Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh
The Canadian government yesterday introduced the Consumer Privacy Protection Act (technically Bill C-11, the Digital Charter Implementation Act), which represents a dramatic change in how Canada will enforce privacy law. I quickly posted a summary of the some of the key provisions yesterday, noting the need for careful study. That post focused on six issues: the new privacy law structure, stronger enforcement, new privacy rights on data portability and algorithmic transparency, standards of consent, bringing back PIPEDA privacy requirements, and codes of practice. This post raises ten questions that will likely emerge as pressure points with stakeholders on both sides raising concerns about their implications.
Canada’s GDPR Moment: Why the Consumer Privacy Protection Act is Canada’s Biggest Privacy Overhaul in Decades
Canada’s privacy sector privacy law was born in the late 1990s at a time when e-commerce was largely a curiosity and companies such as Facebook did not exist. For years, the privacy community has argued that Canada’s law was no longer fit for purpose and that a major overhaul was needed. The pace of reform has been frustrating slow, but today Innovation, Science and Industry Minister Navdeep Bains introduced the Consumer Privacy Protection Act (technically Bill C-11, the Digital Charter Implementation Act), which represents a dramatic change in how Canada will enforce privacy law. The bill repeals the privacy provisions of the current Personal Information Protection and Electronic Documents Act (PIPEDA) and will require considerable study to fully understand the implications of the new rules.
This post covers six of the biggest issues in the bill: the new privacy law structure, stronger enforcement, new privacy rights on data portability, de-identification, and algorithmic transparency, standards of consent, bringing back PIPEDA privacy requirements, and codes of practice. These represent significant reforms that attempt to modernize Canadian law, though some issues addressed elsewhere such as the right to be forgotten are left for another day. Given the changes – particularly on new enforcement and rights – there will undoubtedly be considerable lobbying on the bill with efforts to water down some of the provisions. Moreover, some of the new rules require accompanying regulations, which, if the battle over anti-spam laws are a model, could take years to finalize after lengthy consultations and (more) lobbying.
Facial recognition technologies seem likely to become an increasingly commonplace part of travel with scans for boarding passes, security clearance, customs review, and baggage pickup just some of the spots where your face could become the source of screening. Tamir Israel, staff lawyer at CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa, recently completed a major study on the use of facial recognition technologies at the border. He joins me on the LawBytes podcast to discuss the current use of the technologies, how they are likely to become even more ubiquitous in the future, and the state of Canadian law to ensure appropriate safeguards and privacy protections.
As the second wave of COVID-19 seems to have arrived in many countries, the importance of measures such as social distancing, masks, testing, and tracing takes on increased importance. In Canada, the COVID Alert App is another important part of that toolkit. The app has been downloaded more than 4.5 million times and has been used to alert users to a potential exposure to the virus nearly 1,700 times. Despite the potential benefits, there remain many skeptics. Ann Cavoukian, a three-time Ontario privacy commissioner and one of Canada’s best known privacy experts, joins the LawBytes podcast this week to talk about the exposure notification and how it addresses potential privacy concerns.
Earlier this summer, I posted on why I installed the COVID Alert App, the national exposure notification app designed to provide Canadians with an alert if they may have been exposed to COVID-19. The post discusses the privacy safeguards that have been built into the app, the reviews from both the federal and Ontario provincial privacy commissioners, and points to previous Lawbytes podcasts (Edwards, Clayton, Kosseim) that discuss the use of technology to help counter the spread of the virus. While there were some concerns (notably the ongoing concerns with social inequities), I concluded that the safeguards combined with the public health benefits were enough to justify installation (Apple, Android).