Is Canada’s reform of privacy legislation dead?


Ever since the House of Commons adjourned for the summer recess, political reporters have been predicting the current Parliament will be dissolved for a fall election. If so, one of the casualties will be the much-needed overhaul of privacy legislation covering the private sector.

Although it was introduced eight months ago, for some reason the Liberal government hasn’t made its proposed Consumer Privacy Protection Act (CPPA, also known as Bill C-11) one of its top orders of business. C-11 has been stuck in second reading since it was introduced last November.

It didn’t help that significant parts of the act aren’t supported by Privacy Commissioner Daniel Therrien.

But changing the current Personal Information Protection and Electronic Documents Act (PIPEDA) is necessary to bring it in line with the European Union General Data Protection Regulation (GDPR), which came into effect in May 2018. Any Canadian company that keeps personal information on EU residents has to provide protections roughly equivalent to those in the GDPR. In introducing the legislation, the government stressed that the EU has made it clear Canada has to update PIPEDA.

Passage of C-11 is led by Innovation Minister François-Philippe Champagne. In a statement to IT World Canada, his department said “passing of Bill C-11 has been and continues to be a priority for the Government of Canada. The Government looks forward to hearing the views of all stakeholders on the Bill when it proceeds to Committee study in the House of Commons and in the Senate.”

However, if the House is dissolved all bills die, and that study of the CPPA by the access to information, privacy and ethics committee won’t happen.

A preview of what the committee would hear took place in May when Therrien testified on the proposed federal budget, and took the opportunity to comment on C-11. “In its current state,” he said, “the bill would represent a step back overall for privacy protection.”

In a lengthy and more detailed written explanation submitted to the committee the next day, Therrien explained why: “Provisions meant to give individuals more control give them less; because the increased flexibility given to organizations to use personal information without consent do not come with the additional accountability one would expect; because administrative penalties will not apply to the most frequent and important violations, those relevant to consent and exceptions to consent; and because my office would not have the tools required to manage its workload to prioritize activities that are most effective in protecting Canadians.”

One of his principal concerns is that the bill says businesses may collect or use an individual’s personal information without their knowledge or consent under certain circumstances.

Another is that the bill doesn’t clearly state that Canadian residents have a right to privacy.

“Bill C-11 maintains that privacy and commercial interests are competing interests that must be balanced,” the brief says. “In fact, the bill arguably gives more weight to commercial interests than the current law by adding new commercial factors to be considered in the balance, without adding any reference to the lessons of the past twenty years on technology’s disruption of rights.”

Therrien’s office then went on to make no fewer than 52 recommended changes to the bill’s wording.

Given that lack of support, small wonder the Liberals haven’t moved the bill out of second reading, let alone sent it to the privacy committee.

Conservative party interest in the legislation is questionable. IT World Canada twice asked privacy committee chair Chris Warkentin for comment on the bill and received no response.

Meanwhile, tired of waiting for Ottawa to act, Ontario is on the road to approving its own private-sector privacy legislation, and Quebec is in the middle of updating its privacy law.

Bill is ‘awful’

Some privacy experts see no great loss if C-11 disappears.

“C-11 is awful and will hopefully die on the order papers — it’s a mess,” emailed former Ontario privacy commissioner Ann Cavoukian.

“I think it’s safe to say that the privacy profession in Canada is frustrated by the lack of progress in getting Bill C-11 passed, let alone to committee,” said Kris Klein, a member of the Ottawa boutique privacy law firm nNovation and managing director of the Canadian wing of the International Association of Privacy Professionals. “There are lots of important issues that need to be debated, many of which were tabled by the Privacy Commissioner a few weeks ago. It is imperative that the federal government move forward on this. There’s simply too much at stake, the least of which is the impending review by our European colleagues to evaluate the adequacy of our privacy regime in Canada.

“I think the entire Canadian privacy profession is left scratching their heads at the lack of political will expressed by our politicians,” Klein said. “It is frustrating. The fall will prove to be interesting, however. If Quebec moves forward (as the rumours are suggesting) and passes their new modern privacy legislation, more pressure will be on the feds to keep up. Moreover, the Ontario consultation [on its proposed provincial privacy law] ends on August 3, so it is conceivable that we get movement by the [Ontario] government, too – which will undoubtedly put more pressure on the feds.”

It wasn’t supposed to happen this way.

Based on Digital Charter

The CPPA is based on principles announced in the Liberal Digital Charter in May 2019 and a plank in the Liberals’ October 2020 election campaign.

C-11 (which, like PIPEDA, would apply to federally-regulated sectors like banks, telecom companies and transportation as well as businesses in provinces that don’t have their own private sector privacy law) was introduced by then-Innovation Minister Navdeep Bains. He said it “would give Canadians more control and greater transparency in the manner in which companies handle their information.” It would do this by introducing important rules for consent, the right to delete information, data mobility and algorithmic transparency.

Commercial firms would be required to get “meaningful consent from Canadians. This means individuals would get specific information in plain, simple language, not the 30-page legal document that no one reads. This, in turn, would allow individuals to make meaningful choices about the use of their personal information.”

Companies would have to be transparent about how they use personal information. Firms would have to acknowledge their use of automated systems, such as artificial intelligence, to make significant decisions or predictions about someone. Individuals would have the right to an explanation of a prediction or decision made by these systems.

There would be “clear, meaningful penalties for violations of the law, and regulations that support these principles so that Canadians can rest assured that their privacy will be protected.”

The Office of the Privacy Commissioner would have broad order-making power, including the power to force an organization to stop collecting or using information and delete it.

The Privacy Commissioner would have the power to recommend to a new personal information and data protection tribunal administrative penalties of up to $10 million, or three per cent of global revenues, whichever is higher. The range of serious criminal offenses would also be expanded, with a new maximum fine of up to $25 million, or five per cent of global revenues, whichever is higher. The tribunal would have the final say.

When Bains finished, he pointed out that Goldy Hyder, the president and CEO of the Business Council of Canada, “spoke positively” about the bill. He also quoted University of Ottawa internet law professor Michael Geist calling the bill “Canada’s biggest privacy overhaul in decades.”

Lack of support

Indeed it is a big overhaul. But does it have support?

Within days of the introduction of the legislation there were reservations mixed with praise. Former Ontario privacy commissioner Ann Cavoukian said she was “so disappointed” and “baffled” the CPPA doesn’t mandate organizations use principles of Privacy By Design to protect personal data, as specified in the GDPR. A spokesperson for Bains replied that the bill is based on the 10 privacy principles that are at the core of PIPEDA and “align with and reflect the concepts at the heart of privacy by design.”

Cavoukian, who now heads the Global Privacy and Security by Design Centre in Toronto, was also “perplexed” that the Privacy Commissioner couldn’t directly levy fines, but had to go through the tribunal.

Teresa Scassa, University of Ottawa law professor and Canada Research Chair in Information Law and Policy, said she was “very troubled” that the CPPA doesn’t follow the GDPR’s clear rules that oblige firms to ensure personal data sent out to a country for processing has appropriate safeguards.

A week later Scassa predicted during a webinar that “there will be a lot of push-back” from the private sector. Geist and privacy lawyer Alex Cameron of the Fasken law firm weren’t optimistic that C-11 will pass at all.

Then on March 25 of this year Therrien issued his first public comment on the proposed act. “The government has set out important objectives for the bill, including increasing consumers’ control over their data, enabling responsible innovation, and establishing quick and effective remedies, including the ability to impose significant financial penalties,” he said. “I support these objectives. Unfortunately, my analysis of the bill’s provisions leads me to conclude that they would not be achieved,” he told a Quebec-based consumer group webinar.

Among his complaints:

– the creation of the tribunal would delay decisions and encourage businesses to launch appeals;

– some of the proposed exceptions to the requirement that businesses get consent from consumers to use their personal data are too broad or ill-defined;

– new flexibility given to companies is not matched by increased accountability;

– while the bill says its purpose is to establish rules to govern the protection of personal information “in a manner that recognizes the right of privacy of individuals,” it doesn’t recognize privacy as a human right.

The future of the bill is still in question. If the Liberals decide not to call an election and send C-11 to committee, how willing will they be to adopt amendments that significantly change the act? In a minority Parliament they may have no choice. If there is an election and the Liberals win a minority, will they make C-11 more palatable? If they win a majority will they stand firm? What if the Conservatives or the NDP win?
