Canada’s Bill C-11 proposes the creation of a new Consumer Privacy Protection Act and a Personal Information and Data Protection Tribunal Act to replace the 20-year-old Personal Information Protection and Electronic Documents Act (PIPEDA). The bill describes itself as implementing the federal government’s Digital Charter, a set of principles designed to guide federal digital and data policy.
The first thing to note about Bill C-11 is that it transforms the awkward, cobbled-together drafting of PIPEDA into a much better organized and smartly drafted legislative text. Not only does this improve the general accessibility of the law, it also marks a level of maturity for data protection in Canada. PIPEDA was a set of legal rules grafted onto the Canadian Standards Association Model Code for the Protection of Personal Information. Legislation to protect personal data collected by the private sector was a hard sell in 2000, when it was introduced largely to help build consumer confidence around new online commerce. The adoption of the Model Code as the normative heart of the law was a compromise, as was the soft-touch oversight and enforcement model in which the privacy commissioner lacks order-making power.
Massive data security breaches are becoming routine. There are rising questions about the rights of individuals to know how their personal information is being used, to understand how it impacts them, and to have recourse against abuse.
Bill C-11 introduces new provisions that aim to tackle these challenges. The bill will require organizations to provide upfront a “general account” of their use of “any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” (s. 62(1)(c)) The individual right of access to one’s personal information will also include a right to an explanation of any prediction, recommendation or decision made using an automated decision system. (s. 63(3)) There is also a kind of “right to erasure” – the right of individuals to ask organizations to delete the personal information they hold about them.
Bill C-11 also enables the creation of frameworks for “data portability” stemming from a new right expressed in the GDPR. As part of the rights of individuals to control their personal data, the idea is that they can “port” their data from one service provider to another. In practice, this is more complicated than it looks. The Canadian approach in C-11 is to enable data portability between companies in a particular sector or industry. Once data standards, safeguards and appropriate infrastructure are in place, individuals will be able to port data from one provider to another within the secure framework.
Another interesting exception will allow organizations to first de-identify (anonymize) personal information in their possession without the individual’s knowledge or consent, and then to use that information for internal research and development purposes. These provisions may prove more challenging to apply than anticipated, since it is not clear how such data could meet the definition of de-identified information if the organization also retains the data in identifiable form.
De-identified data can also be disclosed by an organization without knowledge or consent where it is for a “socially beneficial purpose,” which is a purpose “related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.” (s. 39)
New order-making powers and a new data tribunal that will be able to impose substantial fines for the breach of certain obligations are both welcome, although the Data Tribunal has raised some eyebrows. There are concerns it may add time and complexity to processes, and its impact will very much depend upon its composition. There is also a private right of action for individuals who have exhausted all recourse under the proposed Consumer Privacy Protection Act.
This long-awaited bill is more than just an update of PIPEDA; it is a reset – and a very interesting one. There is much to study, and there will no doubt be stakeholder disagreement over the scope and wording of a number of provisions. But this is a major and credible attempt to bring Canadian private sector data protection into step with the digital and data society.