The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is federal legislation that governs personal information held by private sector organizations in the course of for-profit, commercial activities across Canada. It also applies to personal information of employees of federally-regulated businesses including banks, airlines and telecommunications companies. On November 17, 2020, the federal government introduced Bill C-11, which proposes the enactment of the Consumer Privacy Protection Act (“CPPA”) and the repeal of Part I of PIPEDA. Bill C-11 can only become law after it has been approved by both Houses of Parliament and has received Royal Assent.
On May 11, 2021, the Federal Privacy Commissioner of Canada, Daniel Therrien, released a submission to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, in which the Commissioner states his belief that Bill C-11 “represents a step back overall from our current law and needs significant changes if confidence in the digital economy is to be restored.” The Commissioner emphasizes that Bill C-11, as drafted:
“would be a step back overall because the provisions meant to give individuals more control give them less; because the increased flexibility given to organizations to use personal information without consent do not come with additional accountability one would expect; because administrative penalties will not apply to the most frequent and important violations, those relevant to consent and exceptions to consent; and because [the Office of the Privacy Commissioner of Canada (“OPC”)] would not have the tools required to manage its workload to prioritize activities that are most effective in protecting Canadians.”
The Commissioner’s submission on Bill C-11 provides over 60 recommendations, which he believes are required to help ensure that organizations can responsibly innovate while recognizing and protecting the privacy rights of Canadians. The Commissioner’s recommended changes are categorized into the following three themes:
Weighting of Privacy Rights and Commercial Interests
- The Commissioner’s submission provides that Bill C-11 “arguably gives more weight to commercial interests than the current law by adding new commercial factors to be considered in the balance, without adding any reference to the lessons of the past twenty years on technology’s disruption of rights.”
- The submission further provides that “it would be normal and fair for commercial activities to be permitted within a rights framework, rather than placing rights and commercial interests on the same footing. Generally, it is possible to concurrently achieve both commercial objectives and privacy protection. This is how we conceive responsible innovation. However, when there is a conflict, we believe rights should prevail.”
- The Commissioner suggests 10 recommendations under this theme, including recommendations with respect to the inclusion of a human rights-based framework in the CPPA and amendments to the definitions of personal information, sensitive information and commercial activity.
- Of particular interest is the Commissioner’s reference to Dr. Teresa Scassa’s description of a human rights-based approach to privacy protection. Dr. Scassa describes a human rights-based approach to privacy as “one that places the human rights values that underlie privacy protection at the normative centre of any privacy legislation. . . . it acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.”
Specific Rights and Obligations
- The Commissioner suggests 22 recommendations under this theme, focused within three particular areas: consent and the exceptions thereto, organizational obligations, and individual data rights.
- Consent and the Exceptions Thereto
  - The Commissioner suggests changes to ensure consent is informed and meaningful. The Commissioner also notes that while several new exceptions to consent are reasonable, there are two main concerns: “some exceptions are unreasonably broad; and the Bill fails to associate greater authority to use personal information with greater accountability by organizations for how they will use these permissions.” The Commissioner addresses these concerns by suggesting revisions with respect to the scope of socially beneficial purposes, publicly available personal information, de-identification of personal information and disclosure of personal information to law enforcement.
  - Of particular interest is the Commissioner’s assertion that “[t]he CPPA does not speak to format, content structure, or accessibility. Each of these is a factor that contributes to an individual’s understanding of how their personal information is being used.”
- Organizational Obligations
  - The Commissioner suggests changes in Bill C-11 with respect to accountability, trans-border data flows and service providers, safeguarding, breach reporting and domestic service providers.
  - Of particular interest is the Commissioner’s suggestion that the accountability principle is not clearly defined in the CPPA, and that the legislation does not “provide protective measures such that the accountability of organizations is real and demonstrable.”
- Individual Rights
  - The Commissioner suggests changes in Bill C-11 with respect to automated decision-making, the right to reputation and data mobility.
Quick and Effective Remedies and the Role of the Office of the Privacy Commissioner of Canada
- The Commissioner suggests a strong enforcement and oversight mechanism which should include access to quick and effective remedies for individuals and should provide the regulator with the legal mechanisms required to protect Canadians.
- The Commissioner suggests 20 recommendations under this theme, including recommendations with respect to remedies, the rules of procedure and evidence in investigations, special cases of breaches, compliance agreements, the Personal Information and Data Protection Tribunal, administrative monetary penalties, private right of action, the role of the regulator, the discretion to investigate, advising organizations on their privacy management programs, codes of practice and certification programs, amendments to rules which mandate the Commissioner to consider the size of the organization and other factors mentioned, demonstrable accountability and proactive inspections, proactive compliance audits, the prohibition on use of information provided by an organization, confidentiality and cooperation with other organizations and offences.
- Of particular interest is the Commissioner’s recommendation with respect to the Personal Information and Data Protection Tribunal. Here, the Commissioner has stated that “[w]hile the OPC welcomes oversight and accountability for our actions, we respectfully suggest that the new Tribunal is both unnecessary to achieve greater accountability and fairness (the Federal Court already plays this role), and counter-productive in achieving quick and effective remedies. In fact, all objective indicators show overwhelmingly that the Tribunal would unnecessarily delay justice for consumers. . . . In summary, there is no need to add an administrative appeal to ensure fairness to business when the Federal Court already plays this role, and as, at any rate, the OPC has an exemplary record in this regard. Moreover, adding a level of appeal can only delay the ultimate resolution of cases.”
In light of the Commissioner’s submission to the Standing Committee, Bill C-11 could undergo changes before it is passed, especially given Commissioner Therrien’s recent reappointment on June 4, 2021 for a one-year term. Organizations should pay particular attention to developments regarding Bill C-11 as changes may be forthcoming.