Jasmine Samra
Counsel
Article
18
Following its second reading, Bill C-27, the Digital Charter Implementation Act, 2022, has been referred to the House of Commons Standing Committee on Industry and Technology (the "Standing Committee"). Bill C-27 would repeal the current federal privacy law, Part I of the Personal Information Protection and Electronic Documents Act (PIPEDA), and enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA).
In May, the Standing Committee published the Privacy Commissioner of Canada's submission to parliamentary debates on federal privacy.[1] The Office of the Privacy Commissioer (OPC) has stated that Bill C-27 brings needed modernization to privacy and in many ways is an improvement over PIPEDA and Bill C-11, the federal government's prior attempt at privacy reform.
Bill C-27 considers several concerns and recommendations by the OPC, such as:
However, the OPC believes that Bill C-27 can be further improved to better protect Canadians privacy rights, promote innovation, and avoid reliance on regulations. The Privacy Commissioner of Canada, Philippe Dufresne, has stated his vision of privacy recognizes:
The OPC states that "These three pillars reflect the reality that Canadians want to be active and informed digital citizens, able to fully participate in society and the economy without having to choose between this participation and their fundamental privacy rights."[2]
The OPC has made 15 recommendations to Parliament which it considers would enhance Bill C-27 and ensure that individual privacy rights are protected while at the same time supporting the digital economy.
Recommendation #1: Recognize privacy as a fundamental right.
The OPC recommends that the preamble in Bill C-27 does not go far enough as it only recognizes the protection of a privacy "interest." The OPC states that the preamble should instead go a step further and recognize privacy as a fundamental right, rather than just an "interest" as this would align with international human rights and the jurisprudence from the Supreme Court of Canada.
Recommendation #2: Protect children's privacy and the best interests of the child.
While the CCPA introduces measures to protect minors, the OPC views such measures as insufficient in protecting children as they do not prohibit the uses of personal information that could be potentially harmful. The OPC recommends amending the preamble to Bill C-27 to explicitly state that "the processing of personal information should respect children's privacy and the best interests of the child." In the OPC's opinion, this would encourage organizations to build privacy for children into product design and ensure the best interest of children will be considered when developing new technologies.
Recommendation #3: Limit organizations' collection, use and disclosure of personal information to specific and explicit purposes that take into account the relevant context.
Section 12 of the CPPA establishes a framework for organizations to determine the reasonableness of collecting, using, and disclosing personal information. The OPC raises concerns about this approach, as the assessment of the appropriateness of purpose may vary depending on context. While a list of factors outlined in section 12 is helpful, the OPC suggests that it should be non-exhaustive to allow for consideration of other relevant contextual factors. Furthermore, the OPC highlights that unlike PIPEDA, the CPPA is silent on an organizations purpose for processing personal information, which is required to be "explicitly specified." This could lead to overly broad and ambiguous purposes being identified by organizations. The OPC recommends section 13 of the CPPA to require that organizations collect, use and disclose personal information for the purposes that are specific and explicit.
Recommendation #4: Expand the list of violations qualifying for financial penalties to include, at a minimum, appropriate purposes violations.
Bill C-27 creates a list of violations eligible for administrative monetary penalties ("AMPs") that currently do not exist under PIPEDA. The OPC believes that a breach of section 12, which requires organizations to only collect, use and disclose personal information in a manner and for purposes that a reasonable person would consider appropriate in the circumstance, should be eligible for AMPs.
Recommendation #5: Provide a right to disposal of personal information even when a retention policy is in place.
Currently, the CPPA permits organizations to deny disposal of personal information if the information is scheduled to be disposed of according to a retention policy as long as the individual is informed of the remaining period for which the personal information will be retained.[3] The OPC is concerned that organizations with lengthy or inappropriate retention policies can deny disposal of personal information by just notifying an individual of the remaining retention period. The OPC, in various investigations, has found circumstances of organizations with excess or inappropriate retention periods. The OPC recommends a right to disposal of personal information regardless of whether an organization has a retention policy.
Recommendation #6: Create a culture of privacy by requiring organizations to build privacy into the design of products and services and to conduct privacy impact assessments for high-risk initiatives.
The OPC recommends privacy by design should be included in accountability provisions of the CPPA. The CPPA should explicitly require organizations to apply privacy by design into the design of products and services. Further, the accountability provisions of the CPPA should also require organizations to conduct privacy impact assessments (PIAs) on higher-risk activities.
Recommendation #7: Strengthen the framework for de-identified and anonymized information.
The OPC supports the new framework for de-identification and anonymization in Bill C-27 but believes there is a need for stronger protections. The OPC recommends explicit language in section 74 of the CPPA be included to require organizations to account for the risk of re-identification when applying de-identification measures. As anonymized information would fall out of the scope of the CPPA, the OPC believes that the threshold for anonymizing personal information should be high to prevent inadequate practices and the reference to "generally accepted best practices" in the definition of anonymized should be removed.
Recommendation #8: Require organizations to explain, on request, all predictions, recommendations, decisions and profiling made using automated decision systems.
The OPC supports the new obligations on organizations using automated decision-making (ADM) systems but raises concerns about their limited scope. As drafted, section 63(3) of Bill C-27 limits the general accountability of the use of any ADM systems that make predictions, recommendations, or decisions to only ADM systems that could have a "significant impact" on individuals. This would limit algorithmic transparency requirements of ADM systems, and for example, would not apply to online advertising, personalized news feeds and other digital environments. The OPC recommends removing the qualifier "significant impact."
Further, the OPC recommends ADM systems that profile individuals should be expressly set out in the draft legislation similar to other jurisdictions such as Quebec, the European Union and California.
Recommendation #9: Limit the government's ability to make exceptions to the law by way of regulations.
Currently, the CPPA includes provisions allowing the collection and use of personal information without the knowledge or consent of individuals for defined business activities, provided that the business activities do not influence an individual's behavior or decisions. The Governor in Council can add any other activities through regulation. The OPC points out that the CPPA lacks the requirement that prescribed business activities also be necessary to achieve a specific purpose.[4] This could potentially lead to activities being added by regulations that are too broad. Another area of concern for the OPC is that the Governor General has the authority to make regulations specifying activities that would be excluded from the CPPA.[5] The OPC believes if a collection or use is exempt that an organization should remain subject to the other obligations under the CPPA.
Recommendation #10: Provide that the exception for disclosure of personal information without consent for research purposes only applies to scholarly research.
It is the OPC's position that the disclosure of personal information outside an organization without knowledge or consent, in certain circumstances, when the disclosure is for statistics, study or research purposes is too broad.[6] Unlike other jurisdictions such as Quebec, there are no additional safeguards such as the requirement of PIA before a disclosure for research without consent. Reintroducing the qualifier "scholarly" before "study" as was included in Bill-C11 would narrow the exception to consent; otherwise, the provision "study" could be interpreted very broadly to include commercial research.
Recommendation #11: Allow individuals to use authorized representatives to help advance their privacy rights.
Bill C-11 explicitly allowed individuals to authorize any other person, in writing, to be their representative. This has been removed in Bill C-27. The OPC recommends reinserting this section to ensure clarity and avoid introducing potential new barriers limiting individuals to exercise their rights.[7]
Recommendation #12: Provide greater flexibility in the use of voluntary compliance agreements to help resolve matters without the need for more adversarial processes.
In the OPC's opinion, the use of compliance agreements under the CPPA is more restrictive than PIPEDA as compliance agreements can only be used "in the course of an investigation."[8] This would result in a compliance agreement no longer being available as an enforcement tool in situations such as an inquiry or in response outside of an investigation. The limitation on compliance agreements would reduce the OPC's flexibility and may lead to lengthy and expensive proceedings. Additionally, the enforcement of compliance agreements is also delayed under the CPPA. Currently, if the OPC believes an organization is not complying with a compliance agreement, it can immediately apply to the court for an order requiring an organization to comply with a compliance agreement. Under the proposed CPPA, this can only occur once the OPC has conducted an inquiry. Further, the CPPA should clarify that payments of AMPs and all other negotiated measures are possible terms within a compliance agreement.
Recommendation #13: Make the complaints process more expeditious and economical by streamlining the review of the Commissioner's decisions.
The OPC suggests that the current review process proposed under the CPPA may be time-consuming and costly. To streamline the process, the OPC recommends that the Personal Information and Data Protection Tribunal decisions be judicially reviewable directly by the Federal Court of Appeal instead of the Federal Court. Another option could involve granting the OPC the authority to issue AMPs, and having reviews of the OPC's decisions conducted by the Federal Court instead of the Tribunal
Recommendation #14: Amend timelines to ensure that the privacy protection regime is accessible and effective.
The OPC highlights three timeline issues in the CPPA :
1) Breach Reporting: The OPC recommends that both organizations and service providers should report a privacy breach to the OPC without unreasonable delay, not no more than seven calendar days after the organization or service provider becomes aware of the breach. [9]
2) Return of Records: Currently section 99(2) requires the OPC to return any record or thing an organization provided as part of an investigation, inquiry or audit within 10 days upon request. The OPC recommends records be returned on completion of the investigation, inquiry or audit.[10]
3) Prosecution Summary Offences: In addition to large fines, section 128 of the CPPA sets out offences punishable either as a summary conviction offence or as indictable offence such as for contravening breach reporting requirements, failing to retain person information that is subject to an access request or re-identifying an individual from de-identified information. Indictable offences have no limitation period. However, in the case of summary conviction offences the Criminal Code of Canada imposes a 12-month limitation period. Currently, the prosecutor and defendants would need to agree to an extension. The current limitation period for summary convictions should allow for an extension of the limitation period as prosecution usually occurs well into or after an OPC investigation.
Recommendation #15: Expand the Commissioner's ability to collaborate with domestic organizations in order to ensure greater coordination and efficiencies in dealing with matters raising privacy issues.
The CPPA provides the OPC the ability to collaborate internationally but limits collaboration with domestic authorities. The OPC recommends expanding the ability for collaboration to include regulators such as the new AI and Data Commissioner.[11]
The Standing Committee is scheduled to commence study of Bill C-27 in the coming fall. It will be interesting to see how or whether the Standing Committee will address the OPC's recommendations and the subsequent changes that are implemented. One area to closely monitor is the treatment of de-identified and anonymized data. The OPC is recommending a more stringent threshold of no real risk of re-identification for anonymized while businesses are advocating for a standard of no reasonably foreseeable risk of re-identification. A standard of no reasonable foreseeable risk to re-identification would better align with new privacy laws in Quebec. Stay tuned for further developments.
[1] https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_indu_c27_2304/
[2] https://www.priv.gc.ca/en/opc-news/speeches/2023/sp-d_20230525/
[3] Section 55(2)(f) CPPA
[4] Section 18(2) CPPA
[5] Section 122(1) CPPA
[6] Section 35 CPPA
[7] Section 4 CPPA
[8] Section 87 CPPA
[9] Sections 58 and 61 CPPA
[10] Section 99(2) of CPPA
[11] Sections 118 and 119 of CPPA
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.