The federal privacy commissioner has come out with his most pointed criticisms of the proposed overhaul of privacy legislation covering the private sector.
In a speech Thursday during a virtual conference hosted by the Quebec-based consumer publication Option consommateurs, Privacy Commissioner Daniel Therrien said key parts of the proposed Consumer Privacy Protection Act (CPPA, also known as Bill C-11) won’t increase consumers’ control over their data. He suggested quick and effective remedies for violating the law and encouraged innovation.
In particular, he said the government wants to increase consumer data control by adopting some of the guidelines his office proposed in 2018 to ensure consumers give meaningful consent for the use of their personal data. But the CPPA “leaves out an important facet of our current legislation, the idea that meaningful consent requires that the person giving it understands the consequences of what they are consenting to.
“Moreover, the privacy notices that serve as the basis for consent would still be allowed to use vague, if not obscure, language to describe the purposes for which companies intend to use a person’s data.”
While legislation in other jurisdictions requires organizations to identify “specified, explicit and legitimate” purposes for the use of consumer data, this isn’t in the proposed C-11.
“In my opinion, this would result in less consumer control than under the current law,” Therrien said.
The CPPA would give the privacy commissioner the power to make compliance orders, but give the power to levy fines recommended by the commissioner to a new Data Protection Tribunal. The tribunal would also hear appeals against OPC decisions.
“We believe that this tribunal, which does not exist in this form anywhere else, would create unnecessary delays for consumers,” said Therrien. “The courts are perfectly capable of reviewing the legality of OPC decisions. Worse, it would encourage companies to choose the route of appeal rather than finding common ground with the OPC when we are about to issue an unfavourable decision.
“We believe that the addition of this tribunal would only delay access to justice for consumers.”
Bill C-11 lists only a few violations of the CPPA that justify administrative penalties. The list, Therrien noted, does not include obligations related to the form or validity of consumer consent for handling data, nor the numerous exceptions to consent, “which are at the core of protecting personal information.”
It also does not include violations of the principle of accountability, he added, which is supposed to be an important counterbalance to the increased flexibility given to organizations in the processing of data.
Therrien praised Quebec’s proposed overhaul of its privacy legislation, Bill 64, which he said allows the privacy commissioner to levy fines and has no limit on offences subject to administrative penalties.
Steps in the wrong direction
The OPC believes the current principle of accountability of business is weakened in the proposed act. Therrien said it defines accountability descriptively as the set of procedures that companies choose to put in place.
“This is in fact a form of self-regulation,” he said.
The proposed CPPA allows firms some exceptions in obtaining consent from consumers for how their personal data is used. But some of the exceptions are too broad or ill-defined to foster responsible innovation, said Therrien, adding the new flexibility given to companies is not matched by increased accountability.
He repeated his call for enshrining the right to privacy as a human right. “This is because we have seen time and again how digital technologies have been used to violate these rights.”
The CPPA says the purpose of the act is to create “rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information.” In the past, Therrien has said a right to privacy should be enforceable.
“We believe that with important amendments, the bill could become a solid legislative text that effectively protects the privacy of Canadians,” Therrien concluded.
He said he looks forward to meeting with new Innovation Minister François-Philippe Champagne to discuss possible amendments to the act.
The CPPA would replace the current Personal Information Protection and Electronic Documents Act (PIPEDA). Although it was introduced last September, the legislation still has no date set for debate before the House of Commons’ Ethics and Privacy Committee.
Former Ontario privacy commissioner Ann Cavoukian said Therrien’s comments about C-11 were “right on the mark.”
“I believe he’s pointing to an overhaul” of C-11, she added. “The commissioner would never use that terminology. He wouldn’t think that appropriate. But given all the weaknesses in C-11 that he has gone to great lengths to outline, you’d have to do a total re-write of the bill.”
Now head of the Global Privacy and Security by Design Centre, Cavoukian particularly supported Therrien’s criticism of the proposed tribunal. “If you have order-making powers as a commissioner, that’s your stick. Whoever you’re dealing with is aware of that. When I was commissioner I would much rather use a carrot [than a stick]. It brought [firms] to the table so we could engage in an informal resolution” of disputes. “So I didn’t use an order most of the time.”
And businesses could still appeal to a court, she noted.
The issues the commissioner flags are significant, which suggests the law should be overhauled, said Teresa Scassa, Canada research chair in information law and policy at the University of Ottawa law school.
“At the same time, one could argue that what he proposes could fit within the way the bill is currently framed – maybe on the high end of tweaking. To give one example, he critiques the administrative penalties section for being limited to only a narrow list of breaches of the legislation. This list could be extended without a major overhaul of the Bill. Similarly, the Commissioner is not challenging the idea of making consent a central element of the bill; rather, he has serious concerns about how consent is framed as well as the exceptions to consent.
“The bigger issue lying behind the overhaul-or-tweaking discussion is the balance arrived at in this legislation. The law essentially balances the privacy rights of individuals against the interests of organizations in being able to collect, use and disclose personal information. This interest is heightened in the data economy by organizations’ driving thirst for data. The Commissioner’s remarks clearly indicate that in his view the balance has been struck in a way that favours collection and use of personal data over the protection of privacy and other values. Viewed in this way, it is a call for an overhaul.”
(This story has been updated from the original to add comments from Ann Cavoukian and Teresa Scassa)