Breaking News

Is Canada's Privacy Law Reform Dead?





Since the House of Commons has been adjourned for the summer break, political journalists have been predicting that the current parliament will be dissolved for the election. If so, one of the casualties would be the much-needed reform of the privacy law covering the private sector.

Although it was introduced eight months ago, for some reason the Liberal government hasn't made its proposed Consumer Privacy Protection Act (CPPA, also known as Bill C-11) into its top business orders. The C-11 has been stuck in a second reading since it was introduced last November.

It did not help that significant parts of the act are not supported by Privacy Commissioner Daniel Therian.

But changing the existing Personal Information Protection and Electronic Documents Act (PIPEDA) is necessary to bring it in line with the European Union General Data Protection Regulation (GDPR), which came into force in May 2018. Any Canadian company that holds personal information on the EU. Residents have to provide protection roughly equivalent to GDPR. In introducing the law, the government stressed that the EU has made it clear that Canada must update PIPEDA.

The route to C-11 is being led by Innovation Minister François-Philippe Champagne. In a statement to IT World Canada, his department said, "Passing Bill C-11 has been and will continue to be a priority for the Government of Canada. The House of Commons and Senate will proceed to committee studies on the Government Bill. Looking forward to hearing the views of all stakeholders.

However, if the House is dissolved all bills lapse, and the CPPA will not be studied until the Information, Privacy and Ethics Committee.

What the committee would hear was previewed in May when Therian testified on the proposed federal budget, and took the opportunity to comment on C-11. "In its current state," he said, "the bill would represent a step back towards privacy protections as a whole."

In a longer and more detailed written explanation submitted to the committee the next day, Therian explained why: "Provisions giving individuals more control give them less; as given to organizations using personal information without consent. The added flexibility does not come with the additional accountability that would be expected; because administrative penalties will not apply to the most frequent and significant violations that are relevant to consent and are exceptions to consent; and because my office has to prioritize those activities. would not have the necessary tools to manage their workloads that are most effective in protecting Canadians."

One of their major concerns is that the bill says businesses can collect or use a person's personal information in certain circumstances without their knowledge or consent.

Another is that the bill does not explicitly state that Canadian residents have a right to privacy.

"Bill C-11 states that confidentiality and commercial interests are competing interests that must be balanced," the brief states. "Indeed, the bill arguably gives more weight to commercial interests than the current law, adding new commercial factors to consider in balance, any reference to the lessons of the last twenty years on the dissolution of rights to technology." without connecting."

Therian's office made no less than 52 recommended changes to the wording of the bill.

Given that lack of support, it is little surprise that the Liberals did not opt ​​out of the second reading, let alone send it to the Privacy Committee.

The Conservative Party's interest in the law is questionable. IT World Canada asked two-time privacy committee chairman Chris Warkentin for comment on the bill and did not receive a response.

Meanwhile, tired of waiting for Ottawa to act, Ontario is well on its way to having its private sector privacy law approved, and Quebec is in the midst of updating its privacy law.

Bill is 'awful'
Some privacy experts don't see any major damage if the C-11 goes missing.

“The C-11 is terrible and expect the order to die on paper – it is a mess,” emailed Ann Cavockian, former Ontario privacy commissioner.

Chris Klein, a member of the Ottawa boutique privacy law firm Ennovation & Managing, said, "I think it's safe to say that the privacy profession in Canada is disappointed by the lack of progress in passing Bill C-11, let alone committee." " Director of the Canadian wing of the International Association of Privacy Professionals. “There are a number of important issues that need to be debated, many of which were raised by the Privacy Commissioner a few weeks ago. There is an imminent review by our European partners to evaluate the adequacy of our privacy regime in Canada.

"I think the entire Canadian privacy profession has been left scratching its head at the lack of political will expressed by our politicians," Klein said. “This is disappointing. The decline will prove interesting though. If Quebec moves forward (as the rumors are suggesting) and passes its new modern privacy law, the Fed will be under more pressure to keep up. In addition, the Ontario consultation [on their proposed provincial privacy law] expires on August 3, so it's conceivable that we also get agitation by the [Ontario] government - which will undoubtedly put more pressure on the Fed.

It shouldn't have been like this.

based on digital charter
The CPPA is based on principles announced in the Liberal Digital Charter in May 2019 and a placard in the Liberals' October 2020 election campaign.

The C-11 (which, like PIPEDA, would apply to banks, telecommunications companies and transport as well as businesses in provinces that do not have their own private sector privacy laws) was introduced by the then innovation minister Navdeep Bains. He said it would "give Canadians more control and more transparency in the way companies handle their information." It will do so by introducing key rules for consent, right to delete information, data mobility and algorithmic transparency.

Commercial firms "will need to obtain meaningful consent from Canadians. This means individuals will get specific information in simple, plain language, not a 30-page legal document that no one reads. This, in turn, allows individuals to access their own information." will allow us to make meaningful choices about the use of personal information."

Companies need to be transparent about how they use personal information. Firms have to acknowledge their use of automated systems such as artificial intelligence to make important decisions or predictions about someone. Individuals shall have the right to an explanation of the prediction or decision made by these systems.

“There will be clear, meaningful punishments for violations of the law and rules that support these principles so that Canadians can rest assured that their privacy will be protected.

The Office of the Privacy Commissioner shall have the power to make comprehensive orders, including the power to compel any organization to collect or use information and delete it.

The Privacy Commissioner will have the power to recommend an administrative penalty of $10 million, or three percent of global revenue, whichever is greater, to a new personal information and data protection tribunal. The threshold for serious criminal offenses will also be expanded, with a new maximum fine of up to $25 million, or five percent of global revenue, whichever is higher. The final decision of the Tribunal will be taken.

When Bains finished, he reported that Goldie Haider, the president and CEO of the Business Council of Canada, "spoke positively" about the bill. He also quoted Michael Geist, a professor of Internet law at the University of Ottawa, as calling the bill "Canada's biggest privacy overhaul in decades."

lack of support
Actually this is a big change. But is it supported?

Within a few days of the implementation of this law, along with the objection, there was praise as well. Former Ontario Privacy Commissioner Ann Cavokian said she was "very disappointed" and "surprised" that the CPPA does not force organizations to use the principles of privacy by design to protect personal data, as specified in the GDPR. . is. Bains' spokesperson responded that the bill is based on the 10 privacy principles that are at the core of PIPEDA and "align and reflect the concepts at the heart of privacy by design."

Cavosian, who is now head of global privacy and security by the Design Center in Toronto, was also "shocked" that the privacy commissioner could not directly impose fines, but had to go through the tribunal.

Teresa Skasa, University of Ottawa law professor and Canada Research Chair in Information Law and Policy, said she was "very upset" that the CPPA does not comply with the GDPR's clear rules that govern personal data sent to a country for processing. control the. Forces firms to ensure proper safeguards.

A week later, Skasa predicted during a webinar that there would be "a lot of pushback" from the private sector. Geist and privacy attorney Alex Cameron of Fasken Law Firm wasn't optimistic that the C-11 would pass at all.

Then on March 25 this year, Therian issued his first public comment on the proposed act. "The government has set out key objectives for the bill, which include increasing consumers' control over their data, enabling responsible innovation and establishing quick and effective measures, including the potential to impose significant financial penalties," he said. "I support these objectives. Unfortunately, my analysis of the bill's provisions leads me to the conclusion that they will not be achieved," he told the Quebec-based consumer group webinar.

Among his complaints:

- The creation of tribunals would delay decisions and encourage businesses to initiate appeals;

- Some proposed exceptions are too broad or mis-defined for businesses to obtain consent from consumers to use their personal data;

-The new flexibility given to companies is not matched by increased accountability;

- While the bill states that it aims to establish rules to govern the protection of personal information "in a manner that recognizes individuals' right to privacy," it does not recognize privacy as a human right is.

The future of the bill is still in question. If the Liberals decide not to call elections and send Committee C-11, how willing will they be to adopt amendments that significantly change the Act? There can be no alternative to this in a minority parliament. If there is an election and the liberals win in the minority, will they make the C-11 more palatable? Will they stand if they get a majority? What if the Conservatives or the NDP win?

No comments