Canada’s New Privacy Bill
- July 31, 2022
- Clayton Rice, Q.C.
Data protection laws are essential to governing the collection, use and disclosure of personal information by private sector organizations in the modern economic environment. On June 16, 2022, the Canadian government tabled a Bill designed to update the federal private sector privacy law, create a new tribunal and enact new rules governing artificial intelligence systems. I will review four aspects of the proposed legislation that may be of interest to criminal lawyers.
The proposed statute, Bill C-27, titled An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act is designed to replace the outdated Personal Information Protection and Electronic Documents Act (PIPEDA). (here and here) It is a revised version of the predecessor Digital Charter Implementation Act, Bill C-11, that died on the order paper before the federal election in 2021. The previous Privacy Commissioner of Canada, Daniel Therrien, had called Bill C-11 “a step backwards” for privacy and issued recommendations for its reform. (here) The industry sector was also critical asserting that it would make the use of data for innovation too burdensome.
2. A Consent Based Regime
In the first of a series of posts to her blog titled Bill C-27’s Take on Consent: A Mixed Review, Professor Teresa Scassa of the University of Ottawa, Ottawa, Canada, commented that “[t]he challenge in privacy law reform has […] been to make consent meaningful, while at the same time reducing the consent burden and enabling greater use of data by private and public sector entities.” (here) Although consent is an important means by which individuals exercise control over their data, it is recognized that the consent burden has become too high for individuals who are confronted with impenetrable privacy policies. Although the Bill reaffirms that consent is the “default rule” for the collection, use or disclosure of personal information, it also creates a long list of exceptions.
Section 15(1) states that, unless otherwise provided, an organization must obtain an individual’s “valid consent” for the collection, use or disclosure of the individual’s personal information. An individual’s consent is only valid under s. 15(3) if the organization provides the individual with the following information:
- the purposes for the collection, use or disclosure of the personal information determined by the organization;
- the manner in which the personal information is to be collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure;
- the specific type of personal information that is to be collected, used or disclosed; and,
- the names of any third parties or types of third parties to which disclosure may be made.
Section 15(4) is the “plain language” provision which imposes on an organization the obligation to provide information to an individual in language than an individual “would reasonably be expected to understand.” The section is a compromise between the existing law in s. 6.1 of PIPEDA that requires an understanding of the “nature, purpose and consequences” of the collection, use and disclosure, and Bill C-11 that removed the PIPEDA definition and replaced it with a list of information that must be provided to individuals prior to consent. Although the new provision would water down the standard by removing the requirement of an understanding of consequences, it is nonetheless preferable to the removal of the standard of understanding altogether. As Professor Scassa observed, the new provision has the virtue of ensuring that privacy policies for products or services “take into account the sophistication of their audience.”
Section 18 contains the exceptions. An organization may collect or use an individual’s personal information under s. 18(1) without their knowledge or consent for the purpose of a business activity if: (a) a reasonable person would expect the collection or use for such activity; and, (b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions. The concept of “legitimate interest” has been added as an exception in s. 18(3) which permits an organization to collect or use personal information without knowledge or consent where it has a legitimate interest that “outweighs any potential adverse effect on the individual” provided the same test as in s. 18(1) is met. Bill C-27 has clawed back the controversial list of business activities for which no knowledge or consent was required in Bill C-11. Professor Scassa described the revision as a “positive development” because the worst has been removed.
3. De-identification and Anonymization
Bill C-27 clarifies Bill C-11 which conflated de-identified and anonymized information and made them both subject to privacy legislation that was inconsistent with the global approach to these persistent problems. Personal information is defined in Bill C-27 as “information about an identifiable individual”. The concept of identifiability is the threshold issue for the application of the law. If an individual can be identified directly or indirectly from data, either alone or in combination with other data, that data is “personal information”. In her second post on Bill C-27 titled Anonymization and De-identification in Bill C-27, Professor Scassa gives us the following simple example that typifies the kind of information law enforcement harvests in digital investigations. Although a postal code is not a direct identifier of a particular individual, in the context of a larger data set including other elements such as age and gender, the postal code can lead to identification of a specific individual and thus constitutes personal information. (here)
Bill C-11 defined “de-identify” to mean the modification of personal information to ensure that it does not identify an individual or could not be used for identification “in reasonably foreseeable circumstances”. The definition was criticized by private sector organizations who lobbied for an exemption from the law or a separate category of anonymized data. They argued that if data could not be linked to an identifiable individual then it is not personal data and should not be subject to data protection legislation. Bill C-27 now creates separate definitions for anonymized and de-identified data. Anonymize means to irreversibly and permanently modify personal information to ensure that no individual can be identified “whether directly or indirectly, by any means.” De-identify means to modify personal information so an individual cannot be directly identified from it “though a risk of the individual being identified remains.” Professor Scassa has suggested that the law should enable the Privacy Commissioner to play a role in determining what qualifies as “anonymization” to ensure the integrity of the provision.
The new Bill also contains two provisions that address government access to private data stored by the private sector. Section 35 deals with the sharing of private sector data for statistical and research purposes. The present law, contained in s. 7(3)(f) of PIPEDA, has a similar exception. Section 35 requires that three preconditions be met for disclosure without the knowledge or consent of the individual: (a) the disclosure is made for statistical, study or research purposes that cannot be achieved without disclosure; (b) it is impractical to obtain consent; and, (c) the organization informs the Privacy Commissioner before the information is disclosed. Section 39 deals with the use of personal data for “socially beneficial purposes” including purposes related to health, the improvement of public amenities or infrastructure and protection of the environment. In her third post titled Data Sharing for Public Good: Does Bill C-27 Reflect Lessons Learned from Past Public Outcry, Professor Scassa emphasized that s. 35 would enable the kind of data sharing involved in the StatsCan controversy in 2018 that I discussed in a previous post to On The Wire. (here and here)
4. The Right of Erasure
Bill C-27 contains a right of erasure that allows individuals to request that an organization delete information it retains about them. It is often called the right to be forgotten in European law that I also discussed in previous posts. (here and here) The right of erasure will only apply in three circumstances. Section 55(1) requires an organization to dispose of personal information if: (a) the information was collected, used or disclosed in contravention of the statute; (b) the individual has withdrawn their consent in whole or in part; and, (c) the information is no longer necessary for the continued provision of a product or service requested by the individual. However, s. 55(2) contains important exceptions including circumstances where: (a) disposal would result in the disposal of information about another individual which is not severable; (b) the reasonable terms of a contract prevent the organization from disposing of the information; and, (c) the organization requires the information for a legal defence or legal remedy.
In her third post titled Bill C-27 and the erasable right of erasure, Professor Scassa criticized the definition of “dispose” in Bill C-27. (here) Dispose means to permanently and irreversibly delete personal information or to anonymize it. The right of erasure is therefore not available where an organization chooses to anonymize personal information. Section 2(3) of Bill C-27 also removes the right of erasure where information is merely de-identified. “This seems like an internal contradiction in the legislation,” she said. “Disposal means deletion or rigorous anonymization – but, under s. 2(3), a company can just pseudonymize to avoid a request for disposal.” It appears that pseudonymized data may have to be eventually disposed of under temporal retention limits but anonymized data may be retained indefinitely.
Every organization that knowingly contravenes the following sections of the statute is liable to a fine of CDN$25 million or up to 5% of global revenue, whichever is higher:
- failure to report a security breach to the Privacy Commissioner under s. 58(1);
- failure to maintain records of security breaches under s. 60(1);
- failure to retain information for as long as necessary to allow an individual to exhaust any statutory recourse they have under s. 69;
- unauthorized use of de-identified information, alone or in combination with other information, to identify an individual under s. 75;
- an order of the Privacy Commissioner under s. 93(2) or that obstructs the Commissioner in investigating a complaint, conducting an inquiry or carrying out an audit; and,
- dismissal or discipline of an employee who discloses a contravention of the statute to the Privacy Commissioner under s. 127(1).
There are also administrative monetary penalties of up to CDN$10 million or 3% of global revenue for other specific violations of the statute. The administrative penalties apply to: (a) the establishment and implementation of a privacy management program; (b) failure to ensure equivalent protection for personal information transferred to a service provider; (c) failure to adequately specify purpose, consent or breach notification obligations imposed on a service provider; and, (d) transparency.
It appears that Bill C-27 is intended by the government to address the concerns of industry and privacy advocates about the predecessor Bill C-11. There are, however, significant aspects of Bill C-11 that remain unchanged. It is also important to emphasize that the new Bill has also added the Artificial Intelligence and Data Act. I have not discussed AIDA nor have I considered the provisions of Bill C-27 addressing the privacy rights of minors. Professor Scassa described the government’s response to children’s privacy as “modest” and probably rooted in “constitutional anxiety” over jurisdictional issues. The provinces determine the age of majority yet children have an intense interest in private sector data protection given their online presence and connection to the Internet of Things. (here) And, although the preamble to Bill C-27 recognizes the protection of privacy interests as essential to individual autonomy, dignity and fundamental rights, nowhere does the Bill actually define what “privacy” is other than in the context of personal information. Both the former Privacy Commissioner, Daniel Therrien, and his successor, Philippe Dufresne, have urged the government to recognize privacy as a “fundamental right” in the new Bill. (here)