Why Canada May Lose Adequacy with the EU

Bill C-27 has gone through a rushed Second Reading and been passed to the INDU Committee https://www.ourcommons.ca/Committees/en/INDU/StudyActivity?studyActivityId=12157763 to conduct public consultation and make recommended changes to the Bill.

The Bill deals with 3 separate but connected laws:
1. An Act to enact the Consumer Privacy Protection Act (CPPA), which is intended to update PIPEDA, passed in 1999 (think about the changes in computers and technology involving personal information since then!);

2. the Personal Information and Data Protection Tribunal Act (PIDPTA), a very convoluted enforcement structure that is likely to take 7 1/2+ years to enforce if all appeals are exhausted (we know Meta will do that, as 7 1/2 years of additional revenues and profits amount to a lot more than they are likely to be fined); and

3. the Artificial Intelligence and Data Act (AIDA), Canada’s weak attempt to be one of the first AI Data Acts in the world. It seems the quality of the Act matters less than the public sound bite it can generate. Many in the Privacy and Data Protection world believe this may have been “tacked on” to Bill C-27 to create urgency and divert attention from the rest of the weak efforts of Bill C-27. AIDA’s role in Bill C-27 is to create urgency to drive the Bill through Parliament without the usual scrutiny from the opposition parties.

The Office of the Privacy Commissioner made 15 recommendations in their submission to the INDU Committee regarding Bill C-27. They are:

Recommendation #1: Recognize privacy as a fundamental right.
This is a biggie. It seems this government believes granting fundamental data protection will “interfere with innovation”, which is one of their key drivers. They are throwing a ton of money at it, but is it making a difference? Many experts like Dr. Min Basadur say no (listen to our interview in early July 2023).

One of the key things the marketplace needs in order to ensure investment in effective innovation is CERTAINTY. Right now, under an unenforced PIPEDA and this proposed Bill C-27, there is no certainty in the markets. Is innovation merely a way to get grants and interest-free loans from the government, primarily for the large institutions that the Liberals count on for their precious fundraising efforts?

At a time when the GDPR is trying to ensure protection for EU Data Subjects by declaring privacy a fundamental right and challenging the business community on their egregious behaviour over the past 25 years, Canada stops short of declaring privacy a fundamental right. This alone should almost surely end our current status of “partial adequacy” with the EU. Do not be surprised when it is removed, leaving us scrambling to join the new Data Privacy Framework between the EU and the US in order to continue to transfer PII between Canada and the EU.

Given the chance to truly update PIPEDA, to protect Canadians’ data online with a well-enforced data protection law, and to set practical ground rules for Artificial Intelligence (AI), Bill C-27 at best deserves a D- on the report card. It will include a lot of new obligations for all businesses while doing little to protect Canadians’ personal information online.

Recommendation #2: Protect children’s privacy and the best interests of the child.
One of the areas even the US is putting its shoulder into is the protection of children online. We believe it will be a priority for the Commission d’accès à l’information (CAI) when they start enforcing Law 25 this September 22, 2023. This new law sets the tone for real protection of personal information in Canada. All organizations that maintain a national database fall into scope, as 22.5% of Canada’s population resides in Quebec. There are many new obligations for all types of businesses of all sizes, including requiring meaningful consent to use personal information for specific purposes. Bereskin and Parr stated: “The amendments under Law 25 coming into effect September 2023 will require organizations to develop a detailed policy and practices plan, privacy impact assessments (PIAs), and prepare for new requirements regarding cross-border transfers, consent, outsourcing, retention and destruction, transparency, and increased penalties.”

And those are just the high-level obligations.

Recommendation #3: Limit organizations’ collection, use and disclosure of personal information to specific and explicit purposes that take into account the relevant context.
In the past 25 years the business community has taken the stance that what they collect is theirs to use as they wish. It seems we collectively forgot (with Meta and Google taking the lead and the rest of us blindly following) that there was an individual at the other end of that data. The new data protection and privacy laws like the GDPR, CPRA and Quebec’s Law 25 are restoring order and giving the individual a say in what can and cannot be done, and under what circumstances. Organizations must now tread carefully, always seeking specific consents and only collecting information that is truly useful to them. Consent Management Platforms are a must in order to manage this huge process cost-effectively. No more catch-all statements like “in order to serve you better”.

Recommendation #4: Expand the list of violations qualifying for financial penalties to include, at a minimum, appropriate purposes violations.

Bill C-27 does little to protect Canadians online. It states that consent is required and then goes on to list 33 exceptions that basically allow companies like Meta to keep doing most of what they do today.

More importantly, it limits which parts of the law are enforceable using Administrative Monetary Penalties (AMPs), so while an obligation may be in the law, there are no repercussions for organizations that ignore it. As we have seen from PIPEDA: no repercussions = no meaningful action by organizations. So if Bill C-27 is meant to change business practices, it is destined to fall short.

Recommendation #5: Provide a right to disposal of personal information even when a retention policy is in place.

Again, Bill C-27 stops short of telling organizations what is and is not acceptable when dealing with individuals’ personal information. In my humble opinion, that is job #1 of a data protection and privacy law!

Technically, if a retention policy is in place it could trump an individual’s request to delete their data. Yet another example of this Bill, as written, not protecting individual Canadians’ rights. A good law would obligate organizations to delete personal information within a reasonable time of the person making the request. GDPR allows 30 days, with an allowance for another 30 days in certain situations. Written notice to the individual is required in order to qualify for the extension.

Recommendation #6: Create a culture of privacy by requiring organizations to build privacy into the design of products and services and to conduct privacy impact assessments for high-risk initiatives.

Again, this Bill does not go nearly far enough to undo the damage done over the past 25 years. The power must shift back to the individual. They must have a say in what is and is not OK regarding their PII. It really is simple: many people will give consent if they trust the organization with their PII. Most organizations are currently not trustworthy.

Privacy by Design was created here in Canada by Ann Cavoukian, our former Ontario Privacy Commissioner, and is embedded in the GDPR and several other data protection and privacy laws like Law 25. But our government stopped short in order to not place an “excessive burden on businesses”. If all organizations simply followed Privacy by Design principles, we would likely not require Bill C-27!

Recommendation #7: Strengthen the framework for de-identified and anonymized information.

This is an area where businesses could use various methods of de-identification, proportionate to the risk to the individual. This allows businesses to aggregate this kind of data into Business Intelligence so they can act upon it without the risk of personal harm to the individual. This is a legitimate area in which ISED could have acted in favour of all parties. Just be clear and consistent in defining these activities and enforcing them over the next few years.

Recommendation #8: Require organizations to explain, on request, all predictions, recommendations, decisions and profiling made using automated decision systems.

More and more, decisions like credit ratings, mortgage confirmations and other significant “business decisions” are being made with no human intervention. Once again, proportionality should be considered. Life-changing decisions should be led by humans, with automation supporting their efforts. The algorithms that drive these decisions have built-in biases and are not always accurate or fair. These new data protection and privacy laws are holding these organizations accountable and forcing them to be more transparent about their processes and about the individual’s rights to appeal or correct errors that might tilt the decision. It is not clear in the current wording whether profiling would be considered automated decision making. This will cause chaos in the marketplace.

Recommendation #9: Limit the government’s ability to make exceptions to the law by way of regulations.
Bill C-27 and its 3 Acts are only half written, granting the government or its representatives the power to update regulations at will. This will hack away at the confidence of the marketplace, which never knows which shoe will drop when. It is hard to set up new practices without clear ground rules. This approach does not create certainty for organizations operating in Canada.

The way it is written now, a company can make its statement of purpose something like “to improve our service” and get away with doing whatever it thinks can improve its service. This is, at best, thinking rooted in the 1990s.

Recommendation #10: Provide that the exception for disclosure of personal information without consent for research purposes only applies to scholarly research.
Again, Acts like Law 25 define this clearly. Bill C-27 leaves it open to interpretation such that an organization could “comply” with the wording of the law while trampling on the spirit of it. PIPEDA and Law 25 both use the term “scholarly study”, which narrows the kind of research that can be done without explicit consent.

Recommendation #11: Allow individuals to use authorized representatives to help advance their privacy rights.

This is an easy one. For many reasons, some individuals are unable to protect their own privacy rights. With proper written permission, they should be able to appoint a representative to assist them.

Recommendation #12: Provide greater flexibility in the use of voluntary compliance agreements to help resolve matters without the need for more adversarial processes.
Bill C-27 restricts the Commissioner’s ability to order compliance agreements, slowing the process and placing unnecessary burdens on the OPC instead of on the organization being investigated. This Bill must speed up enforcement procedures rather than impede them.

Recommendation #13: Make the complaints process more expeditious and economical by streamlining the review of the Commissioner’s decisions.

As proposed, an organization can drag out a decision by the Office of the Privacy Commissioner (investigator) and the Data Protection Tribunal in the courts. While an appeal process is fair to all parties, this process can be significantly streamlined to reduce costs and time.

Recommendation #14: Amend timelines to ensure that the privacy protection regime is accessible and effective.
There are at least 3 mandatory timelines that can be tightened to help protect Canadians’ personal information:
1. Breach Reporting – it currently asks for reporting to the OPC “as soon as feasible after the organization determines that the breach has occurred” rather than within 7 days after becoming aware of the breach;
2. Return of Records – the current language allows a strict timeline of “10 days upon request”, which in the OPC’s experience is far too limited, making it more difficult for the OPC to investigate; and
3. Prosecution of Summary Offences – records should not be returned until the proceedings have been concluded.

Recommendation #15: Expand the Commissioner’s ability to collaborate with domestic organizations in order to ensure greater coordination and efficiencies in dealing with matters raising privacy issues.

The OPC should have expanded powers of collaboration with other domestic and international bodies. Bill C-27 narrows their options instead of expanding them.

Based on this government’s track record of truly listening to and acting on the recommendations of the experts in the space, I would suggest we will see few of these recommendations incorporated into the laws that finally get passed. Without these recommended changes, chances are good the EU will see Canada taking a huge step backwards regarding privacy and data protection, and we will likely lose our “partial adequacy” status.

For a copy of the OPC’s submission to the INDU Committee

It is interesting to note that the Second Reading was voted on April 24, 2023 and to date (July 21, 2023) there have been no meetings of the INDU Committee to address it.
