Two privacy experts have mixed feelings about the proposed new federal privacy regime for the private sector.
On the one hand, former Ontario privacy commissioner Ann Cavoukian and University of Ottawa law professor Teresa Scassa are very pleased with the privacy commissioner’s new order-making powers and ability to levy fines, as well as the greater control over personal data collected by firms.
Cavoukian said she was “delighted” with those sections.
But the two privacy experts have concerns about other parts of the proposed Consumer Privacy Protection Act (CPPA), which would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).
Cavoukian said she is “so disappointed” and “baffled” the CPPA doesn’t mandate organizations use principles of Privacy By Design to protect personal data, as specified in the European Union’s General Data Protection Regulation (GDPR). “That model of prevention is missing here.”
Article 25 of the GDPR says the person appointed by an organization to be the data controller “shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” That applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
In 2018 the House of Commons Access to Information, Privacy and Ethics committee recommended Privacy By Design principles be included in the overhaul of PIPEDA, she noted.
UPDATE: Asked about this, a spokesperson for Innovation Minister Navdeep Bains said the CPPA is based on the 10 privacy principles that were at the core of PIPEDA. Those principles align with and reflect the concepts at the heart of privacy by design, including end-to-end security, visibility and transparency, and respect for user privacy. “In essence, if organizations are complying with the CPPA, they are building privacy into their practices and procedures, and therefore their products and services.
“In particular, a key focus of privacy by design is for organizations to implement technical and organizational measures to ensure they meet their privacy obligations and protect personal information. The CPPA advances this goal by strengthening the requirement for organizations to implement a privacy management program to ensure compliance with their obligations under the law. Under the CPPA, the Privacy Commissioner would also be able to review organizations’ privacy management programs to provide them with guidance.”
Like PIPEDA, the CPPA would apply to federally-regulated firms (banks, airlines, telecom and transportation companies) as well as businesses in provinces and territories that don’t have their own private-sector data privacy laws (currently, only British Columbia, Alberta and Quebec have their own laws).
Cavoukian says she also doesn’t understand why the CPPA would give the Privacy Commissioner only the power to recommend fines for breaches of the act. The final decision on the amount of a fine, if any, would be in the hands of a proposed Personal Information and Data Protection Tribunal. The Tribunal would also hear appeals of the commissioner’s orders to firms to protect personal data better. Members of the tribunal would be appointed by the government, similar to the Competition Bureau Tribunal.
Some argue the government doesn’t want to make the privacy commissioner judge and jury and would prefer to split the two roles. But Cavoukian noted when she was Ontario’s privacy commissioner she had the power to levy fines directly. So do the privacy commissioners in B.C. and Alberta, she added. Firms could appeal those fines to the courts.
“I’m just perplexed by it,” she said of the Tribunal. “I fear it might weaken the order-making power you’ve just given the commissioner.”
In a statement, the Retail Council of Canada said it has some concerns about the proposed fine and order-making powers. Cavoukian would have none of it. “If privacy is strongly protected there is no cause for concern because there won’t be any fines. Go with the law, do what you should be doing to protect your customers’ privacy and avoid any guilty findings.”
The privacy commissioner would have the power to recommend fines of up to 3 per cent of a firm’s global revenue or CA$10 million, whichever is greater, for most offences under the act. However, in serious cases — such as obstruction of an investigation — the commissioner could recommend fines of up to 5 per cent of a firm’s global revenue or CA$25 million, whichever is greater.
As for the ability to compel firms to follow the act, Cavoukian said she had a similar power when she was Ontario’s privacy czar. “I rarely had to use it – that’s a stick. The organization you’re dealing with knows you have the stick and so they’re much more likely to sit at the table and work things out. Then it becomes a win-win, instead of you having to make them do things.”
Cavoukian, who now heads the Global Privacy & Security by Design Centre in Toronto, also said she likes that the CPPA encourages businesses to have strong data security. Section 57 says an organization “must protect personal information through physical, organizational and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information.”
Scassa, who in addition to being a law professor is Canada Research Chair in Information Law and Policy, likes that the proposed law gives individuals the right to challenge firms on how they use artificial intelligence and automated decision-making software systems. Affected persons can ask for an explanation of how a decision was made and what data was used.
She is also pleased individuals would have the right to demand organizations erase personal data on them held by firms, and some right to demand firms move their personal data to another business, although the law proposes regulations will be set for different sectors.
But Scassa said she is “very troubled” the CPPA doesn’t follow the GDPR’s clear rules obliging firms to ensure personal data sent out to a country for processing has appropriate safeguards. The GDPR says firms must ensure the foreign country’s privacy laws are similar to the regulation. “This bill, as far as I can tell, has only a smattering of references to the outsourcing of Canadians’ data for processing,” she said. “There’s not a lot of substance there. I don’t think it’s very clear. So I am concerned about the extent to which Canadians’ data is protected when it’s outsourced to third parties, including outside the country.”
Scassa noted Section 11 of the CPPA says where an organization transfers personal data to a service provider it has to ensure by contract or other agreement that the provider gives substantially the same protection as required under the CPPA. But, she said, it doesn’t talk about data sent outside Canada.
One thing data privacy officers and privacy lawyers will appreciate, Scassa said, is that the proposed CPPA is much better organized than PIPEDA and will make it easier for experts to find the sections they need.
Privacy Commissioner Daniel Therrien, whose office has long called for PIPEDA to be updated, issued a statement saying he still wants to have a detailed look at the proposed law before publicly commenting. “Bill C-11 is a complex and substantial piece of legislation,” he said. “We recognize that some of the elements we had recommended appear in the legislation tabled today. However, before offering more detailed comments, we will need to carefully assess how its several components work together and how well they would improve protections for the privacy rights of Canadians.
“We look forward to presenting our views to Parliament as it undertakes its study of this important bill.”
Imran Ahmad, a cybersecurity and privacy lawyer at Blakes, Cassels and Graydon, said Canadian organizations will have to spend time to reassess their privacy practices and implement new processes and protocols to ensure compliance if the proposed law passes. They will also have to be mindful of the cost of non-compliance which, for the first time, he said, “is going to be significant in Canada.”
The Canadian Federation of Independent Businesses (CFIB) also expressed concerns. “Hopefully, the Digital Charter Implementation Act (Bill C-11) introduced today will make it easier for SMEs to comply with all these privacy rules,” Jasmin Guenette, vice-president of national affairs, said. “But the devil is in the detail. At this point, there are more questions than answers about this new bill and we will have to see what changes will be made as it goes through normal legislative procedures.
“How will this new law play out with provinces with their own privacy laws? How long will businesses have to comply? What kind of exemptions could be added to the Bill in the next couple of months and how will the new administrative privacy tribunal work? It’s also important to remind policymakers that the priority is to have an environment where it’s easier for small businesses to operate, not the opposite. And it’s also important not to add costs and red tape on small businesses, especially now as they are already facing huge challenges because of COVID-19. The focus of the government should remain to adopt policies that will ensure a strong and speedy recovery.”
It’s not necessarily all bad for businesses. “The law is intended to work for businesses of all sizes, and has taken into account the needs of small businesses,” an ISED department official told reporters in a technical briefing on Tuesday. “We know overly-prescriptive laws often favour large businesses in terms of compliance because they are the ones that can best afford the legal support. That is why the law is based on what worked well with PIPEDA. It continues to include many mechanisms for businesses to work with the privacy commissioner and seek guidance to make sure they are on the right path.”
This story has been updated from the original to include comments from Innovation, Science and Economic Development that the CPPA is based on privacy by design principles.