Teresa Scassa - Blog

Displaying items by tag: data protection

 

This post is the third in a series that considers the extent to which the Digital Charter Implementation Act (Bill C-11) by overhauling Canada’s federal private sector data protection law, implements the principles contained in the government’s Digital Charter. This post addresses the fourth principle of the Charter: Transparency, Portability and Interoperability, which provides that “Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.”

Europe’s General Data Protection Regulation (GDPR) introduced the concept of data portability (data mobility) as part of an overall data protection framework. The essence of the data portability right in article 20 of the GDPR is:

(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided [...]

In this version, the data flows from one controller to another via the data subject. There is no requirement for data to be in a standard, interoperable format – it need only be in a common, machine-readable format.

Data portability is not a traditional part of data protection; it largely serves consumer protection/competition law interest. Nevertheless, it is linked to data protection through the concept of individual control over personal information. For example, consider an individual who subscribes to a streaming service for audiovisual entertainment. The service provider acquires considerable data about that individual and their viewing preferences over a period of time. If a new company enters the market, they might offer a better price, but the consumer may be put off by the lack of accurate or helpful recommendations or special offers/promotions tailored to their tastes. The difference in the service offered lies in the fact that the incumbent has much more data about the consumer. A data mobility right, in theory, allows an individual to port their data to the new entrant. The more level playing field fosters competition that is in the individual’s interest, and serves the broader public interest by stimulating competition.

The fourth pillar of the Digital Charter clearly recognizes the idea of control that underlies data mobility, suggesting that individuals should be free to share or transfer their data “without undue burden.” Bill C-11 contains a data mobility provision that is meant to implement this pillar of the Charter. However, this provision is considerably different from what is found in the GDPR.

One of the challenges with the GDPR’s data portability right is that not all data will be seamlessly interoperable from one service provider to another. This could greatly limit the usefulness of the data portability right. It could also impose a significant burden on SMEs who might face demands for the production and transfer of data that they are not sufficiently resourced to meet. It might also place individuals’ privacy at greater risk, potentially spreading their data to multiple companies, some of which might be ill-equipped to provide the appropriate privacy protection.

These concerns may explain why Bill C-11 takes a relatively cautious approach to data mobility. Section 72 of the Consumer Privacy Protection Act portion of Bill C-11 provides:

72 Subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework provided under the regulations. [My emphasis]

It is important to note that in this version of mobility, data flows from one organization to another rather than through the individual, as is the case under the GDPR. The highlighted portion of s. 72 makes it clear that data mobility will not be a universal right. It will be available only where a data mobility framework is in place. Such frameworks will be provided for in regulations. Section 120 of Bill C-11 states:

120 The Governor in Council may make regulations respecting the disclosure of personal information under section 72, including regulations

(a) respecting data mobility frameworks that provide for

(i) safeguards that must be put in place by organizations to enable the secure disclosure of personal information under section 72 and the collection of that information, and

(ii) parameters for the technical means for ensuring interoperability in respect of the disclosure and collection of that information;

(b) specifying organizations that are subject to a data mobility framework; and

(c) providing for exceptions to the requirement to disclose personal information under that section, including exceptions related to the protection of proprietary or confidential commercial information.

The regulations provide for frameworks that will impose security safeguards on participating organizations, and ensure data interoperability. Paragraph 120(b) also suggests that not all organizations within a sector will automatically be entitled to participate in a mobility framework; they may have to qualify by demonstrating that they meet certain security and technical requirements. A final (and interesting) limitation on the mobility framework relates to exceptions to disclosure where information that might otherwise be considered personal information is also proprietary or confidential commercial information. This gets at the distinction between raw and derived data – data collected directly from individuals might be subject to the mobility framework, but profiles or analytics based on that data might not – even if they pertain to the individual.

It is reasonable to expect that open banking (now renamed ‘consumer-directed finance’) will be the first experiment with data mobility. The federal Department of Finance released a report on open banking in January 2020, and has since been engaged in a second round of consultations. Consumer-directed finance is intended to address the burgeoning fintech industry which offers many new and attractive financial management digital services to consumers but which relies on access to consumer financial data. Currently (and alarmingly) this need for data is met by fintechs asking individuals to share account passwords so that they can regularly scrape financial data from multiple sources (accounts, credit cards, etc.) in order to offer their services. A regulated framework for data mobility is seen as much more secure, since safeguards can be built into the system, and participants can be vetted to ensure they meet security and privacy standards. Data interoperability between all participants will also enhance the quality of the services provided.

If financial services is the first area for development of data mobility in Canada, what other areas for data mobility might Canadians expect? The answer is: not many. The kind of scheme contemplated for open banking has already required a considerable investment of time and energy, and it is not yet ready to launch. Of course, financial data is among the most sensitive of personal data; other schemes might be simpler to design and create. But they will still take a great deal of time. One sector where some form of data mobility might eventually be contemplated is telecommunications. (Note that Australia’s comparable “consumer data right” is being unrolled first with open banking and will be followed by initiatives in the telecommunications and energy sectors).

Data mobility in the CPPA will also be limited by its stringency. It is no accident that banking and telecommunications fall within federal jurisdiction. The regulations contemplated by s. 120 go beyond simple data protection and impact how companies do business. The federal government will face serious challenges if it attempts to create data mobility frameworks within sectors or industries under provincial jurisdiction. Leadership on this front will have to come from the provinces. Those with their own private sector data protection laws could choose to address data mobility on their own terms. Quebec has already done this in Bill 64, which would amend its private sector data protection law to provide:

112 [. . .] Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.

It remains to be seen what Alberta and British Columbia might decide to do – along with Ontario, if in fact it decides to proceed with its own private sector data protection law. As a result, while there might be a couple of important experiments with data mobility under the CPPA, the data mobility right within that framework is likely to remain relatively constrained.

Published in Privacy

 

This post is the second in a series that considers the extent to which the Digital Charter Implementation Act, by overhauling Canada’s federal private sector data protection law, implements the principles contained in the government’s Digital Charter. It addresses the tenth principle of the Charter: Strong Enforcement and Real Accountability. This principle provides that “There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.”

Canada’s current data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA) has been criticized for the relatively anemic protection it provides for personal information. Although complaints may be filed with the Commissioner, the process ends with a non-binding “report of findings”. After receiving a report, a complainant who seeks either a binding order or compensation must make a further application to the Federal Court. Recourse to Federal Court is challenging for unrepresented plaintiffs. Yet, awards of damages have been low enough to make it distinctly not worth anyone’s while to hire a lawyer to assist them with such a claim. As a result, the vast majority of cases going to the Federal Court have been brought by unrepresented plaintiffs. Damage awards have been low, and nobody has been particularly impressed. It is now far more likely that privacy issues – at least where data breaches are concerned – will be addressed through class action lawsuits, which have proliferated across the country.

Of course, the protection of personal information is not all about seeking compensation or court orders. In fact, through the complaints process over the years, the Commissioner has worked to improve data protection practices through a variety of soft compliance measures, including investigating complaints and making recommendations for changes. The Commissioner also uses audit powers and, more recently, compliance agreements, to ensure that organizations meet their data protection obligations. Nevertheless, high profile data breaches have left Canadians feeling vulnerable and unprotected. There is also a concern that some data-hungry companies are making fortunes from personal data and that weak legislative sanctions provide no real incentive to limit their rampant collection, use and disclosure of personal data. Public unease has been augmented by overt resistance to the Commissioner’s rulings in some instances. For example, Facebook was defiant in response to the Commissioner’s findings in relation to the Cambridge Analytica scandal. Even more recently, in an inquiry into the use of facial recognition technologies in shopping malls, the respondent politely declined to accept the Commissioner’s findings that certain of their practices were in breach of PIPEDA.

The Digital Charter Implementation Act is meant to address PIPEDA’s enforcement shortfall. It provides for the enactment of two statutes related to personal data protection: The Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (the PIDPTA). A government Fact Sheet describes this combination as providing a “Comprehensive and accessible enforcement model”. The revamped version of PIPEDA, the CPPA would give the Commissioner the power to order an organization to comply with its obligations under the CPPA or to stop collecting or using personal information. This is an improvement, although the order-making powers are subject to a right of appeal to the new Tribunal created by the PIDPTA. At least the Tribunal will owe some deference to the Commissioner on questions of fact or of mixed law and fact – proceedings before the Federal Court under PIPEDA were entirely de novo.

Under the CPPA, the Commissioner will also be able to recommend that the Tribunal impose a fine. Fines are available only for certain breaches of the legislation. These are ones that involve excessive collection of personal information; use or disclosure of personal information for new purposes without consent or exception; making consent to personal data collection a condition of the provision of a product or service (beyond what is necessary to provide that product or service); obtaining consent by deception; improper retention or disposal of personal information; failure to dispose of personal information at an individual’s request; breach of security safeguards; or failure to provide breach notification. The fines can be substantial, with a maximum penalty of the higher of $10,000,000 or 3% of the organization’s gross global revenue for the preceding financial year. Of course, that is the upper end. Fines are discretionary and subject to a number of considerations, and fines are explicitly not meant to be punitive.

Within this structure, the Tribunal will play a significant role. It was no doubt created to provide greater distance between the Commissioner and the imposition of fines on organizations. In this respect, it is a good thing. The Commissioner still plays an important role in encouraging organizations to comply voluntarily with the legislation. This role is fairer and easier to perform when there is greater separation between the ombuds functions of the Commissioner and the ability to impose penalties. More problematically, the Tribunal will hear appeals of both findings and orders made by the Commissioner. The appeal layer is new and will add delays to the resolution of complaints. An alternative would be to have left orders subject to judicial review, with no appeals. In theory, going to the Tribunal will be faster and perhaps less costly than a trip to Federal Court. But in practice, the Tribunal’s value will depend on its composition and workload. Under the PIDPTA, the Tribunal will have only six members, not necessarily full-time, and only one of these is required to have experience with privacy. Decisions of the tribunal cannot be appealed, but they will be subject to judicial review by the Federal Court.

The CPPA also creates a new private right of action. Section 106 provides that an individual affected by a breach of the Act can sue for damages for “loss or injury that the individual has suffered”. However, in order to do so, the individual must first make a complaint. That complaint must be considered by the Commissioner. The Commissioner’s findings and order must either not be appealed or any appeal must have been dealt with by the Tribunal. Note that not all complaints will be considered by the Commissioner. The Commissioner can decline to deal with complaints for a number of reasons (see s. 83) or can discontinue an investigation (see s. 85). There is also a right of action for loss or injury where and organization has been convicted of an offence under the legislation. An offence requires an investigation, a recommendation, and consideration by the Tribunal. All of these steps will take time. It will be a truly dogged individual who pursues the private right of action under the CPPA.

Ultimately, then, the question is whether this new raft of enforcement-related provisions is an improvement? To better get a sense of how these provisions might work in practice, consider the example of the massive data breach at Desjardins that recently led to a Commissioner’s report of findings. The data breach was a result of employees not following internal company policies, flawed training and oversight, as well as certain employees going ‘rogue’ and using personal data for their own benefit. In the Report of Findings, the Commissioner makes a number of recommendations most of which have already been implemented by the organization. As a result, the Commissioner has ruled the complaint well-founded and conditionally resolved. Class action lawsuits related to the breach have already been filed.

How might this outcome be different if the new legislation were in place? A complaint would still be filed and investigated. The Commissioner would issue his findings as to whether any provisions of the CPPA were contravened. He would have order-making powers and could decide to recommend that a penalty be imposed. However, if his recommendations are all accepted by an organization, there is no need for an order. The Commissioner might, given the nature and size of the breach, decide to recommend that a fine be imposed. However, considering the factors in the legislation and the organization’s cooperation, he might decide it was not appropriate.

Assuming a recommendation were made to impose a penalty, the Tribunal would have to determine whether to do so. It must consider a number of factors, including the organization’s ability to pay the fine, any financial benefit derived by the organization from the activity, whether individuals have voluntarily been compensated by the organization, and the organization’s history of complying with the legislation. The legislation also specifically provides that “the purpose of a penalty is to promote compliance with this Act and not to punish.” (s. 94(6)) In a case where the organization was not exploiting the data for its own profit, took steps quickly to remedy the issues by complying with the Commissioner’s recommendations, and provided credit monitoring services for affected individuals, it is not obvious that a fine would be imposed. As for the private right of action in the legislation, it is not likely to alter the fact that massive data breaches of this kind will be addressed through class action lawsuits.

The reworking of the enforcement provisions may therefore not be hugely impactful in the majority of cases. This is not necessarily a bad thing, if the lack of impact is due to the fact that the goals of the legislation are otherwise being met. Where it may make a difference is in cases where organizations resist the Commissioner’s findings or where they act in flagrant disregard of data protection rights. It is certainly worth having more tools for enforcement in these cases. Here, the big question mark is the Tribunal – and more particularly, its composition.

But there may also be consequences felt by individuals as a result of the changes. The Commissioner’s findings – not just any orders he might make – are now subject to appeal to the Tribunal. This will likely undermine his authority and might undercut his ability to achieve soft compliance with the law. It is also likely to delay resolution of complaints, thus also delaying access to the private right of action contemplated under the legislation. It shifts power regarding what constitutes a breach of the legislation from the Commissioner to the new Tribunal. This may ultimately be the most concerning aspect of the legislation. So much will depend on who is appointed to the Tribunal, and the Bill does not require demonstrable privacy expertise as a general pre-requisite for membership. At the very least, this should be changed.

Published in Privacy
Monday, 21 December 2020 08:03

The Gutting of Consent in Bill C-11

 

Bill C-11, the bill to reform Canada’s private sector data protection regime, is titled the Digital Charter Implementation Act. The Digital Charter is a 10-point plan set out by the federal government to frame its digital agenda. This is the first of a series of posts that considers Bill C-11 in light of some of the principles of the Digital Charter.

A key pillar of the Digital Charter is “consent”. It states: “Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.” A “Fact Sheet” published about Bill C-11 explains: “Modernized consent rules would ensure that individuals have the plain-language information they need to make meaningful choices about the use of their personal information.” How well does this describe what Bill C-11 actually does?

It is now generally well accepted that individuals face an enormous consent burden when it comes to personal information. Personal data is collected from every digitally-enabled transaction; it is collected when we use online platforms and as we surf the internet; it is harvested from our phones, and from every app on our phones; home appliances are increasingly co-opted to harvest data about us; our cars collect and transmit data – the list is endless. There are privacy policies somewhere that govern each of these activities, but we do not have the time to read them. If we did, we would likely struggle to grasp their full meaning. And, in any event, these policies are basically take-it-or-leave-it. Add to this the fact that most people’s preoccupation is necessarily with the actual product or service, and not with the many different ways in which collected data might be used or shared. They are unlikely to be able to fully grasp how all this might at some future point affect them. Consent is thus largely a fiction.

How does Bill C-11 address this problem? It starts by requiring consent, at or before the time that personal information is collected. This consent must be “valid”, and validity will depend on plain language information being provided to the individual about the purpose for the collection, use or disclosure of the information, the way in which it will be collected, used or disclosed, any “reasonably foreseeable consequences” of this collection, use or disclosure, the specific type of personal information to be collected, and the names of any third parties or types of third parties with whom the information may be shared. It requires express consent, unless the organization “establishes that it is appropriate to rely on an individual’s implied consent”. The organization cannot make the provision of a product or service conditional on granting consent to the collection, use or disclosure of personal information, unless that information is necessary to the provision of the product or service. Consent cannot be obtained by fraud or deception. And, finally, individuals have the right to withdraw consent, on reasonable notice, and subject to a raft of other exceptions which include the “reasonable terms of a contract”.

It sounds good until you realize that none of this is actually particularly new. Yes, the law has been tightened up a bit around implied consent and the overall wording has been tweaked. But the basic principles are substantially the same as those in PIPEDA. Some of the tweaks are not necessarily for the better. The plain language list of information required for “valid consent” under Bill C-11 changes PIPEDA’s focus on the ability of the target audience for a product or service to properly grasp the nature, purposes and consequences of the collection, use and disclosure of personal data. By considering the target audience, the PIPEDA language is likely better adapted to things like protecting children’s privacy.

If, as the government seems to suggest, there is a new implementation of the “consent” principle in Bill C-11, it is not to be found in the main consent provisions. These are largely a rehash of PIPEDA, and, to the extent they are different, they are not obviously better.

What has changed – and ever so much for the worse – are the exceptions to consent, particularly the ones found in sections 18 to 21 of Bill C-11. These exceptions are not the long laundry-list of exceptions to consent that were already found in PIPEDA (those have all made their way into Bill C-11 as well). Sections 18 and 19, in particular, are new in Bill C-11, and they can only be seen as enhancing consent if you conceive of consent as a burden that should be largely eliminated.

Essentially, the government has tackled two different public policy issues in one set of provisions. The first issue is the consent burden described above. This can be summed up as: Privacy policies are too long and complex, and no one has time to read them. The legislative solution is to make them shorter by reducing the information they must contain. The second public policy goal is to make it easier for organizations to use the personal data they have collected in new ways without having to go back to individuals for their consent. The solution, though, is to carve out exceptions that address not just new uses of data already collected, but that are broad enough to include the initial collection of data. When these two solutions are combined, the result is quite frankly a data protection disaster.

A first problem is that these exceptions are not just to consent, but to knowledge and consent. In other words, not only does an organization not need to seek consent for the listed activities, it does not even need to inform the individual about them. It is very hard to hold an organization to account for things about which one has no knowledge.

The first set of exceptions to knowledge and consent in section 18 are for “business activities”. Perhaps recognizing that this provision creates a kind of open season on personal data, it begins with important limitations. The exception to knowledge and consent created by this provision is available only where the collection or use of the data is for one of the listed business activities; a reasonable person “would expect such a collection or use for that activity”; and “the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decision.” These are important guard rails. But, as noted above, without knowledge of the collection, use or disclosure, it will be difficult to hold organizations to account.

The list of consent-free activities is open ended – it can be added to by regulation. No doubt this is to make the legislation more responsive to changing practices or circumstances, but it is a mechanism by which the list can expand and grow with relative ease. And some of the listed activities have the potential for dramatic privacy impacts. For example, organizations can collect or use personal data without an individual’s knowledge or consent to reduce their commercial risk. This suggests, shockingly, that financial profiling of individuals without their knowledge or consent is fair game. Organizations may also collect personal data without knowledge or consent “that is necessary for the safety of a product or service that the organization provides or delivers”. In an era of connected cars, appliances, medical devices, and home alarm systems, to give just a few examples, the kinds of information that might fall into this category could be surprising. Even more troubling, though, is the provision that allows for collection and use of personal data for activities “in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.” No one knows what this really means – because it could mean all kinds of things. I will give just one example below.

The next exception, in section 19, allows an organization to transfer an individual’s personal information to a service provider without their knowledge or consent. Let’s say you go to a company’s website and you need customer service. There is a chatbot available on the site to assist you. The chatbot is part of a suite of digital customer services provided to the company by a service provider, and your personal information is transferred to them without your knowledge or consent to enable them to deliver these services. The service provider, on its own behalf, also wants to improve its chatbot AI by recording the chat transcripts, and possibly by collecting other data from you. Based on the exception mentioned above (where knowledge and consent would be impracticable because the service provider does not have a direct relationship with you), it can do this without your knowledge or consent. And you don’t even know about the service provider in the first place because of the exception in section 19. From a service point of view, it’s all very smooth and seamless. But let’s go back to the Digital Charter statement: “Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.” How are you feeling about this now?

In fairness, there are other provisions of the Act that govern transfers of data to service providers to ensure privacy protection and accountability. (I may draw a road map in a later post…you will need one to find these provisions which are scattered throughout the Bill). And, in fairness, there is a ‘transparency’ provision in s. 62(2)(b) that requires organizations to “make available” a “general account of how the organization makes use of personal information”. This explicitly includes “how the organization applies the exceptions to the requirement to obtain consent under this Act.” It is difficult to know what this might look like. But a “general account” being “made available” is not the same as a requirement to provide clear information and obtain consent at or before the time that the data is collected and used.

There are ways to reduce the consent burden and to facilitate legitimate uses of data already collected by organizations other than removing the requirements for knowledge or consent in a broad and potentially open-ended list of circumstances. One of these is the concept of “legitimate interests” in art. 6(1) of the EU’s GDPR. Of course, the legitimate interests of organizations under the GDPR are carefully balanced against the “interests or fundamental rights and freedoms of the data subject.” As noted in an earlier post, recognizing the human rights implications of data protection is something that the federal government is simply not prepared to do.

The bottom line is that Bill C-11, in its current form, does not enhance consent. Instead, it will directly undermine it. At the very least, section 18 must be drastically overhauled.

Published in Privacy

 

Bill C-11, the Act to reform Canada’s private sector data protection legislation – contains a new provision – one that has no equivalent in the current Personal Information Protection and Electronic Documents Act. Section 39 will permit the disclosure of an individual’s personal information without their knowledge or consent where that the disclosure is for “socially beneficial purposes.” This post examines the proposed exception.

In the course of their commercial activities, many private sector organizations amass vast quantities of personal data. In theory, these data could be used for a broad range of purposes – some of them in the public interest. There are a growing number of instances where organizations offer to share data with governments or with other actors for public purposes. For example, some organizations have shared data with governments to assist in their research or modeling efforts during the pandemic.

There may also be instances where data sharing is part of the quid pro quo for a company’s partnership with the public sector. Los Angeles County, for example, has sought to require data-sharing in exchange for licence to operate dockless scooter rental businesses. The ill-fated Sidewalk Toronto project raised issues around data collected in public spaces, including who would be able to access and use such data and for what purposes. This led to debates about “data trusts”, and whether an entity could be charged with the oversight and licensing of ‘smart city’ data.

It is into this context that the proposed exception for “socially beneficial purposes” is introduced. Section 39 of Bill C-11 reads:

39 (1) An organization may disclose an individual’s personal information without their knowledge or consent if

(a) the personal information is de-identified before the disclosure is made;

(b) the disclosure is made to

(i) a government institution or part of a government institution in Canada,

(ii) a health care institution, post-secondary educational institution or public library in Canada,

(iii) any organization that is mandated, under a federal or provincial law or by contract with a government institution or part of a government institution in Canada, to carry out a socially beneficial purpose, or

(iv) any other prescribed entity; and

(c) the disclosure is made for a socially beneficial purpose.

The first thing to note about this provision is that it reflects a broader ambivalence within the Bill about de-identified data. The ambivalence is evident in the opening words of section 39. An organization “may disclose an individual’s personal information without their knowledge or consent” if it is first de-identified. Yet, arguably, de-identified information is not personal information. Many maintain that it should therefore be usable outside of the constraints of data protection law, as is the case under Europe’s General Data Protection Regulation. Canada’s government is no doubt sensitive to concerns that de-identified personal information poses a reidentification risk, leaving individuals vulnerable to privacy breaches. Even properly de-identified data could lead to reidentification as more data and enhanced computing techniques become available. Bill C-11 therefore extends its regulatory reach to deidentified personal data, even though the Bill contains other provisions which prohibit attempts to re-identify de-identified data, and provide potentially stiff penalties for doing so (sections 75 and 125).

The Bill defines “de-identify” as “to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual”. The idea that it would include information created from personal information makes the definition surprisingly broad. Consider that in the early days of the pandemic, a number of companies – including Google and Fitbit – released data about mobility – in the form of charts – as we moved into lockdown. These visualizations might well fit the category of ‘information created from personal information’. If this is so, the release of such data – if Bill C-11 were passed in its current form – might constitute a breach, since according to section 39, the disclosure without knowledge or consent must be to a specified entity and must also be for a socially beneficial purpose. Perhaps Bill C-11 intends to restrain this self-publishing of data visualizations or analyses based on personal information. It is just not clear that this is the case – or that if it is, it would not violate the right to freedom of expression.

Under section 39, de-identified data may be disclosed without knowledge or consent to specific actors, including government or health care institutions, public libraries and post-secondary institutions. Data may also be disclosed to any other “prescribed entity”, thus allowing other entities to be added to the list by regulation. In the current list, the most interesting category – in light of debates and discussions around data trusts – is “any organization that is mandated, under a federal or provincial law or by contract with a government institution or part of a government institution in Canada, to carry out a socially beneficial purpose”. This category allows for a range of different kinds of “data trusts” – ones created by law or by contract. They may be part of government, operating under a mandate from government, or engaged by contract with government. Such arrangements must be for a “socially beneficial purpose”, which is defined in subsection 39(2) as “a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.”

While a data trust-type exception to facilitate data sharing is intriguing, the proposed definition of “socially beneficial purpose” may be too limiting. Consider a private sector company that wishes to provide de-identified data from personal fitness devices to a university for research purposes. If these data are used for health-related research there is no problem under section 39. But what if a social scientist seeks to examine other phenomena revealed by the data? What if a business scholar seeks to use the data to understand whether counting steps leads to more local shopping or dining? If the research is not about health, the provision or improvement of public amenities or infrastructure, or the protection of the environment, then it does not appear to fall within the exception. This might mean that some researchers can use the data and others cannot. There is a separate exception to the requirements of knowledge or consent for research or statistical purposes, but it is not for de-identified personal information and is more complex in its requirements as a result.

There are also some rather odd potential consequences with this scheme. What if a short-term rental company is willing to share de-identified data with a provincial government that is looking for better ways to target its tourism marketing efforts? Or perhaps it seeks to use the data to better regulate short term accommodation. It is not clear that either of these purposes would fit within the “improvement of public amenities or infrastructure” category of a socially beneficial purpose. And, although Bill C-11 sets out to regulate what private sector companies do with their data and not what data provincial or municipal governments are entitled to use, it does seem that these provisions could limit the access of provincial public sector actors to data that might otherwise be made available to them. By allowing private sector actors to share de-identified data without knowledge or consent in some circumstances, the implication is that such data cannot be shared in other circumstances – even if appropriate safeguards are in place.

Finally, it seems as if the de-identification of the data and a reference to socially beneficial purposes are the only safeguards mandated for the personal data under this scheme. The wording of section 39 suggests that shared data cannot simply be made available as open data (since it can only be shared with a specific entity for a specific purpose). Yet, there is no further requirement that the new custodians of the data – the public sector or prescribed entities – allow access to the data only under licenses that ensure that any downstream use is for the prescribed socially beneficial purposes – or that impose any other necessary limitations. For entities such as post-secondary institutions, public libraries, and ‘data trusts’, use by third parties must surely be contemplated. Section 39 should therefore require appropriate contractual terms for data-sharing.

Overall, the concept behind s. 39 of Bill C-11 is an important one, and the effort to facilitate data sharing by the private sector for public purposes in privacy-friendly ways is laudable. It is also important to consider how to place limits on such sharing in order to protect against privacy breaches that might flow from re-identification of de-identified data. However, section 39 as drafted raises a number of questions about its scope, not all of which are easily answered. It would benefit from a better definition of ‘de-identify’, a more flexible definition of a socially beneficial purposes, and a further requirement that any data sharing arrangements be subject to appropriate contractual limitations. And, even though individual knowledge of the sharing arrangements may not be feasible, there should be some form of transparency (such as notice to the Commissioner) so that individuals know when their de-identified personal data is being shared, by whom, and for what socially beneficial purposes.

Published in Privacy

 

The federal government’s new Bill C-11 to reform its antiquated private sector data protection law has landed on Parliament’s Order Paper at an interesting moment for Ontario. Earlier this year, Canada’s largest province launched a consultation on whether it should enact its own private sector data protection law that would apply instead of the federal law to intraprovincial activities.

The federal Personal Information Protection and Electronic Documents Act was enacted in 2000, a time when electronic commerce was on the rise, public trust was weak, and transborder flows of data were of growing economic importance. Canada faced an adequacy assessment under the European Union’s Data Protection Directive, in order to keep data flowing to Canada from the EU. At the time, only Quebec had its own private sector data protection law. Because a federal law in this area was on a somewhat shaky constitutional footing, PIPEDA’s compromise was that it would apply nationally to private sector data collection, use or disclosure in the course of commercial activity, unless a province had enacted “substantially similar” legislation. In such a case, the provincial statute would apply within the province, although not to federally-regulated industries or where data flowed across provincial or national borders. British Columbia and Alberta enacted their own statutes in 2004. Along with Quebec’s law, these were declared substantially similar to PIPEDA. The result is a somewhat complicated private sector data protection framework made workable by co-operation between federal and provincial privacy commissioners. Those provinces without their own private sector laws have seemed content with PIPEDA – and with allowing Ottawa picking up the tab for its oversight and enforcement.

Twenty years after PIPEDA’s enactment, data thirsty technologies such as artificial intelligence are on the ascendance, public trust has been undermined by rampant overcollection, breaches and scandals, and transborder data flows are ubiquitous. The EU’s 2018 General Data Protection Regulation (GDPR) has set a new and higher standard for data protection and Canada must act to satisfy a new adequacy assessment. Bill C-11 is the federal response.

There are provisions in Bill C-11 that tackle the challenges posed by the contemporary data environment. For example, organizations will have to provide upfront a “general account” of their use of automated decision systems that “make predictions, recommendations or decisions about individuals that could have significant impacts on them” (s. 62(1)(c)). The right of access to one’s personal information will include a right to an explanation of any prediction, recommendation or decision made using an automated decision system (s. 63(3)). There are also new exceptions to consent requirements for businesses that seek to use their existing stores of personal information for new internal purposes. C-11 will facilitate some sharing of de-identified data for “socially beneficial purposes”. These are among the Bill’s innovations.

There are, however, things that the Bill does not do. Absent from Bill C-11 is anything specifically addressing the privacy of children or youth. In fact, the Bill reworks the meaning of “valid consent”, such that it is no longer assessed in terms of the ability of those targeted for the product or service to understand the consequences of their consent. This undermines privacy, particularly for youth. Ontario could set its own course in this area.

More importantly, perhaps, there are some things that a federal law simply cannot do. It cannot tread on provincial jurisdiction, which leaves important data protection gaps. These include employee privacy in provincially regulated sectors, the non-commercial activities of provincial organizations, and provincial political parties. The federal government clearly has no stomach for including federal political parties under the CPPA. Yet the province could act – as BC has done – to impose data protection rules on provincial parties. There is also the potential to build more consistent norms, as well as some interoperability where necessary, across the provincial public, health and private sectors under a single regulator.

The federal bill may also not be best suited to meet the spectrum of needs of Ontario’s provincially regulated private sector. Many of the bill’s reforms target the data practices of large corporations, including those that operate transnationally. The enhanced penalties and enforcement mechanisms in Bill C-11 are much needed, but are oriented towards penalizing bad actors whose large-scale data abuses cause significant harm. Make no mistake – we need C-11 to firmly regulate the major data players. And, while a provincial data protection law must also have teeth, it would be easier to scale such a law to the broad diversity of small and medium-sized enterprises in the Ontario market. This is not just in terms of penalties but also in terms of the compliance burden. Ontario’s Information and Privacy Commissioner could play an important role here as a conduit for information and education and as a point of contact for guidance.

Further, as the failed Sidewalk Toronto project demonstrated, the province is ripe with opportunities for public-private technology partnerships. Having a single regulator and an interoperable set of public and private sector data protection laws could offer real advantages in simplifying compliance and making the environment more attractive to innovators, while at the same time providing clear norms and a single point of contact for affected individuals.

In theory as well, the provincial government would be able to move quickly if need be to update or amend the law. The wait for PIPEDA reform has been excruciating. It it is not over yet, either. Bill C-11 may not be passed before we have to go to the polls again. That said, timely updating has not been a hallmark of either BC or Alberta’s regimes. Drawbacks of a new Ontario private sector data protection law would include further multiplication of the number of data protection laws in Canada, and the regulatory complexity this can create. A separate provincial law will also mean that Ontario will assume the costs of administering a private sector data protection regime. This entails the further risk that budget measures could be used by future governments to undermine data protection in Ontario. Still, the same risks – combined with considerably less control – exist with federal regulation. There remains a strong and interesting case for Ontario to move forward with its own legislation.

Published in Privacy

 

It’s been a busy privacy week in Canada. On November 16, 2020 Canada’s Department of Justice released its discussion paper as part of a public consultation on reform of the Privacy Act. On November 17, the Minister of Industry released the long-awaited bill to reform Canada’s private sector data protection legislation. I will be writing about both developments over the next while. But in this initial post, I would like to focus on one overarching and obvious omission in both the Bill and the discussion paper: the failure to address privacy as a human right.

Privacy is a human right. It is declared as such in international instruments to which Canada is a signatory, such as the Universal Declaration of Human Rights and the International Convention on Civil and Political Rights. Data protection is only one aspect of the human right to privacy, but it is an increasingly important one. The modernized Convention 108 (Convention 108+), a data protection originating with the Council of Europe but open to any country, puts human rights front and centre. Europe’s General Data Protection Regulation also directly acknowledges the human right to privacy, and links privacy to other human rights. Canada’s Privacy Commissioner has called for Parliament to adopt a human rights-based approach to data protection, both in the public and private sectors.

In spite of all this, the discussion paper on reform of the Privacy Act is notably silent with respect to the human right to privacy. In fact, it reads a bit like the script for a relationship in which one party dances around commitment, but just can’t get out the words “I love you”. (Or, in this case “Privacy is a human right”). The title of the document is a masterpiece of emotional distancing. It begins with the words: “Respect, Accountability, Adaptability”. Ouch. The “Respect” is the first of three pillars for reform of the Act, and represents “Respect for individuals based on well established rights and obligations for the protection of personal information that are fit for the digital age.” Let’s measure that against the purpose statement from Convention 108+: “The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” Or, from article 1 of the GDPR: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” The difference is both substantial and significant.

The discussion paper almost blurts it out… but again stops short in its opening paragraph, which refers to the Privacy Act as “Canada’s quasi-constitutional legal framework for the collection, use, disclosure, retention and protection of personal information held by federal public bodies.” This is the romantic equivalent of “I really, really, like spending time with you at various events, outings and even contexts of a more private nature.”

The PIPEDA reform bill which dropped in our laps on November 17 does mention the “right to privacy”, but the reference is in the barest terms. Note that Convention 108+ and the GDPR identify the human right to privacy as being intimately linked to other human rights and freedoms (which it is). Section 5 of the Bill C-11 (the Consumer Privacy Protection Act) talks about the need to establish “rules to govern the protection of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.” It is pretty much what was already in PIPEDA, and it falls far short of the statements quoted from Convention 108+ and the GDPR. In the PIPEDA context, the argument has been that “human rights” are not within exclusive federal jurisdiction, so talking about human rights in PIPEDA just makes the issue of its constitutionality more fraught. Whether this argument holds water or not (it doesn’t), the same excuse does not exist for the federal Privacy Act.

The Cambridge Analytica scandal (in which personal data was used to subvert democracy), concerns over uses of data that will perpetuate discrimination and oppression, and complex concerns over how data is collected and used in contexts such as smart cities all demonstrate that data protection is more than just about a person’s right to a narrow view of privacy. Privacy is a human right that is closely linked to the enjoyment of other human rights and freedoms. Recognizing privacy as a human right does not mean that data protection will not not require some balancing. However, it does mean that in a data driven economy and society we keep fundamental human values strongly in focus. We’re not going to get data protection right if we cannot admit these connections and clearly state that data protection is about the protection of fundamental human rights and freedoms.

There. Is that so hard?

Published in Privacy

 

The BC Court of Appeal has handed down a decision that shakes up certain assumptions about recourse for privacy-related harms in that province – and perhaps in other provinces as well.

The decision relates to a class action lawsuit filed after a data breach. The defendant had stored an unencrypted copy of a database containing customer personal information on its website. The personal information included: “names, addresses, email addresses, telephone numbers, dates of birth, social insurance numbers, occupations, and, in the case of credit card applicants, their mothers' birth names.” (at para 4) This information was accessed by hackers. By the time of this decision, some of the information had been used in phishing scams but the full extent of its use is still unknown.

As is typical in privacy class action lawsuits, the plaintiffs sought certification on multiple grounds. These included: “breach of contract, negligence, breach of privacy, intrusion upon seclusion, beach of confidence, unjust enrichment and waiver of tort.” (at para 6) The motions judge certified only claims in contract, negligence, and the federal common law of privacy.

The defendants appealed, arguing that the remaining grounds were not viable and that the action should not have been certified. They also argued that a class action lawsuit was not the preferable procedure for the resolution of the common issues. While the plaintiffs cross-appealed the dismissal of the claim for breach of confidence, they did not appeal the decision that there was no recourse for breach of privacy or the tort of intrusion upon seclusion under BC law.

This post focuses what I consider to be the three most interesting issues in the case. These are: whether there is recourse for data breaches other than via data protection legislation; whether the tort of breach of privacy exists in B.C.; and whether there is a federal common law of privacy.

1. Is PIPEDA a complete code

The defendants argued that the class action lawsuit was not the preferred procedure because the federal Personal Information Protection and Electronic Documents Act (PIPEDA) constituted a “complete code in respect of the collection, retention, and disclosure of personal information by federally-regulated businesses, and that no action, apart from the application to the Federal Court contemplated by the Act can be brought in respect of a data breach.” (at para 18) Justice Groberman, writing for the unanimous Court, noted that while it was possible for a statute to constitute a complete code intended to fully regulate a particular domain, it is not inevitable. He observed that the Ontario Court of Appeal decision in Hopkins v. Kay had earlier determined that Ontario’s Personal Health Information Protection Act (PHIPA) did not constitute a complete code when it came to regulating personal health information, allowing a lawsuit to proceed against a hospital for a data breach. In Hopkins, the Ontario Court of Appeal noted that PHIPA was primarily oriented towards addressing systemic issues in the handling of personal health information, rather than dealing with individual disputes. Although there was a complaints mechanism in the statute, the Commissioner had the discretion to decline to investigate a complaint if a more appropriate procedure were available. Justice Groberman noted that PIPEDA contained a similar provision in s. 12. He observed that “[t]his language, far from suggesting that the PIPEDA is a complete code, acknowledges that other remedies continue to be available, and gives the Commissioner the discretion to abstain from conducting an investigation where an adequate alternative remedy is available to the complainant.” (at para 28) In his view, PIPEDA is similarly oriented towards addressing systemic problems and preventing future breaches, and that “[w]hile there is a mechanism to resolve individual complaints, it is an adjunct to the legislative scheme, not its focus.” (at para 29) He also found it significant that PIPEDA addressed private rather than public sector data protection. He stated: “[w]ithin a private law scheme, it seems to me that we should exercise even greater caution before concluding that a statute is intended to abolish existing private law rights.” (at para 30) He concluded that nothing in PIPEDA precluded other forms of recourse for privacy harms.

2. Do common law privacy torts exist in BC?

In 2012 the Ontario Court of Appeal recognized the privacy tort of intrusion upon seclusion in Jones v. Tsige. However, since British Columbia has a statutory privacy tort in its Privacy Act, the motions judge (like other BC judges before him) concluded that the statutory tort displaced any possible common law tort in BC. Justice Groberman was clearly disappointed that the plaintiffs had chosen not to appeal this conclusion. He stated: “In my view, the time may well have come for this Court to revisit its jurisprudence on the tort of breach of privacy.” (at para 55) He proceeded to review the case law usually cited as supporting the view that there is no common law tort of breach of privacy in BC. He distinguished the 2003 decision in Hung v. Gardiner on the basis that in that case the judge at first instance had simply stated that he was not convinced by the authorities provided that such a tort existed in BC. On appeal, the BCCA agreed with the judge’s conclusion on an issue of absolute privilege, and found it unnecessary to consider any of the other grounds of appeal.

The BCCA decision in Mohl v. University of British Columbia is more difficult to distinguish because in that case the BCCA stated “[t]here is no common-law claim for breach of privacy. The claim must rest on the provisions of the [Privacy] Act.” (Mohl at para 13) Nevertheless, Justice Groberman indicated that while this statement was broad, “it is not entirely clear that it was intended to be a bold statement of general principle as opposed to a conclusion with respect to the specific circumstances of Mr. Mohl's case. In any event, the observation was not critical to this Court's reasoning.” (at para 62)

Justice Groberman concluded that “The thread of cases in this Court that hold that there is no tort of breach of privacy, in short, is a very thin one.” (at para 64) He also noted that the privacy context had considerably changed, particularly with the Ontario Court of Appeal’s decision in Jones v. Tsige. He stated:

It may be that in a bygone era, a legal claim to privacy could be seen as an unnecessary concession to those who were reclusive or overly sensitive to publicity, though I doubt that that was ever an accurate reflection of reality. Today, personal data has assumed a critical role in people's lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic. (at para 66)

He indicated that the Court of Appeal might be inclined to reconsider the issue were it to be raised before them, although he could not do so in this case since the plaintiffs had not appealed the judge’s ruling on this point.

3. There is no federal common law of privacy

However keen Justice Groberman might have been to hear arguments on the common law tort of privacy, he overturned the certification of the privacy claims as they related to the federal common law of privacy. He characterized this approach as ‘creative’, but inappropriate. He noted that while common law principles might evolve in areas of federal law (e.g. maritime law), in cases where there was shared jurisdiction such as in privacy law, there was no separate body of federal common law distinct from provincial common law. He stated “there is only a single common law, and it applies within both federal and provincial spheres.” (at para 76) More specifically, he stated:

Where an area of law could be regulated by either level of government, it is not sensible to describe the situation in which neither has enacted legislation as being a situation of either "federal" or "provincial" common law. It is simply a situation of the "common law" applying. The plaintiffs cannot choose whether to bring their claims under "federal" or "provincial" common law as if these were two different regimes. (at para 86)

Because the claim advanced by the plaintiff had nothing to do with any specific area of federal jurisdiction, Justice Groberman rejected the idea that a cause of action arose under “federal” common law.

Overall, this decision is an interesting one. Clearly the Court of Appeal is sending strong signals that it is time to rethink recourse for breach of privacy in the province. It may now be that there is both a statutory and a common law action for breach of privacy. If this is so, it will be interesting to see what scope is given to the newly recognized common law tort. “Complete code” arguments have arisen in other lawsuits relating to breach of privacy; the BCCA’s response in this case adds to a growing body of jurisprudence that rejects the idea that data protection laws provide the only legal recourse for the mishandling of personal data. Finally, a number of class action lawsuits have asserted the “federal common law of privacy”, even though it has been entirely unclear what this is. The BCCA suggests that it is a fabrication and that no such distinct area of common law exists.

Published in Privacy

 

This is a copy of my submission in response to the Elections Canada consultation on Political Communications in Federal Elections. The consultation closes on August 21, 2020. Note that this submission has endnotes which are at the end of the document. Where possible these include hyperlinks to the cited sources.

16 August 2020

I appreciate the invitation to respond to Election Canada’s consultation on the overall regulatory regime that governs political communications in federal elections. I hold the Canada Research Chair in Information Law and Policy at the University of Ottawa, where I am also a law professor. I provide the following comments in my capacity as an individual.

The consultation raises issues of great importance to Canadians. My comments will focus on Discussion Paper 3: The Protection of Electors’ Personal Information in the Federal Electoral Context.[1]

Concerns over how political parties handle personal information have increased steadily over the years. Not surprisingly, this coincides with the rise of big data analytics and artificial intelligence (AI) and the capacity of these technologies to use personal data in new ways including profiling and manipulating. Discussion Paper 3 hones in on the Cambridge Analytica scandal[2] and its implications for the misuse of personal data for voter manipulation. This egregious case illustrates why, in a big data environment, we need to seriously address how voter personal data is collected, used and disclosed.[3] The potential misuse of data for voter manipulation is an expanding threat.[4] Yet this kind of high-profile voter manipulation scandal is not the only concern that Canadians have with how their personal information is handled by political parties. Additional concerns include lax security;[5] unwanted communications;[6] targeting based on religion, ethnicity or other sensitive grounds;[7] data sharing;[8] lack of transparency,[9] and voter profiling.[10] In addition, there is a troubling lack of transparency, oversight and accountability.[11] All of these are important issues, and they must be addressed through a comprehensive data protection regime.[12]

Public concern and frustration with the state of data protection for Canadians when it comes to political parties has been mounting. There have been reports and studies,[13] op-eds and editorials,[14] privacy commissioner complaints,[15] a competition bureau complaint,[16] and even legal action.[17]

There is a growing gulf between what Canadians expect when it comes to the treatment of their personal data and the obligations of political parties. Canadians now have two decades of experience with the Personal Information Protection and Electronic Documents Act (PIPEDA)[18] which governs the collection, use, and disclosure of personal data in the private sector. Yet PIPEDA does not apply to political parties, and there is a very wide gap between PIPEDA’s data protection norms and the few rules that apply to federal political parties. There is also considerable unevenness in the regulatory context for use of personal data by political parties across the country. For example, B.C.’s Personal Information Protection Act (PIPA)[19] already applies to B.C. political parties, and while there have been some problems with compliance,[20] the democratic process has not been thwarted. A recent interpretation of PIPA by the B.C. Privacy Commissioner also places federal riding offices located in B.C. under its jurisdiction.[21] This means that there are now different levels of data protection for Canadians with respect to their dealings with federal parties depending upon the province in which they live and whether, if they live in B.C., they are interacting with their riding office or with the national party itself.. Further, if Quebec’s Bill 64 is enacted, it would largely extend the province’s private sector data protection law to political parties. Ontario, which has just launched a consultation on a new private sector data protection law for that province is considering extending it to political parties.[22] Internationally, The EU’s General Data Protection Regulation (GDPR)[23] applies to political parties, with some specially tailored exceptions. Frankly put, it is becoming impossible to credibly justify the lack of robust data protection available to Canadians when it comes to how their personal data is handled by political parties. Lax data protection is neither the rule in Canada, nor the norm internationally.

There are points at which Discussion Paper 3 is overly defensive about the need for political parties to collect, use and disclose personal information about voters in the course of their legitimate activities. This need is not contested. But for too long it has gone virtually unrestrained and unsupervised. To be clear, data protection is not data prohibition. Data protection laws explicitly acknowledge the need of organizations to collect, use and disclose personal information.[24] Such laws set the rules to ensure that organizations collect, use, and disclose personal data in a manner consistent with the privacy rights of individuals. In addition, they protect against broader societal harms that may flow from unrestrained uses of personal data, including, in the political context, the manipulation of voters and subversion of democracy.

1. Information provided to parties by Elections Canada

Discussion Paper 3 sets out the current rules that protect electors’ personal information. For the most part, they are found in the Canada Elections Act (CEA).[25] In some instances, these rules provide less protection than comparable provincial election laws. For example, security measures, including the use of fictitious information in lists of electors to track unauthorized uses are in place in some jurisdictions, but not at the federal level. Discussion Paper 3 notes that while such measures are not part of the CEA, best practices are provided for in Elections Canada guidelines.[26] These guidelines are not mandatory and are insufficient to protect electors’ information from deliberate or unintentional misuse.

The CEA also contains new provisions requiring political parties to adopt privacy polices and to publish these online. While such privacy policies offer some improved degree of transparency, they do not provide for adequate enforcement or accountability. Further, they do not meet the threshold, in terms of prescribed protections, of the fair information principles that form the backbone of most data protection laws including PIPEDA.

There are some matters that should be addressed by specific provisions in the CEA. These relate to information that is shared by the CEA with political parties such as the list of electors. The CEA should maintain accountability for this information by imposing security obligations on parties or candidates who receive the list of electors. It would be appropriate in those circumstances to have specific data breach notification requirements relating to the list of electors contained in the CEA. However, with respect to the wealth of other information that political parties collect or use, they should have to comply with PIPEDA and be accountable under PIPEDA for data breaches.

2. Fair Information Principles Approach

Discussion Paper 3 takes the position that fair information principles should be applied to political parties, and frames its questions in terms of how this should be accomplished. There are two main options. One is to craft a set of rules specifically for political parties which might be incorporated into the CEA, with oversight by either the Privacy Commissioner and/or the Chief Electoral Officer. Another is to make political parties subject to PIPEDA, and to add to that law any carefully tailored exceptions necessary in the political context. The latter approach is better for the following reasons:

· The data protection landscape in Canada is already fragmented, with separate laws for federal and provincial public sectors; separate laws for the private sector, including PIPEDA and provincial equivalents in B.C., Alberta and Quebec; and separate laws for personal health information. There is a benefit to simplicity and coherence. PIPEDA can be adapted to the political context. There are many obligations which can and should be the same whether for private sector organizations or political parties. If particular exceptions tailored to the political context are required, these can be added.

· Political parties in BC (including federal riding associations) are already subject to data protection laws. Quebec, in Bill 64, proposes to make political parties subject to their private sector data protection law. The same approach should be followed federally.

· It is expected that PIPEDA will be amended in the relatively short term to bring it into line with the contemporary big data context. Creating separate norms in the CEA for political parties risks establishing two distinct privacy schemes which may not keep up with one another as the data context continues to evolve. It is much simpler to maintain one set of norms than to have two sets of privacy norms that are initially similar but that diverge over time.

 

3. Fair Information Principles: Specific Provisions

Discussion Paper 3 considers certain of the Fair Information Principles and how they apply to political parties. This discussion seems to assume in places that the solution will be to introduce new provisions in the CEA, rather than applying PIPEDA to political parties, subject to certain exceptions. For example, the first question under Accountability asks “Besides publishing their privacy policies, what other requirements could parties be subject to in order to make them accountable for how they collect, use and disclose personal information?”[27] As noted above, my view is that political parties should be subject to PIPEDA. The “other requirements” needed are those found in PIPEDA. There is no need to reinvent the wheel for political parties.

On the issue of data breaches, I note with concern that Discussion Paper 3 takes an overly cautious approach. For example, it states, presumably referring to PIPEDA, that “There are also penalties for organizations that knowingly fail to report a breach, which could be ruinous for a smaller party.”[28] In the first place, these penalties are for knowingly failing to report a breach, not for experiencing a breach. A party that experiences a data breach that creates a real risk of serious harm to an individual (the reporting threshold) and does not report it, should not complain of the fines that are imposed for this failure. Secondly, the amounts set out in the legislation are maximum fines and courts have discretion in imposing them. In any event, a class action law suit following a data breach is much more likely to be the ruination of a smaller party; liability for such a data breach could be mitigated by being able to demonstrate not only that the party complied with data protection norms but that it also responded promptly and appropriately when the breach took place. In my view, the data breach notification requirements can and should be applied to political parties.

Discussion Paper 3 also floats the idea of a voluntary code of practice as an alternative to parties being subject to data protection laws. It states: “A voluntary code may be more palatable to political parties than legislated change, while at the same time moving towards increasing electors’ privacy”.[29] It is fair to say that ‘soft’ guidance with no enforcement is always more palatable to those to whom it would apply than real obligations. However, we are long past the time for a gentle transition to a more data protective approach. Political parties have embraced big data and data analytics and now collect, use, and disclose unprecedented amounts of personal information. They need to be subject to the same data protection laws as other actors in this environment. While those laws may need a few carefully tailored exceptions to protect the political process, on the whole, they can and should apply.

It would be wasteful, confusing, and unsatisfactory to create a parallel regime for data protection and political parties in Canada. Given their embrace of the big data environment and their expanding use of personal data, these parties should be held to appropriate and meaningful data protection norms, with oversight by the Privacy Commissioner of Canada. Federal political parties should be subject to PIPEDA with some carefully tailored exceptions.



[1] Elections Canada, Discussion Paper 3: The Protection of Electors’ Personal Information in the Federal Electoral Context, May 2020, online: https://www.elections.ca/content.aspx?section=res&dir=cons/dis/compol/dis3&document=index&lang=e.

[2] See, e.g.: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2019-004: Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, November 26 2019, online: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-004/.

[3] Cherise Seucharan and Melanie Green, “A B.C. scandal has pulled back the curtain on how your online information is being used”, November 29, 2019, online: https://www.thestar.com/vancouver/2019/11/29/heres-how-companies-and-political-parties-are-getting-their-hands-on-your-data.html.

[4] Brian Beamish, 2018 Annual Report: Privacy and Accountability for a Digital Ontario, Office of the Information and Privacy Commissioner of Ontario, June 27, 2019, at p. 30, online: https://www.ipc.on.ca/wp-content/uploads/2019/06/ar-2018-e.pdf. Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, online: https://www.oipc.bc.ca/investigation-reports/2278.

[5] Joan Bryden, “Elections Canada chief warns political parties are vulnerable to cyberattacks”, 4 February 2019, Global News, online: https://globalnews.ca/news/4925322/canada-political-parties-cyberattack-threat/; Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 6 (noting the number of complaints received relating to lax security practices), and pp. 27-31 (outlining security issues), online: https://www.oipc.bc.ca/investigation-reports/2278.

[6] Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 22, online: https://www.oipc.bc.ca/investigation-reports/2278. Note that the complaint that led to the ruling that that province’s Personal Information Protection Act applied to federal riding associations in B.C. was based on an unconsented to use of personal data. See: OIPC BC, Courtenay-Alberni Riding Association of The New Democratic Party of Canada, Order No. P19-02, 28 August 2019, online: https://www.oipc.bc.ca/orders/2331.

[7] See, e.g.: Michael Geist, “Why Political Parties + Mass Data Collection + Religious Targeting + No Privacy Laws = Trouble”, October 11, 2019, online: http://www.michaelgeist.ca/2019/10/why-political-parties-mass-data-collection-religious-targeting-no-privacy-laws-trouble/; Sara Bannerman, Julia Kalinina, and Nicole Goodman, “ Political Parties’ Voter Profiling Is a Threat to Democracy”, The Conversation, 27 January 2020, online: https://thetyee.ca/Analysis/2020/01/27/Political-Parties-Profiling-Democracy/.

[8] See: Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 25, online: https://www.oipc.bc.ca/investigation-reports/2278.

[9] Colin Bennett, “They’re spying on you: how party databases put your privacy at risk”, iPolitics, September 1, 2015, online: https://ipolitics.ca/2015/09/01/theyre-spying-on-you-how-party-databases-put-your-privacy-at-risk/

[10] Colin J. Bennett, “Canadian political parties are gathering more and more data on voters all the time. It’s time we regulated what data they glean, and what they can do with it”, Policy Options, 1 February 2013, online: https://policyoptions.irpp.org/magazines/aboriginality/bennett/.

[11] See, e.g.: Yvonne Colbert, “What's in your file? Federal political parties don't have to tell you”, CBC, 30 July 2019, online: https://www.cbc.ca/news/canada/nova-scotia/privacy-federal-political-parties-transparency-1.5226118; Katharine Starr, “Privacy at risk from Canadian political parties, says U.K. watchdog”, CBC, 10 November 2018, online: https://www.cbc.ca/news/politics/uk-information-commissioner-canadian-parties-data-privacy-1.4898867.

[12] Federal, Provincial and Territorial Privacy Commissioners of Canada support meaningful privacy obligations for political parties. See: Securing Trust and Privacy in Canada’s Electoral Process: Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners, Regina, Saskatchewan, September 11-13, 2018, online: https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/joint-resolutions-with-provinces-and-territories/res_180913/.

[13] See, e.g.: Colin J. Bennett and Robyn M. Bayley, “Canadian Federal Political Parties and Personal Privacy Protection: A Comparative Analysis”, March 2012, online: https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2012/pp_201203/; Colin Bennett, “Data Driven Elections and Political Parties in Canada: Privacy Implications, Privacy Policies and Privacy Obligations”, (April 12, 2018). Canadian Journal of Law and Information Technology, Available at SSRN: https://ssrn.com/abstract=3146964; Colin J. Bennett, “Privacy, Elections and Political Parties: Emerging Issues For Data Protection Authorities”, 2016, online: https://www.colinbennett.ca/wp-content/uploads/2016/03/Privacy-Elections-Political-Parties-Bennett.pdf; House of Commons, Standing Committee on Access to Information, Privacy and Ethics, Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly (December 2018), online: <https://www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP10242267/ethirp17/ethirp17-e.pdf>, archived: https://perma.cc/RV8T-ZLWW.

[14] See, e.g.: Samantha Bradshaw, “Data-protection laws must be extended to political parties”, Globe and Mail, 22 March 2018, online: https://www.theglobeandmail.com/opinion/article-data-protection-laws-must-be-extended-to-political-parties/; Michael Morden, “Politicians say they care about privacy. So why can political parties ignore privacy law?”, Globe and Mail, 29 May 2019, online: https://www.theglobeandmail.com/opinion/article-politicians-say-they-care-about-privacy-so-why-can-political-parties/; Colin Bennett, “Politicians must defend Canadians’ online privacy from Big Tech – and from politicians themselves”, Globe and Mail, 26 December 2019, online: https://www.theglobeandmail.com/opinion/article-politicians-must-defend-canadians-online-privacy-from-big-tech-and/; Sabrina Wilkinson, “Voter Privacy: What Canada can learn from abroad”, OpenCanada.org, 4 October 2019, online: https://www.opencanada.org/features/voter-privacy-what-canada-can-learn-abroad/ Fraser Duncan, “Political Parties and Voter Data: A Disquieting Gap in Canadian Privacy Legislation”, Saskatchewan Law Review, June 21 2019, online: https://sasklawreview.ca/comment/political-parties-and-voter-data-a-disquieting-gap-in-canadian-privacy-legislation.php; Colin Bennett, “They’re spying on you: how party databases put your privacy at risk”, iPolitics, September 1, 2015, online: https://ipolitics.ca/2015/09/01/theyre-spying-on-you-how-party-databases-put-your-privacy-at-risk/.

[15] See: Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 25, online: https://www.oipc.bc.ca/investigation-reports/2278; OIPC BC, Courtenay-Alberni Riding Association of The New Democratic Party of Canada, Order No. P19-02, 28 August 2019, online: https://www.oipc.bc.ca/orders/2331.

[16] See: Rachel Aiello, “Major political parties under competition probe over harvesting of Canadians' personal info”, CTV News 15 January 2020, online: https://www.ctvnews.ca/politics/major-political-parties-under-competition-probe-over-harvesting-of-canadians-personal-info-1.4768501.

[17] Rachel Gilmore, “Privacy group going to court over alleged improper use of voters list by Liberals, Tories and NDP”, CTV News, 10 August 2020, online: https://www.ctvnews.ca/politics/privacy-group-going-to-court-over-alleged-improper-use-of-voters-list-by-liberals-tories-and-ndp-1.5058556.

[19] SBC 2003, c 63, http://canlii.ca/t/52pq9.

[20] Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 22, online: https://www.oipc.bc.ca/investigation-reports/2278.

[21] OIPC BC, Courtenay-Alberni Riding Association of The New Democratic Party of Canada, Order No. P19-02, 28 August 2019, online: https://www.oipc.bc.ca/orders/2331.

[22] Ministry of Government and Community Services, “Ontario Private Sector Privacy Reform: Improving private sector privacy for Ontarians in a digital age”, 13 August 2020, online: https://www.ontariocanada.com/registry/showAttachment.do?postingId=33967&attachmentId=45105.

[23] L119, 4 May 2016, p. 1–88; online: https://gdpr-info.eu/.

[24] See, e.g., PIPEDA, s. 3.

[26] Elections Canada, Guidelines for the Use of the List of Electors, https://www.elections.ca/content.aspx?section=pol&document=index&dir=ann/loe_2019&lang=e.

[27] Elections Canada, Discussion Paper 3: The Protection of Electors’ Personal Information in the Federal Electoral Context, May 2020, at 11, online: https://www.elections.ca/content.aspx?section=res&dir=cons/dis/compol/dis3&document=index&lang=e.

[28] Ibid at 16.

[29] Ibid at 17.

Published in Privacy

 

The Ontario Government has just launched a public consultation and discussion paper to solicit input on a new private sector data protection law for Ontario.

Currently, the collection, use and disclosure of personal information in Ontario is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). This is a federal statute overseen by the Privacy Commissioner of Canada. PIPEDA allows individual provinces to pass their own private sector data protection laws so long as they are ‘substantially similar’. To date, Quebec, B.C. and Alberta are the only provinces to have done so.

Critics of this move by Ontario might say that there is no need to add the cost of overseeing a private sector data protection law to the provincial budget when the federal government currently bears this burden. Some businesses might also balk at having to adapt to a new data protection regime. While many of the rules might not be significantly different from those in PIPEDA, there are costs involved simply in reviewing and assessing compliance with any new law. Another argument against a new provincial law might relate to the confusion and uncertainty that could be created around the application of the law, since it would likely only apply to businesses engaged in intra-provincial commercial activities and not to inter-provincial or international activities, which would remain subject to PIPEDA. Although these challenges have been successfully managed in B.C., Alberta and Quebec, there is some merit in having a single, overarching law for the whole of the private sector in Canada.

Nevertheless, there are many reasons to enthusiastically embrace this development in Ontario. First, constitutional issues limit the scope of application of PIPEDA to organizations engaged in the collection, use or disclosure of personal information in the course of commercial activity. This means that those provinces that rely solely on PIPEDA for data protection regulation have important gaps in coverage. PIPEDA does not apply to employees in provincially regulated sectors; non-commercial activities of non-profits and charities are not covered, nor are provincial (or federal, for that matter) political parties. The issue of data protection and political parties has received considerable attention lately. B.C.’s private sector data protection law applies to political parties in B.C., and this has recently been interpreted to include federal riding associations situated in B.C. Bill 64, a bill to amend data protection laws in Quebec, would also extend the application of that province’s private sector data protection law to provincial political parties. If Ontario enacts its own private sector data protection law, it can (and should) extend it to political parties, non-commercial actors or activities, and provide better protection for employee personal data. These are all good things.

A new provincial law will also be designed for a digital and data economy. A major problem with PIPEDA is that it has fallen sadly out of date and is not well adapted to the big data and AI environment. For a province like Ontario that is keen to build public trust in order to develop its information economy, this is a problem. Canadians are increasingly concerned about the protection of their personal data. The COVID-19 crisis appears to have derailed (once again) the introduction of a bill to amend PIPEDA and it is not clear when such a bill will be introduced. Taking action at the provincial level means no longer being entirely at the mercy of the federal agenda.

There is something to be said as well for a law, and a governance body (in this case, it would be the Office of the Ontario Information and Privacy Commissioner) that is attuned to the particular provincial context while at the same time able to cooperate with the federal Commissioner. This has been the pattern in the other provinces that have their own statutes. In Alberta and B.C. in particular, there has been close collaboration and co-operation between federal and provincial commissioners, including joint investigations into some complaints that challenge the boundaries of application of federal and provincial laws. In addition, Commissioners across the country have increasingly issued joint statements on privacy issues of national importance, including recently in relation to COVID-19 and contact-tracing apps. National co-operation combined with provincial specificity in data protection could offer important opportunities for Ontario.

In light of this, this consultation process opens an exciting new phase for data protection in Ontario. The task will not simply to be to replicate the terms of PIPEDA or even the laws of Alberta and B.C. (all of which can nonetheless provide useful guidance). None of these laws is particularly calibrated to the big data environment (B.C.’s law is currently under review), and there will be policy choices to be made around many of the issues that have emerged in the EU’s General Data Protection Regulation. This consultation is an opportunity to weigh in on crucially important data protection issues for a contemporary digital society, and a made-in-Ontario statute.

Published in Privacy

On April 15, 2020 Facebook filed an application for judicial review of the Privacy Commissioner’s “decisions to investigate and continue investigating” Facebook, and seeking to quash the Report of Findings issued on April 25, 2019. This joint investigation involving the BC and federal privacy commissioners was carried out in the wake of the Cambridge Analytica scandal.

The Report of Findings found that Facebook had breached a number of its obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C.’s Personal Information Protection Act (PIPA). [As I explain here, it is not possible to violate both statutes on the same set of facts, so it is no surprise that nothing further has happened under PIPA]. The Report of Findings set out a series of recommendations. It also contained a section on Facebook’s response to the recommendations in which the commissioners chastise Facebook. The Report led to some strongly worded criticism of Facebook by the federal Privacy Commissioner. On February 6, 2020, the Commissioner referred the matter to Federal Court for a hearing de novo under PIPEDA.

The application for judicial review is surprising. Under the Federal Courts Act, a party has thirty days from the date of a decision affecting it to seek judicial review. For Facebook, that limitation ran out a long time ago. Further, section 18.1 of the Federal Courts Act provides for judicial review of decision, but a Report of Findings is not a decision. The Commissioner does not have the power to make binding orders. Only the Federal Court can do that, after a hearing de novo. The decisions challenged in the application for judicial review are therefore the “decisions to investigate and to continue investigating” Facebook.

In its application for judicial review Facebook argues that the complainants lacked standing because they did not allege that they were users of Facebook or that their personal information had been impacted by Cambridge Analytica’s activities. Instead, they raised general concerns about Facebook’s practices leading to the Cambridge Analytica scandal. This raises the issue of whether a complaint under PIPEDA must be filed by someone directly affected by a company’s practice. The statute is not clear. Section 11(1) of PIPEDA merely states: “An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.” Facebook’s argument is that a specific affected complainant is required even though Facebook’s general practices might have left Canadian users vulnerable. This is linked to a further argument by Facebook that the investigation lacked a Canadian nexus since there was no evidence that any data about Canadians was obtained or used by Cambridge Analytica.

Another argument raised by Facebook is that that the investigation amounted to a “broad audit of Facebook’s personal information management practices, not an investigation into a particular PIPEDA contravention” as required by Paragraph 11(1) of PIPEDA. Facebook argues that the separate audit power under PIPEDA has built-in limitations, and that the investigation power is much more extensive. They argue, essentially, that the investigation was an audit without the limits. Facebook also argues that the report of findings was issued outside of the one-year time limit set in s. 13(1) of PIPEDA. In fact, it was released after thirteen rather than twelve months.

Finally, Facebook argues that the investigation carried out by the Commissioner lacked procedural fairness and independence. The allegations are that the sweeping scope of the complaint made against Facebook was not disclosed until shortly before the report was released and that as a result Facebook had been unaware of the case it had to meet. It also alleges a lack of impartiality and independence on the part of the Office of the Privacy Commissioner in the investigation. No further details are provided.

The lack of timeliness of this application may well doom it. Section 18.1 of the Federal Courts Act sets the thirty-day time limit from the date when the party receives notice of the decision it seeks to challenge; the decision in this case is the decision to initiate the investigation, which would have been communicated to Facebook almost two years ago. Although judges have discretion to extend the limitation period, and although Facebook argues it did not receive adequate communication regarding the scope of the investigation, even then their application comes almost a year after the release of the Report of Findings. Perhaps more significantly, it comes two and a half months after the Commissioner filed his application for a hearing de novo before the Federal Court. The judicial review application seems to be a bit of a long shot.

Long shot though it may be, it may be intended as a shot across the bows of both the Office of the Privacy Commissioner and the federal government. PIPEDA is due for reform in the near future. Better powers of enforcement for PIPEDA have been on the government’s agenda; better enforcement is a pillar of the Digital Charter. The Commissioner and others have raised enforcement as one of the major weaknesses of the current law. In fact, the lack of response by Facebook to the recommendations of the Commissioner following the Report of Findings was raised by the Commissioner as evidence of the need for stronger enforcement powers. One of the sought-after changes is the power for the Commissioner to be able to issue binding orders.

This application for judicial review, regardless of its success, puts on the record concerns about procedural fairness that will need to be front of mind in any reforms that increase the powers of the Commissioner. As pointed out by former Commissioner Jennifer Stoddart in a short article many years ago, PIPEDA creates an ombuds model in which the Commissioner plays a variety of roles, including promoting and encouraging compliance with the legislation, mediating and attempting early resolution of disputes and investigating and reporting on complaints. Perhaps so as to give a degree of separation between these roles and any binding order of compliance, it is left to the Federal Court to issue orders after a de novo hearing. Regardless of its merits, the Facebook application for judicial review raises important procedural fairness issues even within this soft-compliance model, particularly since the Commissioner took Facebook so publicly to task for not complying with its non-binding recommendations. If PIPEDA were to be amended to include order-making powers, then attention to procedural fairness issues will be even more crucial. Order-making powers might require clearer rules around procedures as well as potentially greater separation of functions within the OPC, or possibly the creation of a separate adjudication body (e.g. a privacy tribunal).

Published in Privacy
<< Start < Prev 1 2 3 4 5 Next > End >>
Page 1 of 5

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law