The Canadian government yesterday introduced the Consumer Privacy Protection Act (technically Bill C-11, the Digital Charter Implementation Act), which represents a dramatic change in how Canada will enforce privacy law. I quickly posted a summary of some of the key provisions yesterday, noting the need for careful study. That post focused on six issues: the new privacy law structure, stronger enforcement, new privacy rights on data portability and algorithmic transparency, standards of consent, bringing back PIPEDA privacy requirements, and codes of practice. This post raises ten questions that will likely emerge as pressure points with stakeholders on both sides raising concerns about their implications.
1. Are the business exceptions too broad?
The CPPA features many exceptions to the general principle of mandating consent for the collection, use and disclosure of personal information. Of particular concern is Section 18, which covers “business activities”. The provision states:
An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2) and
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
In other words, no knowledge or consent is required for certain data collection categorized as business activities. What is covered? While most of subsection (2) is devoted to network security, safety or delivery of a service, (2)(e) covers:
an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual
It is one thing to cover direct activities arising out of a relationship between an individual and a commercial organization. But to cover activities with no direct relationship? That would seemingly invite all sorts of problems, not the least of which is online tracking activities where the bill would potentially remove the need for knowledge or consent.
The concerns about exceptions do not end there given lingering concerns about how existing exceptions have been used by law enforcement and some companies with respect to personal information. This will be a big issue for both business and privacy groups.
2. Do the de-identification provisions undermine the bill?
The Public Interest Advocacy Centre was out quickly with tough criticism of the bill, arguing that the de-identification provisions hollow out consumer privacy and that the bill should be withdrawn. At issue are provisions that provide an express right to use personal information without an individual’s knowledge or consent to de-identify the information. De-identified information plays an important role in a data economy, but many individuals simply do not want their data used, whether identifiable or not. The balance the bill seeks to strike is to create some limitations on de-identification and to feature very tough penalties should organizations re-identify the de-identified data. This represents a major tension between modern data-based commercial activities and privacy safeguards that will no doubt be the subject of much debate in the coming months.
3. Are complainants stuck if the Privacy Commissioner refuses to conduct an inquiry into a complaint?
The bill contains several provisions establishing rules for complaints, investigations by the Privacy Commissioner, appeals, and potential reviews by the new Personal Information and Data Protection Tribunal. There is a potential concern that complainants may find themselves largely shut out of the process should the Privacy Commissioner decline to conduct an inquiry. Section 88(1) says that the Commissioner may conduct an inquiry after investigating a complaint. The permissive approach suggests that the Commissioner is not required to conduct an inquiry for all complaints. While that makes sense – some complaints may not be worthy of an inquiry that requires a decision and findings – there still should be an avenue of appeal for complainants to the Tribunal. At the moment, the right of appeal in section 100 is limited to findings, orders or decisions, meaning that declining to investigate leaves complainants with no recourse other than judicial review.
4. Is the Tribunal going to be a problem for effective privacy protection?
The Tribunal will play a significant role in privacy enforcement under the new law, conducting reviews of Privacy Commissioner decisions with the power to increase or decrease potential penalties. In fact, the Tribunal could replace the Privacy Commissioner’s order with its own order. This additional administrative layer is enormously powerful in the Canadian privacy law framework. There is considerable uncertainty about who will be on the Tribunal, how it will conduct hearings, how long the process will take, and a myriad of other issues. Further, Tribunal decisions will still be subject to judicial review, suggesting that the process will add considerable time to the privacy complaint process.
There are some obvious immediate fixes that might address some of the uncertainty concerns. For example, the legislation requires that only one of the three to six Tribunal members have information and privacy law experience. That is a very low bar, particularly when compared to other similar tribunals where most members arrive with expertise. Indeed, the value of a specialized tribunal is the subject matter expertise and the potential lack of experts on the privacy tribunal is a source of concern.
5. Does the bill go far enough?
Privacy legislation always involves some measure of balance, particularly federal legislation that must be constitutionally grounded in commercial activities. Once hearings begin on the bill, it is likely that many will argue that the bill misses the mark in how it strikes the balance. Business groups will argue – as they have in the past – that there are significant costs and new compliance uncertainty with a law that is broadly applicable to all commercial organizations. Further, the private right of action is sure to face opposition, much as it did with Canada’s anti-spam legislation.
Meanwhile, privacy groups will lament the missed opportunities to bring political parties into the scope of Canadian privacy law, toughen consent provisions, address the right to be forgotten, add data localization rules, and expand protections against data misuse.
Beyond the specific provisions, there is the purpose of the law itself. While the government has added references to cross-border data dimensions, the law remains a commercial privacy law (as noted, arguably for constitutional reasons). Yet the Privacy Commissioner of Canada has called for a human rights centered approach that is absent from the bill.
6. Is the international scope going to withstand inevitable opposition?
The CPPA takes an expansive approach with respect to its global applicability. Section 6(2)(a) states:
For greater certainty, this Act applies in respect of personal information
(a) that is collected, used or disclosed interprovincially or internationally by an organization;
The international applicability makes sense in a globalized environment, but will likely face opposition from some groups who argue that it represents over-reach.
7. Will business oppose greater transparency on cross-border data flows?
The CPPA provides more specificity on what is required to meet openness and transparency requirements. While much of the attention will focus on the use of automated decision systems, there is another provision that emphasizes cross-border data transfers:
In fulfilling its obligation under subsection (1), an organization must make the following information available:
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
Those disclosures seem fair, but the business community may not agree. The Privacy Commissioner’s consultation on cross-border transfers was very controversial. While much of the concern focused on consent requirements, even the increased disclosure requirements may generate opposition.
8. Will SMEs support the bill?
The CPPA applies to all commercial organizations, no matter how big or small. That has been the case for Canadian privacy law for two decades, but the more explicit requirements could lead to claims that the regulatory costs are too burdensome. For example, Section 9(1) explicitly requires a privacy management program:
9 (1) Every organization must implement a privacy management program that includes the organization’s policies, practices and procedures put in place to fulfil its obligations under this Act, including policies, practices and procedures respecting
(a) the protection of personal information;
(b) how requests for information and complaints are received and dealt with;
(c) the training and information provided to the organization’s staff respecting its policies, practices and procedures; and
(d) the development of materials to explain the organization’s policies and procedures put in place to fulfil its obligations under this Act.
While this is not new – theoretically all organizations were required to do this under the Accountability principle – the explicit inclusion of these requirements may garner attention.
9. Are plain language policy requirements anything new?
The government emphasized that the bill requires “plain language” disclosures for the purposes of obtaining consent. While this is the first time that requirement is found in the legislation, privacy commissioners have emphasized plain language policies for many years. Moreover, whether plain language or lengthy, dense legalese, few bother to read the policies. Far more important are strict provisions around personal information use, penalties for misuse, and an effective enforcement system.
10. Does the legislation leave too much to regulations?
The CPPA introduces several new privacy rights but leaves many of the details to future regulations. These include the new data portability right, the rules on codes of conduct, business activity exceptions, what information is subject to the publicly available information exception, and what records must be kept in case of a security breach. Given the problems with regulations under the anti-spam legislation (which delayed the law by many years) and the security breach disclosure rules, leaving some key issues to later regulations could delay implementation of new rights by many years.