At time of writing, Bill C-27, “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts”, is in second reading. As this is effectively the second kick at the can for reviewing Canada’s privacy law, I’ve taken a bit of an interest in watching how this bill progresses. Privacy and law are piquing my interest at this point in my career and so the purpose of this blog is to cover some interesting aspects as it relates to this bill. I’m hoping to write more on this subject in the future.
One of the main purposes of a bill in the second reading phase is to ensure that the scope and principle of the bill are aligned with the will of Canadians. So it’s only fitting that we start here. This bill was sponsored by the Minister of Innovation, Science and Industry, and seems to be one of the main initiatives under Canada’s Digital Charter. One of the main pillars of that charter was to build a foundation of trust. From their website:
Canadians increasingly rely on digital technology to connect with each other, to work and innovate. That’s why the Government of Canada is committed to making sure Canadians can benefit from the latest technologies, knowing that their privacy is safe and secure, and that companies are acting responsibly.
Canadians must be able to trust that their personal information and that of their children is protected, that their data will not be misused, and that organizations operating in this space communicate in a simple and straightforward manner with their users. This trust is the foundation on which our digital and data-driven economy will be built.
Canada’s Digital Charter sets out principles to ensure that privacy is protected, data-driven innovation is human-centered, and Canadian organizations can lead the world in innovations that fully embrace the benefits of the digital economy.
Honestly, I’m not sure many can disagree with the above statements as to the purpose of Bill C-27. In the bill itself, the preamble section expands a bit on what is included in the bill. It seems to focus on three core areas. The first centers around the individual. Individuals want to have trust in the digital/data-driven economy and want to ensure that while they are allowed to participate, their information is protected from threats such as data loss and inherent biases in automated decision systems. Protection, of course, comes in the forms of reporting and monitoring of the private sector for compliance with the law and ensuring that the law has enough teeth to make businesses feel like protection of private data is important.
The second core area is from the viewpoint of private enterprises within Canada. The bill seeks to level the playing field between actors in Canada and those in leading privacy jurisdictions. It seeks to clarify what is required by law, and ensure that businesses are aware of their responsibilities. The bill recognizes that Canada is a trading nation, and seeks to ensure that Canadian standards are consistent with other international standards. The goal ultimately is to help Canadian businesses participate safely in the data economy.
The last core area is from the viewpoint of government. While this bill does not technically apply to government organizations governed by the Privacy Act, it does codify access to personal information for government uses (aka: in the public interest).
To that end, Bill C-27 is actually broken down into three parts. The first part, termed the Consumer Privacy Protection Act, is an update to PIPEDA. The second part establishes the tribunal, and discusses processes and penalties for non-compliance. This part is effectively the teeth of the overall bill. The last part is the Artificial Intelligence and Data Act, and seeks to regulate artificial intelligence systems and prohibit certain conduct that may result in serious harm (to individuals).
It is important to note that Bill C-27 takes a pretty wide view of what personal information is, defining it as “any information about an identifiable individual”. This can be read in contrast to the definition of de-identified data, which means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains” and anonymized data, which means “to irreversibly and permanently modify personal information … to ensure that no individual can be identified from the information, whether directly or indirectly, by any means”.
Being completely honest, I found reading this bill to be extremely confusing and hard. I think that this is because, from a privacy perspective, there are three main viewpoints: that of the individual, that of the organization, and that of the government. The bill is written with all three of these viewpoints intertwined together. So, rather than going through it like that, I am going to attempt to separate out the bill by viewpoint. Let’s see if this works.
Individuals engage with many services on a daily basis. It is understood, during the course of using a service, that individuals exchange some personal information in order to successfully use a service. The bill is written to protect the individual, and makes it clear that organizations should only capture personal information about individuals that is necessary to provide the service. When this information is “reasonable” to collect, no act of consent is required on behalf of the service. In all cases, organizations must provide documentation on the types/purpose of information captured.
Individuals have rights over their data. One of the key parts of this bill is that individuals have the right to request what information an organization has about them. Organizations have to comply with these requests in a timely manner and disclose whether it has any personal information about the individual, how it has used the information, and whether it has disclosed the information. The organization is also required to give the individual access to the information it has about them. Further, the organization is required to provide the names/types of 3rd parties that the information has been disclosed to, and also provide a list of automated decision making systems the information has been used by (along with justification of why a decision was made).
Another key data right that individuals have is over the mobility of their personal information. If organizations are subject to a data mobility framework, individuals may request organizations to disclose their personal information to another organization. The definition of “data mobility framework” is purposely left vague, likely for future consideration.
The last key data right to discuss is the right to request disposal of personal information. While there are exceptions to this, generally, organizations must delete data as soon as feasible.
If individuals feel that a company has violated terms within the act, they may file a complaint with the Commissioner. The commissioner can then, if they feel like it, conduct an investigation.
Bill C-27 makes the assumption that businesses need some level of access to personal information in order to perform services on behalf of individuals. While this assumption is probably invalid in most cases, that discussion is outside the scope of this blog post. Bill C-27 states that organizations “..may collect, use, or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances..”. Organizations wanting to capture personal information must make a business justification to do so, and they need to consider the following when creating their justification:
- The sensitivity of the personal information itself
- If the data is actually required for business needs
- The effectiveness of collection mechanisms for this personal information
- If there are less intrusive means with comparable costs/benefits
- Individual loss of privacy is proportionate to the benefits they receive, also considering the measures the organization has taken to mitigate the impacts of the loss of privacy
A key part of the act is that organizations must determine what information they need in advance of collecting this information. So effectively, organizations need to plan data collection and ensure justification documentation is in place. Any changes (termed “new purpose”) must be recorded by the organization prior to using/disclosing information for that purpose.
Consent to data collection is generally a large part of privacy orientated law. In the case of Bill C-27, consent needs to be captured but there are several exceptions to this rule. The biggest one is for “business activity”. Effectively the bill reads that if a company privately documents the reasons for data capture, it doesn’t need to publicly state them if they can prove that a “reasonable” person would think that this data capture is required. The following points are considered “business activities” for the purpose of the act:
Another interesting exception is that of legitimate interest. Effectively, an organization can collect information about an individual if they have a legitimate interest that outweighs any potential adverse effect on the individual resulting from the collection and/or use. This collection must be in line with what a reasonable person would expect and must not be used for the purposes of influencing the individual’s behaviour or decisions.
Personally, the exception clauses seem extremely broad, and favour the organization over the individual. Having worked with several businesses (big and small), I can tell you that organizations never have the individual’s best interest at heart and always aim to do the minimums required when it comes to data security. I see organizations getting the best lawyers they can to ensure that they don’t need to obtain consent, rather than being up front with individuals about the data they capture and the reasons for that capture. Organizations do have to have a commitment to openness and transparency, so they do need to make public the personal information they do capture and the justifications for doing so.
Once information is captured, organizations have a duty to protect that data. This includes ensuring the accuracy of the personal information and also establishing security safeguards to prevent data loss. The language used in the act here is loose, only requiring safeguards that are “proportional” to the sensitivity of the information. Organizations also have a duty to report if they have a breach of any of their security safeguards, but only if the breach creates a “real risk of significant harm” to an individual.
Once information has served its purpose, organizations have a duty to dispose of the personal information. This disposal must take into account other laws and contracts that may govern the use/retention of the data.
Bill C-27 does not apply to any organization covered under the Privacy Act. So for the most part, government is exempt from this act. What this act does do, however, is codify capabilities by government agencies to compel private organizations to capture personal information on their behalf. I’m not going to review this in detail but most of the provisions use the tired/old adage of “in the interest of national security”.
What is interesting is what organizations will need to do to track/comply with this law when compelled by government organizations to capture/disclose data without consent. For example, generally, organizations must disclose the 3rd parties to which individual data has been disclosed. In certain cases, during active “investigations” for example, organizations are actually prohibited from disclosing this information. I think there is a lot here to unpack in terms of processes organizations must have to comply with these requests. This may be the subject of a future post.
In conclusion, I’m pretty torn about this bill. On the one hand, we drastically need to update our privacy laws here in Canada. It is apparent that companies will not take action of their own accord to safeguard the privacy of Canadians. This is true even for Canadian companies. On the other hand, this bill feels very loose with regards to actual controls. The honour system it is based on seems inherently flawed, and it’ll be interesting to see how long it will take to see action when complaints are brought to the attention of the commissioner. The next step for this bill, should it pass, is to be referred to committee where I’m sure there will be lots of debate on the various clauses in the act. If you are worried about privacy, and you should be, you should also take a keen interest in this bill and its evolution.
Hopefully you enjoyed this post!
Shamir is a Microsoft Most Valuable Professional (MVP – Azure) and has extensive experience building solutions in the cloud, from strategy to deployment to automation.