Previously published in Privacy Laws and Business International, February 2021 (Issue 169)
On 17 November 2020, Canada’s then Industry Minister (Navdeep Bains) introduced a new Consumer Privacy Protection Act (CPPA), and a Personal Information and Data Protection Tribunal Act (Bill C-11) to replace the Personal Information Protection and Electronic Documents Act (PIPEDA). The bill is part of an ambitious plan to implement a Digital Charter, a broad policy framework designed to guide Canada’s overall policy on digital issues.
The Constitution grants the Government of Canada some defined and delimited powers. The CPPA, therefore, only covers those organizations to which PIPEDA applies — federally regulated companies in transportation, communications, banking, and any organization that transfers data across international and inter-provincial boundaries for a commercial purpose, as well as intra-provincial commerce in provinces that do not have substantially similar legislation. Only Quebec, Alberta, and British Columbia have passed such laws; Ontario is currently conducting a consultation exercise.
The EU granted Canada a partial adequacy assessment for those organizations covered by PIPEDA back in 2002. The Industry Science and Economic Development (ISED) ministry has been providing regular updates to the European Commission about its implementation and about associated privacy legal developments. So Canadian businesses have enjoyed some significant advantages as a result of the safe harbor provided by the adequacy designation. If the new Bills do not pass muster, then those advantages are lost, and one huge justification for privacy law reform is removed.
It is unclear when the new laws will pass. The Bill is currently due for review by the Standing Committee on Access to Information, Privacy and Ethics (ETHI). The government has other priorities, and there is the lingering possibility of a national election later this year. We also understand from comments by ISED that an adequacy assessment of Canada’s data protection has already begun, based on PIPEDA and other existing laws.
Nevertheless, it is valuable to analyze the CPPA through an adequacy lens, even though any clear assessment is hampered by the problem of not knowing exactly what the test of adequacy will be going forward, and in what form the Bill will be proclaimed. The level of protection, we are told, must be “essentially equivalent” to be consistent with the jurisprudence of the European Court of Justice, in the so-called Schrems decisions. But the means by which that level of protection is achieved may differ from those employed within the EU. There must be the ‘core’ information privacy principles, but there must also be effective procedural and enforcement mechanisms: an independent supervisory authority, a good level of compliance, accountability mechanisms and appropriate redress mechanisms for the individual data subject. Thus, a country is not going to fail the test if the black letter of the law does not correspond exactly to the General Data Protection Regulation (GDPR). The analysis has to be contextual and holistic. Further, adequacy is just one of the legitimate tools in the broad and varied toolkit protecting the global flow of European data.
How does the CPPA strengthen privacy protection?
In the current law, PIPEDA, the essential information privacy principles were contained in the Model Code for the Protection of Personal Information, negotiated under the auspices of the Canadian Standards Association in the 1990s. Bill C-11 brings these essential privacy principles (accountability, limiting collection, use and disclosure, consent, retention and disposal, accuracy, security safeguards, openness and transparency, access and correction, and challenging compliance) into the body of the statute. It arguably offers a more readable and integrated set of rules for businesses and consumers alike. It still represents a made-in-Canada approach to personal data protection. But, let us be clear: it is a major reform.
The CPPA is still based on a model of individual consent, and in some respects borrows from the Privacy Commissioner of Canada’s recent Guidelines for obtaining Meaningful Consent. Like the GDPR, the Bill sets out clear requirements for valid consent, and prohibits making consent a condition for the provision of a product or service and using deceptive practices to obtain consent. Consent must be expressly obtained unless the organization establishes that implied consent is appropriate. Individuals can withdraw their consent at any time.
The Bill also borrows from the GDPR in providing for a version of the data portability requirement. Calling the concept “data mobility”, the Bill allows an individual to export their data from one organization to another, on condition that both organizations are subject to a ‘data mobility framework’ establishing appropriate standards and safeguards for interoperability, to be specified by Regulation. The right to be forgotten is repackaged as a right of data disposal at the individual’s request. That disposal must also be communicated to any service provider, but the requirement applies only to personal information that the organization has collected from the individual (s. 55(1)), whereas the Right to be Forgotten (RTBF) in the GDPR applies to the erasure of any personal data concerning the data subject. We also see interesting provisions which mirror those in the GDPR about automated decision-making, requiring the organization to explain in clear language any prediction, recommendation or decision about the individual based on an automated decision-making system.
Most critically, Bill C-11 proposes several changes in enforcement mechanisms, giving the Privacy Commissioner the power to order compliance with the law and to recommend significant penalties. Those potential penalties can be as high as C$10 million or 3% of the organization’s gross global revenue. There are even tougher penalties for wilful violations of security breach disclosure rules, data retention requirements, re-identifying an individual using de-identified data, or sanctioning a whistleblower. The penalties, however, will actually be levied by a new Personal Information and Data Protection Tribunal which will hear appeals against the Privacy Commissioner’s orders and findings. An individual may bring a private right of action for damages if both Commissioner and Tribunal have found that the organization has contravened the Act. There are searching questions about whether this Tribunal will have the unintended consequence of delaying decisions and hindering the provision of quick and effective remedies under the law.
There is also a repackaging of accountability obligations in the form of a requirement to implement a privacy management program. The Commissioner may also approve codes of practice and certification programs, which, when approved, effectively establish the legal obligations of the organization. We see a blend of new tools in the Commissioner’s toolkit.
What aspects of the CPPA will raise questions about Canadian adequacy?
Ascertaining “levels of protection” in this area of public policy is an inherently tricky and subjective process. There is no space for a detailed legal analysis. That said, I would identify a number of areas where questions about adequacy will probably be raised.
First, and contrary to the Privacy Commissioner’s pleas, Bill C-11 is not set within a human rights framework. The title itself, the Consumer Privacy Protection Act, signals the economic framing of the law. It is also puzzling why the main legislation is framed this way while the supplementary Bill setting up the tribunal is given the seemingly broader title “Personal Information and Data Protection Tribunal Act.” The Government has argued that its jurisdiction is limited under the Constitution to regulating trade and commerce and that civil rights are issues of provincial concern. The Privacy Commissioner has questioned this judgement. In his 2018-19 Annual Report, he argued forcefully for a rights-based approach to privacy reform in Canada, similar to that expressed in the GDPR. In the Commissioner’s view, privacy should be defined in its broadest sense, and recognised for its quasi-constitutional status as confirmed by the Supreme Court of Canada.
Of course, a broad human rights framework is not essential for a positive adequacy assessment by the EU. Nevertheless, the Commissioner has argued that C-11 opens the door to new commercial uses of personal information without consent, but does not specify that such uses are conditional on privacy rights being respected. Businesses can indeed collect and use personal data without knowledge and consent for a variety of purposes, raising questions about whether, taken together, these are “essentially equivalent” to the “legitimate purposes” allowed in the GDPR. Some repeat consent exemptions in PIPEDA and are relatively uncontroversial. Others will be controversial. For instance, businesses are permitted (s. 18(2)(e)) to use information if “obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.” An organization may also transfer an individual’s personal information to a service provider without their knowledge and consent (s. 19) to reduce an organization’s risk (s. 18(2)(b)). An organization may also use information without an individual’s knowledge and consent for internal research and development purposes if it is de-identified before it is used (s. 21). It may also disclose information without knowledge or consent to a range of public bodies if it is de-identified and if the disclosure is for a “socially beneficial purpose” (s. 39).
Organizations are still subject to a wide range of accountability measures, and they must be open about their purposes. Further, the Bill is underpinned (s. 5) by the test that an organization may collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Still, there will be vigorous debate about whether or not further legislative “guardrails” are required.
A second and related issue concerns the wide latitude to use personal data, provided it is “de-identified.” Critics have pointed out that de-identification is a complex, error-prone and evolving process, and that much in the exemptions from consent for these, and other, business operations will need to be carefully specified in regulation. It is questionable whether de-identification lines up with the concepts of anonymization and pseudonymization in the GDPR. It is also notable that abuses of these provisions are not further circumscribed by requirements for privacy impact assessments and privacy by design and by default. Organizations are, however, still obliged to be open and transparent about the type of personal information in their control. And there are penalties for using de-identified data, alone or in combination, to re-identify an individual.
A third issue that will likely raise questions is the absence of any definition in the Bill of sensitive forms of personal data, an additional content principle referenced by the European Data Protection Board (EDPB) in its adequacy referential. Organizations must consider the sensitivity of data in many of their obligations: developing their privacy management program (s. 9(2)); judging the risk of a data breach (s. 12(2)); determining whether express or implied consent is appropriate (s. 15(4)); and establishing appropriate security safeguards and techniques of de-identification (s. 74). However, the Government has resisted making a list of special categories of sensitive information, such as appears in Article 9 of the GDPR, leaving it to the judgment of the organization, and perhaps future regulation. It should also be recalled that the clear definition of, and protections for, sensitive forms of personal data was a reason for the rejection of Quebec’s application for an adequacy assessment back in 2014, and was also a key issue in the determination of Japanese adequacy. Neither is there any specific reference in the Bill to the protection of data about children.
A fourth issue of perennial concern in adequacy assessments will be the question of the onward transfer of personal data beyond Canadian borders. Nowhere in the CPPA is there a clear section on transborder data flows, as appears in the extensive Chapter 4 of the GDPR. The rules for onward transfers are dotted around several sections of the CPPA. In essence, the Bill retains the accountability or “organization-to-organization” approach of PIPEDA. The organization which transfers the data must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as provided under this Act. But (s. 19) an organization may transfer an individual’s personal information to a service provider without their knowledge or consent. There are no adequacy or safe harbor assessments to be conducted by the Canadian government. That is arguably a good thing, but it also precludes the kind of mutual adequacy recognition negotiated between Japan and the EU.
Fifth, there will be a lingering question about the definition of “commercial activity”, defined in the CPPA as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization’s objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome.” PIPEDA defined commercial activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” The Privacy Commissioner had issued guidance on how PIPEDA applies to charitable and non-profit organizations to the extent that they were engaged in such commercial activities. There may be no intention to alter the scope of PIPEDA, but these are complex and uniquely Canadian issues of jurisdiction that are difficult for overseas experts to comprehend. So there will continue to be questions, in Canada and outside, about the limits of commercial activity, and therefore the scope of the Bill. (A related issue, and a major disappointment, is that the Bill does not explicitly apply to federal political parties.)
The final huge issue relates to law enforcement and national security access to personal data, the essential problem that sank the EU-US Privacy Shield in the Schrems II decision of the European Court of Justice. Because Canada is a member of the Five Eyes network, the question of redress against national security and intelligence services will be prominent in any analysis of Canadian adequacy, and that will lead to analysis of related Canadian laws, such as the Security of Canada Information Disclosure Act and the Canadian Security Intelligence Service Act. The European Data Protection Board has laid out four interlinked “essential guarantees” that must be considered: clear, precise and accessible rules; necessity and proportionality; independent oversight; and effective remedies. Thus, the analysis of essential equivalence must venture well beyond the framework of the CPPA.
There is, however, a credible and independent oversight and redress mechanism in the form of the National Security and Intelligence Review Agency, which can also field complaints from non-Canadians. Until it is reformed, however, the Privacy Act does not allow complaints to be lodged by anyone who is not a citizen or a permanent resident. Furthermore, enforcement of the Privacy Act is currently based on an ombudsperson model, and the European Court of Justice rejected the USA Privacy Shield Ombudsperson as inconsistent with the system of redress enshrined in Article 47 of the EU Charter of Fundamental Rights. In terms of public sector access to personal data transferred from the EU, Canada is probably in a better position than the USA. That said, there will no doubt be searching questions about how these provisions are implemented and enforced in practice.
In conclusion, I don’t know whether the CPPA (and related privacy legislation) will pass the adequacy test, and I suspect that nobody else does either. But it is clear that the government drafted this legislation with one eye to Brussels, and that it will be a major disappointment if our adequacy judgment is rescinded and the competitiveness of Canadian business is affected. The overall consensus is that the Bill does not go as far as the GDPR in some significant respects. At the same time, that is not the test of essential equivalence. Further, the Commission has signaled a willingness to consider “common values and shared objectives” as well as the pioneering role the third country plays in the field of privacy and data protection.
A deeper question, of course, is whether or not the GDPR should be the model for the diffusion of global privacy rules. I would argue that the EU has learned and borrowed as much from countries like Canada over the years, as vice versa. I have also contended elsewhere that the Council of Europe’s Convention 108+ offers a more flexible, and exportable, set of standards and Canada should seriously consider accession. That said, the GDPR will provide important points of comparison, and perhaps leverage, in what will no doubt be a lengthy legislative and regulatory process. Canadian privacy experts and advocates will have their work cut out for them.