So (/checks calendar) 4 weeks ago now, on November 17, the Federal Government (well the Minister of Innovation, Science and Economic Development Canada) introduced Bill C-11, aka An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, aka the Digital Charter Implementation Act, 2020. Yes it is all of those things. The biggest upgrade of Canadian privacy law ever! ANWAY, as I no longer have the excuse that I am busy teaching I better finally write about it. Oh crap, I just realized today at 3 P.M. my students’ final essays are due and I will have to start grading. Better get to this post!
Maybe I was also procrastinating because all of my much smarter colleagues have already written about it and told you what’s in it – Michael Geist, Éloïse Gratton, Barry Sookman, the gang at McCarthy Tétrault, the gang at Fasken, etc., etc. You don’t need me to probably inaccurately tell you what’s in it when you have those people to do it right. But telling you what’s not in it? I am sure I can get that right!
Before we get into what’s not in the law, I guess I should do a quick rundown of what Bill C-11 actually does so we all know what I am talking about. First, it takes the “PIP” out of PIPEDA (the Personal Information Protection and Electronic Documents Act), leaving only the EDA part. Regular readers of mine will know how much I think PIPEDA sucks, so frankly this is good news to just start fresh. The PIP part of PIPEDA will now be covered by the all-new Consumer Privacy Protection Act (the “CPPA”, not to be confused with the CCPA, California’s privacy law, yeesh). In addition, the Bill creates the Personal Information and Data Protection Tribunal Act (the PIDPTA I guess?), which, like its name suggests, creates a new privacy tribunal. I volunteer to serve!
For the quick rundown of what’s actually in the new Acts, let’s go to the bullet points!
- The “10 Principles” of data protection (what companies are supposed to do, and can’t do) that had been in PIPEDA’s Schedule 1 are now integrated into the body of the CPPA (for the most part);
- Fixes the biggest flaw of PIPEDA, its lack of enforcement. The Privacy Commissioner will have the power to make actual, enforceable orders (“stop doing that bad thing!”) and will be able to recommend to the Data Protection Tribunal that significant fines be imposed (the Tribunal will be the one actually finally deciding on the fines) for non-compliance of the CPPA. And it’s like, a lot of money dude, up to $25,000,000 or 5% of the organization’s gross global revenue for certain violations. Whoa!
- In addition to imposing fines, individuals can also sue companies for violations of the CPPA, what we lawyers call a “private right of action”. I’ll come back to this point later;
- Adds some new privacy rights for individuals, including a right of data portability, sort of a “right to de-identification” of data, and a right to know if a company used any “automated decision system” on your personal information, and what that system does;
- The whole “you need my consent” to collect, use and disclose my personal information basis of PIPEDA remains, though there are numerous additional exceptions as to when consent is not required. I’ll come back to this too;
- Yada yada.
OK enough of that boring stuff, go read those other smarter people if you want details. Let’s get to the point of this post. What is not in the Bill, or more specifically the proposed CPPA, that could have been? That should have been? Let’s explain and editorialize!
Data protection by design and by default / Privacy by design
This principle is at the core of the GDPR, the European General Data Protection Regulation which in some ways (ok maybe all the ways) is considered the gold standard of privacy legislation. It is literally the title of its Article 25. It means that the overarching principle of the whole data collection and use process is that organizations must use appropriate measures to protect information, and only collect the minimal information for the purposes they need it for. “Privacy by design” means that an organization must have privacy as its guiding principle – it means they should be thinking about privacy long before data is collected.
Now, the new CPPA does have both a “protecting information” clause (section 57) and a “limiting collection, use and disclosure” clause (sections 13 and 14 combined). But these are far from the overarching principles. And in fact, the “limiting use” clause is subject to a significant exception. The organization that said it is only using your personal info for purpose X that they told you when they collected the info can then go ahead and use it for purpose Y if it is being used for certain business activities, and a “reasonable person” would think it was ok (see CPPA section 18). That is hardly a secure “privacy by design and default” principle.
In 2018, there was a big important government report called the “Report of the Standing Committee on Access to Information, Privacy and Ethics” (that we pros call the “ETHI Report”). I wrote about it here. The ETHI Report was all about how privacy law in Canada, specifically PIPEDA, should be reformed (duh!). The actual title of the ETHI Report? “Towards Privacy by Design: Review of The Personal Information Protection And Electronic Documents Act“. I guess we’re still moving “towards” it.
Privacy as a human right
Go read another one of my much smarter colleagues Teresa Scassa’s take on this topic. Your average Canadian thinks that there is a “right to privacy” written in Canadian law… somewhere. There is not! The Canadian Charter of Rights and Freedoms has a “right to life, liberty and security of the person” and a “right to be secure against unreasonable search or seizure” but these are not a pure “right to privacy”, which is why privacy is often referred to as a “quasi-constitutional right” in Canada. But it took a long circuitous route to get there. The Quebec Charter does better – “Every person has a right to respect for his private life.”
The CPPA mentions the right to privacy, but it’s practically in passing:
5. The purpose of this Act is to establish… rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
What a waffling statement. We “recognize” the right to privacy but that’s about it, and we’ll put it up against what seems to be an equal right for organizations to collect, use and disclose personal information. Meh.
As Teresa points out, the right to privacy is enshrined in all sorts of international treaties to which Canada is a signatory, like the Universal Declaration of Human Rights (from 1948!). The Charter of Fundamental Rights of the European Union even specifies individuals have a “right to the protection of personal data concerning him or her”. WOW! Section 1 (section ONE, like, the first one!) of the GDPR says the GDPR “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. Now that’s a statement.
In last year’s Report from the Privacy Commissioner, he said that any new privacy legislation should recognize privacy as a human right. He should know, he’s the privacy commissioner! Epic fail here.
A broader application
People may think that PIPEDA applies to anyone collecting personal information. It does not! It only applies to organizations collecting, using and disclosing personal information in the course of their commercial activities. That is relatively narrow when you think about it. The application in the new CPPA? EXACTLY THE SAME. Literally, the same words are repeated (section 4 PIPEDA, section 6 CPPA).
So who does that leave out? Well, anyone not involved in “commercial activities”! A big complaint about PIPEDA for example was that it did not apply to political parties. They have no “commercial activities” (well, as defined in the law ;-p), so they are not covered by any privacy legislation. That’s bad! There are any other number of organizations out there collecting your personal information that also are not involved in “commercial activities”. Did you know they can do what they want with your personal info, under the current law and what will be the new one? You do now!
Because I seem to be comparing everything to the GDPR, you should know that the GDPR has a much broader application; there is no “commercial activity” requirement at all.
Maybe a move beyond consent?
As mentioned in the bullet points the whole system of needing “consent” from individuals to collect, use and disclose personal information has been retained from PIPEDA. The ETHI Report I mentioned earlier said we should stick with it so I guess we should be thankful?
The CPPA adds a bunch of exceptions where consent is not required, and many of these are certainly designed to help business, because frankly consent is unworkable in a lot of cases. They recognize that! The big one is the section 18 I mentioned above.
Maybe there is a better way? The GDPR recognizes consent yes, but then also groups a bunch of others into something called “necessity” – necessary for performance of a contract, necessary for compliance of a legal obligation, etc. It’s not like the new CPPA ignores this – the word “necessary” appears eight times in the “exceptions” to consent. Why didn’t you just word it that way then?
I mentioned the CCPA above, the California privacy law which is also very recent and very “tough”, the strictest privacy law in the USA (which is not saying much, but still). Did you know under the CCPA business can just go ahead and collect personal information without explicit opt-in consent? It’s true! Maybe there is another way. We just have decided to not think about it.
A true Right to be Forgotten
I am not going to get into why I think the RTBF is important, you can read this post of mine from last year for that. Does the new CPPA have a RTBF? It does not. Some people say it does, because of this section:
55 (1) If an organization receives a written request from an individual to dispose of personal information that it has collected from the individual, the organization must, as soon as feasible, dispose of the information, unless…
Don’t worry about what comes after the “unless”. The people who say this is a RTBF are wrong. Do you see why? Well I bolded it for you. It only applies to personal information collected from the individual, in comparison to the GDPR’s RTBF (which is actually called the Right to Erasure):
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…
“Collected from” and “concerning” is a HUGE FUCKING DIFFERENCE. The ETHI Report, as well as I think the last 3 Commissioner’s Reports all made clear we should have a true RTBF, not to mention a de-indexing right (asking Google to stop linking) and we have none of that here. We have a “right to dispose” which is essentially the same as the right to delete that existed under PIPEDA (though admittedly under PIPEDA it was limited to information that was “inaccurate or incomplete”). The CPPA also says that an “organization must not retain personal information for a period longer than necessary”, but that is in PIPEDA too. There has been no real advancement on this front at all.
A true Private Right of Action
So yes I mentioned in the bullet points that the CPPA has a private right of action. What I did not mention is that it has a HUGE fucking caveat. Let’s go to the text:
106 (1) An individual who is affected by an act or omission by an organization that constitutes a contravention of this Act has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the contravention if
(a) the Commissioner has made a finding under paragraph 92(1)(a) that the organization has contravened this Act and
(i) the finding is not appealed and the time limit for making an appeal under subsection 100(2) has expired, or
(ii) the Tribunal has dismissed an appeal of the finding under subsection 102(1); or
(b) the Tribunal has made a finding under subsection 102(1) that the organization has contravened this Act.
You see that “if” I bolded? That sucks. It means that you can only sue for violations of the CPPA if the Commissioner or Tribunal has already found that the organization violated the CPPA. Yegads. You know how long that will take? You know how limited that would be? The Commissioner and the Tribunal will have very limited resources. Probably only a few organizations will have investigations to get us to the point of one of the Commissioner or Tribunal determining that the organization has violated the law.
Of course for comparison, let’s go the GDPR (Article 79):
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation
Translation: sue anyone, any time, no need to stop at the privacy authorities first. Now that’s a private right of action! Oh, and furthermore also too, GDPR Article 78 says you can go to court if you didn’t like what the privacy authority said if you did indeed choose to go to them first. So many options!
Superterriffic happy hour analysis – Why are all these misses important?
It’s a good question, thanks for asking. You’ll note how I focused a lot on what the CPPA does not have compared to the GDPR. It’s because the GDPR allows you to freely transfer personal data of Europeans to a non-Euro country if that country has a “an adequacy decision”, meaning that the Euro privacy authorities have determined that the country’s privacy laws have an “adequate level of protection” for personal data. Canada got an adequacy decision in 2001 (we got it under the old European data protection law, but it is still valid). It’s very valuable! The Americans don’t have one. It makes it much easier to do business with Europe.
It’s long been believed that once the European authorities got around to really looking at PIPEDA again (and the GDPR provides for ongoing monitoring of the issue), they would cancel our adequacy decision in a heartbeat. Reforming PIPEDA was necessary to prevent that from happening. If the new CPPA is missing a bunch of stuff that the GDPR does have, our adequacy decision may still be toast. That would be bad.
That’s the limited, practical answer as to why this may be important. The broader, more “policy” answer is that we had an opportunity to really fix privacy and data protection law in this country, to really state once and for all how important and central it is to today’s world and economy and our lives, and we came up short. I am not denying the new laws will fix some of the major weaknesses of PIPEDA (ABOUT F*ING TIME); we just could have, and maybe should have, done more.
Now, I have yet to point out (and should!) that this is only a bill, it was only just introduced for its “first reading”, and there are a lot of things that will happen before it becomes law, and that changes can still be made. So maybe some of these holes will be fixed. But I doubt it.