of product or service development – particularly where invasive technologies and business models are being applied, where minors are involved, where sensitive personal information is being collected, used, or disclosed, and when the processing is likely to result in a high risk to an individual’s rights and freedoms.
A fourth and related problem is the absence of any definition of “sensitive forms of personal data.” Organizations must consider the sensitivity of data in several provisions in the bill, but it is nowhere defined.[5] With the exception of data on minors (s. 2.2), the judgement of sensitivity is left to the organization, with the obvious risk that some sensitive data will not be regarded as such by businesses, and that interpretations will vary. The bill should define “sensitive information” as meaning “personal information for which an individual has a heightened expectation of privacy, or for which collection, use or disclosure creates a heightened risk of harm to the individual”, and enumerate a non-exhaustive list of categories.[6]
Finally, the absence of proper privacy standards for federal political parties (FPPs) is unjustifiable and untenable. The government is relying on the argument that the FPPs’ privacy practices are regulated under the Canada Elections Act (CEA),[7] and therefore there is no need to embrace them in C-27. However, the provisions in the CEA (only requiring a privacy policy) are a pale imitation of the privacy provisions in C-27. And it is increasingly obvious that businesses resent the fact that they have to comply with provisions from which the FPPs are exempted.
Moreover, the application of BC’s Personal Information Protection Act (PIPA) to provincial political parties, and now to federal political parties (under judicial review), means that there will be one set of rules in BC and another in other parts of the country. Canada is only one of a handful of democratic countries in which federal privacy law does not apply to political parties and to the sensitive information on political opinions they collect.[8] This is not an issue that will go away, given advances in technology (including artificial intelligence) and its use in modern digital campaigning.
_______________________________________________
[1] Center for Digital Rights, Not Fit for Purpose: Canada Deserves Much Better. Report on Bill C-27, Canada’s Digital Charter Implementation Act (October 2, 2023): https://centrefordigitalrights.org/files/document/2023-10-13/263-091316.pdf
[2] Quebec, An Act to Modernize legislative provisions as regards the protection of personal information (Law 25) (2022)
[3] Colin J. Bennett, “Privacy Czar’s Home Depot investigation exposes weaknesses in Ottawa’s new privacy bill,” The Hill Times, February 23, 2023.
[4] Quebec, Law 25. Sec. 17: “Before communicating personal information outside Québec, a person carrying on an enterprise must conduct a privacy impact assessment. The person must, in particular, take into account:
(1) the sensitivity of the information;
(2) the purposes for which it is to be used;
(3) the protection measures, including those that are contractual, that would apply to it; and
(4) the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State.”
[5] Developing its privacy management program (s. 9(2)); judging the risk of a data breach (s. 12(2)); determining whether express or implied consent is appropriate (s. 15(5)); and establishing appropriate security safeguards and techniques of de-identification (s. 74).
[6] The special categories typically included in other legislation (including the GDPR) are: (a) information revealing racial or ethnic origin, gender identity, sex life, sexual orientation, political opinions, group affiliation, or religious or philosophical beliefs; (b) genetic information; (c) biometric information; (d) financial information; (e) health information; and (f) location-tracking information.
[7] Canada Elections Act. S.C. 2000. C.9. s. 385(2)(k)
[8] This goal can easily be accomplished by (1) adding to subsection 6(1) of the CPPA, a new paragraph (c) that reads “(c) is collected, used or disclosed by a federal political party, a candidate, an electoral district association, or a nomination contestant in connection with electoral activities.”