Privacy commissioners from Alberta, B.C., and Quebec say the proposed overhaul of Canada’s federal privacy law shouldn’t add an appointed privacy tribunal to hear appeals of certain decisions made by the national privacy commissioner.
Instead, they argued Tuesday before the House of Commons industry committee, any objections or appeals should go straight to a court — as they do now both federally and in the three provinces that have their own privacy laws covering the private sector.
The commissioners echoed the argument of the current Privacy Commissioner Philippe Dufresne and the former Commissioner Daniel Therien that the proposed creation of a new Personal Information and Data Protection Tribunal will be a waste of time and money.
The data privacy tribunal was added when the proposed Consumer Protection Privacy Act (CPPA) increased the powers of the federal Privacy Commissioner to issue compliance orders and recommend multi-million dollar fines for violating the CPPA. If businesses don’t like the decision of the tribunal they could then appeal to the Federal Court.
But firms can now go directly to the Federal Court if they don’t like certain rulings of the Privacy Commissioner under the current law. Critics say inserting the privacy tribunal between the Privacy Commissioner and the Federal Court will only cause delays in respecting privacy law.
The CPPA is part of Bill C-27, which includes legislation creating the tribunal and the Artificial Intelligence and Data Act (AIDA) for regulating high-risk AI systems.
“It is critical that when privacy regulators are able to ensure that, when fines are necessary for multi-jurisdictional violations, they are levied in a co-ordinated, proportionate and non-overlapping way,” B.C. privacy commissioner Michael McEvoy told MPs. “That is not simply possible under Bill C-27, which strips away power from the federal Privacy Commissioner to levy fines and instead puts it in the hands of a third party (the tribunal) that would not be in a position to co-ordinate matters with other authorities.”
“If a party were concerned about an imposed fine, a direct referral to the court system is more than adequate to ensure administrative oversight.”
While McEvoy agreed some organizations might consider a fine a cost of doing business, the CPPA also gives the federal privacy commissioner another new weapon: The ability to issue orders to firms to “stop doing what you are doing.”
Also testifying were Diane Poitras, president of the Commission d’accès à l’information du Québec and Diane McLeod, Information and Privacy Commissioner of Alberta.
McEvoy also said the federal political parties should also have to comply with the data collection rules of the CPPA. Poitras and McEvoy noted that provincial political parties have to follow their provincial privacy laws.
The Liberal government has proposed the Elections Act be changed to require federal political parties to have privacy policies for the collection of personal data. That was described as inadequate by Dufresne.
McLeod said C-27 is “an important step in modernizing Canada’s privacy sector privacy law.” But she worried about a proposed exemption for businesses from getting consent for personal data collection under certain circumstances. The proposed exemption (S.18) says an organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on a person. There are two conditions: A reasonable person would expect the collection or use of personal data for such an activity; and the personal information is not collected or used to influence an individual’s behaviour or decisions.
Worries about how this exemption will be used by firms has also been raised by other witnesses.
Hearings on C-27 will resume in January.