Teresa Scassa - Blog

Displaying items by tag: Bill c27

This is the second in a series of posts on Bill C-27’s proposed Artificial Intelligence and Data Act (AIDA). The first post looked at the scope of application of the AIDA. This post considers what activities and what data will be subject to governance.

Bill C-27’s proposed Artificial Intelligence and Data Act (AIDA) governs two categories of “regulated activity” so long as they are carried out “in the course of international or interprovincial trade and commerce”. These are set out in s. 5(1):

(a) processing or making available for use any data relating to human activities for the purpose of designing, developing or using an artificial intelligence system;

(b) designing, developing or making available for use an artificial intelligence system or managing its operations.

These activities are cast in broad terms, capturing activities related both to the general curating of the data that fuel AI, and the design, development, distribution and management of AI systems. The obligations in the statute do not apply universally to all engaged in the AI industry. Instead, different obligations apply to those performing different roles. The chart below identifies the actor in the left-hand column, and the obligation the column on the right.

 

Actor

Obligation

A person who carries out any regulated activity and who processes or makes available for use anonymized data in the course of that activity

(see definition of “regulated activity” in s. 5(1)

s. 6 (data anonymization, use and management)

s. 10 (record keeping regarding measures taken under s. 6)

A person who is responsible for an artificial intelligence system (see definition of ‘person responsible’ in s. 5(2)

s. 7 (assess whether a system is high impact)

s. 10 (record keeping regarding reasons supporting their assessment of whether the system is high-impact under s. 7)

A person who is responsible for a high-impact system (see definition of ‘person responsible’ in s. 5(2; definition of “high-impact” system, s. 5(1))

s. 8 (measures to identify, assess and mitigate risk of harm or biased output)

s. 9 (measures to monitor compliance with the mitigation measures established under s. 8 and the effectiveness of the measures

s. 10 (record keeping regarding measures taken under ss. 8 and 9)

s. 12 (obligation to notify the Minister as soon as feasible if the use of the system results or is likely to result in material harm)

A person who makes available for use a high-impact system

s. 11(1) (publish a plain language description of the system and other required information)

A person who manages the operation of a high-impact system

s. 11(2) (publish a plain language description of how the system is used and other required information)

 

For most of these provisions, the details of what is actually required by the identified actor will depend upon regulations that have yet to be drafted.

A “person responsible” for an AI system is defined in s. 5(2) of the AIDA in these terms:

5(2) For the purposes of this Part, a person is responsible for an artificial intelligence system, including a high-impact system, if, in the course of international or interprovincial trade and commerce, they design, develop or make available for use the artificial intelligence system or manage its operation.

Thus, the obligations in ss. 7, 8, 9, 10 and 11, apply only to those engaged in the activities described in s. 5(1)(b) (designing, developing or making available an AI system or managing its operation). Further, it is important to note that with the exception of sections 6 and 7, the obligations in the AIDA also apply only to ‘high impact’ systems. The definition of a high-impact system has been left to regulations and is as yet unknown.

Section 6 stands out somewhat as a distinct obligation relating to the governance of data used in AI systems. It applies to a person who carries out a regulated activity and who “processes or makes available for use anonymized data in the course of that activity”. Of course, the first part of the definition of a regulated activity includes someone who processes or makes available for use “any data relating to human activities for the purpose of designing, developing or using” an AI system. So, this obligation will apply to anyone “who processes or makes available for use anonymized data” (s. 6) in the course of “processing or making available for use any data relating to human activities for the purpose of designing, developing or using an artificial intelligence system” (s. 5(1)). Basically, then for s. 6 to apply, the anonymized data must be processed for the purposes of development of an AI system. All of this must also be in the course if international or interprovincial trade and commerce.

Note that the first of these two purposes involves data “related to human activities” that are used in AI. This is interesting. The new Consumer Privacy Protection Act (CPPA) that forms the first part of Bill C-27 will regulate the collection, use and disclosure of personal data in the course of commercial activity. However, it provides, in s. 6(5), that: “For greater certainty, this Act does not apply in respect of personal information that has been anonymized.” By using the phrase “data relating to human activities” instead of “personal data”, s. 5(1) of the AIDA clearly addresses human-derived data that fall outside the definition of personal information in the CPPA because of anonymization.

Superficially, at least, s. 6 of the AIDA appears to pick up the governance slack that arises where anonymized data are excluded from the scope of the CPPA. [See my post on this here]. However, for this to happen, the data have to be used in relation to an “AI system”, as defined in the legislation. Not all anonymized data will be used in this way, and much will depend on how the definition of an AI system is interpreted. Beyond that, the AIDA only applies to a ‘regulated activity’ which is one carried out in the course of international and inter-provincial trade and commerce. It does not apply outside the trade and commerce context, nor does it apply to any excluded actors [as discussed in my previous post here]. As a result, there remain clear gaps in the governance of anonymized data. Some of those gaps might (eventually) be filled by provincial governments, and by the federal government with respect to public-sector data usage. Other gaps – e.g., with respect to anonymized data used for purposes other than AI in the private sector context – will remain. Further, governance and oversight under the proposed CPPA will be by the Privacy Commissioner of Canada, an independent agent of Parliament. Governance under the AIDA (as will be discussed in a forthcoming post) is by the Minister of Industry and his staff, who are also responsible for supporting the AI industry in Canada. Basically, the treatment of anonymized data between the CPPA and the AIDA creates a significant governance gap in terms of scope, substance and process.

On the issue of definitions, it is worth making a small side-trip into ‘personal information’. The definition of ‘personal information’ in the AIDA provides that the term “has the meaning assigned by subsections 2(1) and (3) of the Consumer Privacy Protection Act.” Section 2(1) is pretty straightforward – it defines “personal information” as “information about an identifiable individual”. However, s. 2(3) is more complicated. It provides:

2(3) For the purposes of this Act, other than sections 20 and 21, subsections 22(1) and 39(1), sections 55 and 56, subsection 63(1) and sections 71, 72, 74, 75 and 116, personal information that has been de-identified is considered to be personal information.

The default rule for ‘de-identified’ personal information is that it is still personal information. However, the CPPA distinguishes between ‘de-identified’ (pseudonymized) data and anonymized data. Nevertheless, for certain purposes under the CPPA – set out in s. 2(3) – de-identified personal information is not personal information. This excruciatingly-worded limit on the meaning of ‘personal information’ is ported into the AIDA, even though the statutory provisions referenced in s. 2(3) are neither part of AIDA nor particularly relevant to it. Since the legislator is presumed not to be daft, then this must mean that some of these circumstances are relevant to the AIDA. It is just not clear how. The term “personal information” is used most significantly in the AIDA in the s. 38 offense of possessing or making use of illegally obtained personal information. It is hard to see why it would be relevant to add the CPPA s. 2(3) limit on the meaning of ‘personal information’ to this offence. If de-identified (not anonymized) personal data (from which individuals can be re-identified) are illegally obtained and then used in AI, it is hard to see why that should not also be captured by the offence.

 

Published in Privacy

This is the first of a series of posts on the part of Bill C-27 that would enact a new Artificial Intelligence and Data Act (AIDA) in Canada. Previous posts have considered the part of the bill that would reform Canada’s private sector data protection law. This series on the AIDA begins with an overview of its purpose and application.

Bill C-27 contains the text of three proposed laws. The first is a revamped private sector data protection law. The second would establish a new Data Tribunal that is assigned a role under the data protection law. The third is a new Artificial Intelligence and Data Act (AIDA) While the two other components were present in the bill’s failed predecessor Bill C-11, the AIDA is new – and for many came as a bit of a surprise. The common thread, of course, is the government’s Digital Charter, which set out a series of commitments for building trust in the digital and data economy.

The preamble to Bill C-27, as a whole, addresses both AI and data protection concerns. Where it addresses AI regulation directly, it identifies the need to harmonize with national and international standards for the development and deployment of AI, and the importance of ensuring that AI systems uphold Canadian values in line with the principles of international human rights law. The preamble also signals a need for a more agile regulatory framework – something that might go towards justifying why so much of the substance of AI governance in the AIDA has been left to the development of regulations. Finally, the preamble speaks of a need “to foster an environment in which Canadians can seize the benefits of the digital and data-driven economy and to establish a regulatory framework that supports and protects Canadian norms and values, including the right to privacy.” This, then, frames how AI regulation (and data protection) will work in Canada – an attempt to walk a tightrope between enabling fast-paced innovation and protecting norms, values and privacy rights.

Regulating the digital economy has posed some constitutional (division of powers) challenges for the federal government, and these challenges are evident in the AIDA, particularly with respect to the scope of application of the law. Section 4 sets out the dual purposes of the legislation:

(a) to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems; and

(b) to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.

By focusing on international and interprovincial trade and commerce, the government asserts its general trade and commerce jurisdiction, without treading on the toes of the provinces, who remain responsible for intra-provincial activities. Yet, this means that there will be important gaps in AI regulation. Until the provinces act, these will be with respect to purely provincial AI solutions, whether in the public or private sectors, and, to a large extent, AI in the not-for-profit sector. However, this could get complicated since the AIDA sets out obligations for a range of actors, some of which could include international or interprovincial providers of AI systems to provincial governments.

The second purpose set out in s. 4 suggests that at least when it comes to AI systems that may result in serious harm, the federal jurisdiction over criminal law may be invoked. The AIDA creates a series of offences that could be supported by this power – yet, ultimately the offences relate to failures to meet the obligations that arise based on being engaged in a ‘regulated activity’, which takes one back to activities carried out in the course of international or interprovincial trade and commerce. The federal trade and commerce power thus remains the backbone of this bill.

Although there would be no constitutional difficulties with the federal government exerting jurisdiction over its own activities, the AIDA specifically excludes its application to federal government institutions, as defined in the Privacy Act. Significantly, it also does not apply to products, services or activities that are under the control of the Minister of National Defence, the Canadian Security Intelligence Service, the Communications Security Establishment or any other person who is responsible for a federal or provincial department or agency that is prescribed by regulation. This means that the AIDA would not apply even to those AI systems developed by the private sector for any of the listed actors. The exclusions are significant, particularly since the AIDA seems to be focussed on the prevention of harm to individuals (more on this in a forthcoming post) and the parties excluded are ones that might well develop or commission the development of AI that could (seriously) adversely impact individuals. It is possible that the government intends to introduce or rely upon other governance mechanisms to ensure that AI and personal data are not abused in these contexts. Or not. In contrast, the EU’s AI Regulation addresses the perceived need for latitude when it comes to national defence via an exception for “AI systems developed or used exclusively for military purposes” [my emphasis]. This exception is nowhere near as broad as that in the AIDA, which excludes all “products, services or activities under the control of the Minister of National defence”. Note that the Department of National Defence (DND) made headlines in 2020 when it contracted for an AI application to assist in hiring; it also made headlines in 2021 over an aborted psyops campaign in Canada. There is no reason why non-military DND uses of AI should not be subject to governance.

The government might justify excluding the federal public sector from governance under the AIDA on the basis that it is already governed by the Directive on Automated Decision-Making. This Directive applies to automated decision-making systems developed and used by the federal government, although there are numerous gaps in its application. For example, it does not apply to systems adopted before it took effect, it applies only to automated decision systems and not to other AI systems, and it currently does not apply to systems used internally (e.g., to govern public sector employees). It also does not have the enforcement measures that the AIDA has, and, since government systems could well be high-impact, this seems like a gap in governance. Consider in this respect the much-criticized ArriveCan App, designed for COVID-19 border screening and now contemplated for much broader use at border entries into Canada. The app has been criticized for its lack of transparency, and for the ‘glitch’ that sent inexplicable quarantine orders to potentially thousands of users. The ArriveCan app went through the DADM process, but clearly this is not enough to address governance issues.

Another important limit on the application of the AIDA is that most of its obligations apply only to “high impact systems”. This term is defined in the legislation as “an artificial intelligence system that meets the criteria for a high-impact system that are established in regulations.” This essentially says that this crucial term in the Bill will mean what cabinet decides it will mean at some future date. It is difficult to fully assess the significance or impact of this statute without any sense of how this term will be defined. The only obligations that appear to apply more generally are the obligation in s. 6 regarding the anonymization of data used or intended for use in AI systems, and the obligation in s. 10 to keep records regarding the anonymization measures taken.

By contrast, the EU’s AI Regulation applies to all AI systems. These fall into one of four categories: unacceptable risk, high-risk, limited risk, and low/minimal risk. Those systems that fall into the first category are banned. Those in the high-risk category are subject to the regulation’s most stringent requirements. Limited-risk AI systems need only meet certain transparency requirements and low-risk AI is essentially unregulated. Note that Canada’s approach to ‘agile’ regulation is to address only one category of AI systems – those that fall into the as-yet undefined category of high ‘impact’. It is unclear whether this is agile or supine. It is also not clear what importance should be given to the choice of the word ‘impact’ rather than ‘risk’. However, it should be noted that risk refers not just to actual but to potential harm, whereas ‘impact’ seems to suggest actual harm. Although one should not necessarily read too much into this choice of language, the fact that this important element is left to regulations means that Parliament will be asked to enact a law without understanding its full scope of application. This seems like a problem.

 

Published in Privacy

Privacy is a human right. It is recognized the United Nations Declaration of Human Rights and other international human rights instruments. In Canada, the Supreme Court of Canada has interpreted the. 8 Charter right to be secure against unreasonable search or seizure as a privacy right, and it has also found that data protection laws in Canada have ‘quasi-constitutional’ status because of the importance of the privacy rights on which they are premised. The nature of privacy as a human right should not be a controversial proposition, but it became so in Bill C-11, the 2020 Bill to reform the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-11 did not address the human rights dimensions of data protection, and it was soundly criticized by the former Privacy Commissioner of Canada for failing to do so. Bill C-27, which contains the new PIPEDA reform bill, and which was introduced in June 2022, gives a nod to the human rights dimensions of data protection. This post will consider whether this is enough.

There are several reasons why the human rights dimensions of data protection law became such an issue in Canada. Data protection laws balance the privacy rights of individuals with the needs of organizations and governments to collect and use personal information for a range of purposes. If a balance is to be struck between two things, the weight given to considerations on either side of the scale must be appropriate. Recognizing the human rights dimensions of the protection of personal data gives added weight to the interests of individuals (and communities) by acknowledging the importance that control over personal data has to the exercise of a variety of human rights (including, but not limited to, dignity, autonomy and freedom from discrimination). It also acknowledges the substantial threats that the data economy can pose to human rights. Second, the EU’s General Data Protection Regulation puts the human rights dimensions of privacy and data protection front and centre. Once this has been done across the EU, the omission of a similar approach from draft legislation in Canada takes on greater significance. It starts to look like a deliberate statement. Third, Quebec takes an explicit human-rights based approach to privacy, making it – well, awkward – to have a less human rights-forward standard crafted for the rest of Canada. In Ontario, a government White Paper considering a private sector data protection law for Ontario explicitly endorsed a human rights-based approach.

The federal government’s hesitation to address the human rights dimensions of privacy is rooted in its anxiety over the constitutional footing for a federal private sector data protection law. PIPEDA has been constitutionally justified under the federal government’s general trade and commerce power. This means that it is enacted to regulate an aspect of trade and commerce at the national level. PIPEDA focuses on data collected, used, and disclosed by the private sector in the course of commercial activity. The government’s concern is that adopting a human rights-based approach would transform the statute from one that addresses the management of personal data in the commercial context to one that governs human rights as they relate to personal data. Constitutional anxiety is evident even in the new name of the future data protection law: The Consumer Privacy Protection Act [my emphasis].

The former Privacy Commissioner of Canada, Daniel Therrien, commissioned a legal opinion on the issues of constitutionality linked to adopting a human rights-based approach. This opinion found that the legislation could support such an approach within the general trade and commerce framework. The federal government clearly takes a different view, which may be rooted in an almost pathological division-of-powers anxiety. After all, this government also refused to defend the constitutional challenge to the Genetic Non-Discrimination Act, even though the constitutionality of that statute (which began its life as a private-member’s bill) was ultimately upheld by a majority of the Supreme Court of Canada.

One of the changes in Bill C-27 from Bill C-11 is the addition of a preamble. It is in this preamble that the government now makes reference to the human rights basis for privacy. The preamble also enumerates other considerations, making it clear that the interests (or rights) of individuals are just one factor in a rather complex balance. The other factors include the importance of trade and free flows of data, the need to support and foster the data-driven economy, the need for an agile regulatory framework, the need to not unduly burden small businesses, the need for harmonization, and the importance of facilitating data collection and use in the public interest.

The clauses in the preamble that address privacy and human rights include an acknowledgement that the protection of personal information is essential to the autonomy and dignity of individuals and to their full enjoyment of their fundamental rights and freedoms in Canada. This is probably the strongest statement and it is near the top of the list. There is also an acknowledgement of the importance of privacy and data protection principles found in international instruments. There are some references to human rights in relation to AI, but those relate to the Artificial Intelligence and Data Act that is part of this Bill. There is also a closing paragraph which refers to bolstering the digital and data-driven economy by establishing a regulatory framework “that supports and protects Canadian norms and values, including the right to privacy”. At best, however, this just emphasizes that the right to privacy is one factor in the balance – and not necessarily the predominant one. The government has been reasonably explicit in the preamble about the range of competing public policy considerations that feed into their data protection bill. The overall message is: “Yes, privacy is a human right, but we’re trying to do something here.”

Bill C-27 also includes the text of a proposed Artificial Intelligence and Data Act (AIDA). This statute is arguably the government’s attempt to address human rights in the AI and data context, in that it contains measures meant to address discriminatory bias in AI (which is fueled by data). It is meant to apply to ‘high impact’ systems (not defined in the Bill), although impact certainly seems to be understood in terms of harms to individuals. Next week my series of posts will begin to consider the AIDA in more detail. For present purposes, however, consider that the AIDA will only apply to systems defined as ‘high impact’; it addresses only individual and not group harms; it will apply only in the context of AI (whereas data are used in many more contexts); and many organisations and institutions are excluded from its scope. In any event, while the proper governance of AI is of great importance, so is the proper governance of personal data, which is the domain of data protection legislation. The AIDA is therefore not an answer to concerns over the need for a human rights-based approach to data protection.

I have argued for a human rights-based approach to privacy in data protection law. The volumes of data collected, the way these data are used and shared, and the potential impacts they can have on peoples’ lives all suggest that we can no longer mince words when it comes to understanding the significance of data protection. Technology now reduces just about anything to streams of data, and those data are used to profile, categorize, assess, and monitor individuals. They are used in tools of surveillance and control. Although we talk the talk of individual consent and control, such liberal fictions are no longer sufficient to provide the protection needed to ensure that individuals and the communities to which they belong are not exploited through the data harvested from them. This is why acknowledging the role that data protection law plays in protecting human rights, autonomy and dignity is so important. This is why the human rights dimension of privacy should not just be a ‘factor’ to take into account alongside stimulating innovation and lowering the regulatory burden on industry. It is the starting point and the baseline. Innovation is good, but it cannot be at the expense of human rights.

In Canada we have relied upon the normative idea in s. 5(3) of PIPEDA that any collection, use or disclosure of personal information must be “for purposes that a reasonable person would consider are appropriate in the circumstances”. This normative concept is also found in s. 12(1) of Bill C-27. Although past privacy commissioners have given substance to this provision, the concern remains that without an anchor in an explicitly human rights-based approach, the ‘reasonable person’ might, over time, be interpreted to be more excited about the potential of data to boost the economy than concerned about the adverse effects its use might have on certain individuals or groups. Given that Bill C-27 will shift interpretive authority over key concepts in the legislation from the Privacy Commissioner to the mysterious Data Tribunal, this normative wiggle-room is particularly concerning.

In spite of this, the addition of a preamble to Bill C-27, with its references to privacy and human rights is probably all that we are going to get from this government on this issue. There is not much interest in going back to the drawing board with this Bill, and the government is no doubt impatient to move the data protection law reform file forward.

In the meantime, it is worth noting that the provinces remain free to enact and/or amend their own private sector data protection laws, and to make strong statements about a human-rights-basis for data protection. The laws in Alberta and British Columbia will be reformed once a new federal bill is passed. And, with a newly re-elected government, Ontario might once again turn its attention to crafting its own law. There are other fronts on which this battle can be fought, and perhaps it is best to turn attention to these.

 

Published in Privacy
Monday, 25 July 2022 06:34

Bill C-27 and Children’s Privacy

Note: This is the fifth in a series of posts on Canada's Bill C-27 which, among other things, will reform Canada's private sector data protection law.

Bill C-27, the bill to amend Canada’s existing private sector data protection law, gives particular attention to the privacy rights of minors in a few instances. This is different from the current law, and it is a change since the previous (failed) reform bill, Bill C-11. The additions to Bill C-27 respond to concerns raised by privacy advocates and scholars regarding Bill C-11’s silence on children’s privacy.

Directly addressing children’s privacy has been a bit of a struggle for this government, which seems particularly sensitive to federal-provincial division of powers issues. After all, it is the provinces that get to determine the age of majority. A private sector data protection law that defined a child in terms of a particular age range for the purposes of consent, for example, might raise constitutional hackles. Further, many of the privacy issues that concern parents the most are ones that fall at least to some extent within provincial jurisdiction. Consider the issues around children’s privacy and educational technologies used in schools. While many of those technologies are sourced from the private sector, the schools themselves are subject to provincial public sector data protection laws, and so, the schools’ adoption and use of these technologies is governed by provincial legislation. That said, children still spend a great deal of time online; their toys are increasingly connected to the Internet of Things; their devices and accompanying apps capture and transmit all manner of data; and they, their parents and friends post innumerable pictures, videos and anecdotes about them online. Children have a clear interest in private sector data protection.

The government’s modest response to concerns about children’s privacy in Bill C-27 no doubt reflects this constitutional anxiety. The most significant provision is found in s. 2(2), which states that “For the purposes of this Act, the personal information of minors is considered to be sensitive information.” Note that the reference is to ‘minors’ and not ‘children’, and no attempt is made to define the age of majority.

If you search Bill C-27 for further references to minors, you will find few. Two important ones are found in s. 55, which deals with the right of erasure. This right, which allows an individual to request the deletion of their data, has number of significant exceptions to it. However, two of these exceptions do not apply in the case of the data of minors (see my post on the right of erasure). The first of these allows an organization to deny a request for erasure if “the disposal of the information would have an undue adverse impact on the accuracy or integrity of information that is necessary to the ongoing provision of a product or service to the individual in question”. The second allows an organization to deny a request for deletion if the data is subject to a data retention policy. Neither exception to the right of erasure applies in the case of the data of minors. This is important as it will allow minors (or those acting on their behalf) to obtain deletion of data – even outside the organization’s regular disposal schedule.

The Personal Information Protection and Electronic Documents Act currently links valid consent to a person’s capacity to understand “the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting” (s. 6.1). Bill C-11 would have eliminated this requirement for valid consent. Responding to criticisms, the government in Bill C-27, has added a requirement that consent must be sought “in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.” (s. 15(4)) It is good to see this element returned to the reform bill, even if it is a little half-hearted compared to PIPEDA’s s. 6.1. In this regard, Bill C-27 is an improvement over C-11. (See my post on consent in Bill C-27).

Although no other provisions are specifically drafted for minors, per se, declaring that the personal information of minors is considered ‘sensitive’ is significant in a Bill that requires organizations to give particular attention to the sensitivity of personal data in a range of circumstances. For example, an organization’s overall privacy management program must take into account both the volume and sensitivity of the information that the organization collects (s. 9(2)). The core normative principle in the legislation, which limits the collection, use and disclosure of personal information to that which a reasonable person would consider appropriate in the circumstances also requires a consideration of the sensitivity of personal data (s. 12(2)(a)). In determining whether an organization can rely upon implied consent, the sensitivity of the information is a relevant factor (s. 15(5)). Organizations, in setting data retention limits, must take into account, among other things, the sensitivity of personal data (s. 53(2)), and they must provide transparency with respect to those retention periods (s. 62(2)(e)). The security safeguards developed for personal data must take into account its sensitivity (s. 57(1)). When there is a data breach, the obligation to report the breach to the Commissioner depends upon a real risk of significant harm – one of the factors in assessing such a risk is the sensitivity of the personal data (s. 58(8)). When data are de-identified, the measures used for de-identification must take into account the sensitivity of the data, and the Commissioner, in exercising his powers, duties or functions must also consider the sensitivity of the personal data dealt with by an organization (s. 109).

The characterization of the data of minors as ‘sensitive’ means that the personal data of children – no matter what it is – will be treated as sensitive data in the interpretation and application of the law. In practical terms, this is not new. The Office of the Privacy Commissioner has consistently treated the personal data of children as sensitive. However, it does not hurt to make this approach explicit in the law. In addition, the right of erasure for minors is an improvement over both PIPEDA and Bill C-11. Overall, then, Bill C-27 offers some enhancement to the data protection rights of minors.

Published in Privacy

Bill C-27, which will amend Canada’s private sector data protection law, contains a right of erasure. In its basic form, this right allows individuals to ask an organization to dispose of the personal information it holds about them. It is sometimes referred to as the right to be forgotten, although the right to be forgotten has different dimensions that are not addressed in Bill C-27. Bill C-27’s predecessor, Bill C-11, had proposed a right of erasure in fairly guarded terms: individuals would be able to request the disposal only of information that the organization had obtained from the individual. This right would not have extended to information the organization had collected through other means – by acquiring that information from other organizations, scraping it from the internet, or even creating it through profiling algorithms. Section 55 of Bill C-27 (“disposal at individual’s request”) brings some interesting changes to this limitation. Significantly, it extends the right of erasure to the individual’s personal information that “is under the organization’s control”. Nevertheless, in doing so, it also adds some notable restrictions.

First, Bill C-27’s right of erasure will only apply in three circumstances. The first, set out in s. 55(1)(a), is where the information was collected, used or disclosed in contravention of the Act. Basically, if an organization had no right to have or use the personal data in the first place, it must dispose of the information at the request of the individual.

The second situation, set out in s. 55(1)(b), is where an individual has withdrawn their consent to the collection, use or disclosure of the information held by the organization. Perhaps a person agreed to allow an organization to collect certain data in addition to the data considered necessary to providing a particular product or service. If that person decides they no longer want the organization to collect this additional data, not only can they withdraw consent to its continued collection, they can exercise their right to erasure and have the already-collected data deleted.

Finally, s. 55(1)(c) allows an individual to request deletion of personal data where the information is no longer necessary for the continued provision of a product or service requested by the individual. If an individual ceases to do business with an organization, for example, and does not wish the organization to retain their personal information, they can request its deletion. Here, the expansion of the right to include all personal information under the organization’s control can be important. For example, if you terminate your contract with a streaming service, you could request deletion not just of the customer data you provided to them, and your viewing history, but also the organization’s inexplicable profile of you as someone who loves zombie movies.

Where an organization has acceded to a request for disposal of personal data, it is also obliged, under s. 55(4), to inform “any service provider” to which it has transferred the data to dispose of them. The organization is responsible for ensuring this takes place. Note, however, that the obligation is only to inform any service provider, defined in the bill as an entity that “provides services for or on behalf” of the organization to assist it in fulfilling its purposes. The obligation to notify does not extend to those to whom the data may have been sold.

There are, however, important exceptions to this expanded right of erasure. Subsection 55(2) would allow an organization to refuse to dispose of data under s. 55(1)(b) or (c) in circumstances where it is inseparable from the personal data of another person (for example, that embarrassing photo of you partying with others that someone else posted online); other legal requirements require the organization to retain the information; or the organization requires the data for a legal defence or legal remedy.

A few other exceptions are potentially more problematic. Paragraph 55(2)(d) creates an exception to the right of erasure where:

(d) the information is not in relation to a minor and the disposal of the information would have an undue adverse impact on the accuracy or integrity of information that is necessary to the ongoing provision of a product or service to the individual in question;

For example, this might apply in the case where an individual remains in a commercial relationship with an organization, but has withdrawn consent to a particular use or disclosure of their data and has requested its deletion. If the organization believes that deleting the information would adversely affect the integrity of the product or service they continue to provide to the individual, they can refuse deletion. It will be interesting to see how this plays out. There may be a matter of opinion about the impacts on the integrity of the product or service being supplied. If an individual finds an organization’s recommendation service based on past purchases or views to be largely useless, seeking deletion of data about their viewing history will not impact the integrity of the service from the individual’s point of view – but the organization might have a different opinion.

In Bill C-27, the government responded to criticisms that its predecessor, Bill C-11, did nothing to specifically deal with children’s privacy. Bill C-27 addresses the privacy of minors in specific instances, and the right of erasure is one of them. Interestingly, the right of erasure prevails under s. 55(2)(d) for minors, presumably even when the erasure would have an “undue adverse impact on the accuracy or integrity of information that is necessary to the ongoing provision of a product or service”. It seems that minors will get to choose between deletion and adverse impacts, while those over the age of majority will have to put up with retention and uses of their personal data to which they object.

Another exception to the right also applies only to those past the age of majority. Paragraph 55(2)(f) provides that an organization may refuse a request for disposal of personal information if:

(f) the information is not in relation to a minor and it is scheduled to be disposed of in accordance with the organization’s information retention policy, and the organization informs the individual of the remaining period of time for which the information will be retained.

What this means is that if an organization has a retention policy that conforms to s. 53 of Bill C-27 (one that provides for the destruction of personal information once it is no longer necessary for the purposes for which it was collected, used or disclosed), then it can refuse a request for erasure – unless, of course, it is a minor who requests erasure. In that case, they must act in advance of the normal disposal schedule. This provision was no doubt added to save organizations from the burden of having to constantly respond to requests for erasure of personal data. For large swathes of personal data, for example, they can prepare a standard response that informs a requestor of their retention policy and provides the timetable on which the data will be deleted once it is no longer necessary to fulfill the purposes for which it was collected. If this provision can also be relied upon when an individual ceases to do business with an organization and requests the deletion of their information, then the right of erasure in Bill C-27 will become effectively useless in the case of any company with a data retention policy. Except, of course, for minors.

Finally, organizations will be given the right to refuse to consider requests for deletion that are “vexatious or made in bad faith”. Let’s hit pause here. This exception is to protect commercial entities against data subjects. I understand that organizations do not want to be subject to mass campaigns for data deletion– or serial requests by individuals – that overwhelm them. That might happen. However, the standard form email that will be part of the ‘regular deletion schedule’ exception discussed above will largely suffice to address this problem. Organizations now have enormous abilities to collect massive amounts of personal data and to use these data for a wide variety of purposes. Many do this responsibly, but there are endless examples of overcollection, over-retention, excessive sharing, poor security, and outright abuses of personal data. The right of erasure is a new right for individuals to help them exercise greater control over their personal data in a context in which such data are often flagrantly misused. To limit this right based on what an organization considers vexatious is a demonstration of how the balance in Bill C-27 leans towards the free flow and use of personal data rather than the protection of privacy.

It is important to note that there is yet another limit on the right of erasure, which is found in Bill C-27’s definition of ‘dispose’. According to this definition, dispose means “to permanently and irreversibly delete personal information or to anonymize it. Thus, an organization can choose to anonymize personal data, and once it has done so, the right of erasure is not available. (See my post on anonymized and deidentified data for what ‘anonymized’ means). Section 2(3) of Bill C-27 also removes the right of erasure where information is merely de-identified (pseudonymized). This seems like an internal contradiction in the legislation. Disposal means deletion or rigorous anonymization – but, under s. 2(3), a company can just pseudonymize to avoid a request for disposal. The difference seems to be that pseudonymized data may still eventually need to be disposed of under data retention limits, whereas anonymized data can be kept forever.

All told, as a right that is meant to give more control to individuals, the right of erasure in Bill C-27 is a bit of a bust. Although it allows an individual to ask an organization to delete data (and not just data that the individual provided), the right is countered by a great many bases on which the organization can avoid it. It’s a bit of a ‘Canadian compromise’ (one of the ones in which Canadians get compromised): individuals get a new right; organizations get to side-step it.

 

 

Published in Privacy

This is the second post in a series on Bill C-27, a bill introduced in Parliament in June 2022 to reform Canada's private sector data protection law. The first post, on consent provisions, is found here.

In a data-driven economy, data protection laws are essential to protect privacy. In Canada, the proposed Consumer Privacy Protection Act in Bill C-27 will, if passed, replace the aging Personal Information Protection and Electronic Documents Act (PIPEDA) to govern the collection, use and disclosure of personal information by private sector organizations. Personal information is defined in Bill C-27 (as it was in PIPEDA) as “information about an identifiable individual”. The concept of identifiability of individuals from information has always been an important threshold issue for the application of the law. According to established case law, if an individual can be identified directly or indirectly from data, alone or in combination with other available data, then those data are personal information. Direct identification comes from the presence of unique identifiers that point to specific individuals (for example, a name or a social insurance number). Indirect identifiers are data that, if combined with other available data, can lead to the identification of individuals. To give a simple example, a postal code on its own is not a direct identifier of any particular individual, but in a data set with other data elements such as age and gender, a postal code can lead to the identification of a specific individual. In the context of that larger data set, the postal code can constitute personal information.

As the desire to access and use more data has grown in the private (and public) sector, the concepts of de-identification and anonymization have become increasingly important in dealing with personal data that have already been collected by organizations. The removal of both direct and indirect identifiers from personal data can protect privacy in significant ways. PIPEDA did not define ‘de-identify’, nor did it create particular rules around the use or disclosure of de-identified information. Bill C-11, the predecessor to C-27, addressed de-identified personal information, and contained the following definition:

de-identify means to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual

This definition was quite inclusive (information created from personal information, for example, would include synthetic data). Bill C-11 set a relative standard for de-identification – in other words, it accepted that de-identification was sufficient if the information could not be used to identify individuals “in reasonably foreseeable circumstances”. This was reinforced by s. 74 which required organizations that de-identified personal information to use measures that were proportionate to the sensitivity of the information and the way in which the information was to be used. De-identification did not have to be perfect – but it had to be sufficient for the context.

Bill C-11’s definition of de-identification was criticized by private sector organizations that wanted de-identified data to fall outside the scope of the Act. In other words, they sought either an exemption from the application of the law for de-identified personal information, or a separate category of “anonymized” data that would be exempt from the law. According to this view, if data cannot be linked to an identifiable individual, then they are not personal data and should not be subject to data protection law. For their part, privacy advocates were concerned about the very real re-identification risks, particularly in a context in which there is a near endless supply of data and vast computing power through which re-identification can take place. These concerns are supported by research (see also here and here). The former federal Privacy Commissioner recommended that it be made explicit that the legislation would apply to de-identified data.

The changes in Bill C-27 reflect the power of the industry lobby on this issue. Bill C-27 creates separate definitions for anonymized and de-identified data. These are:

anonymize means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.

[. . .]

de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. [my emphasis]

Organizations will therefore be pleased that there is now a separate category of “anonymized” data, although such data must be irreversibly and permanently modified to ensure that individuals are not identifiable. This is harder than it sounds; there is, even with synthetic data, for example, still some minimal risk of reidentification. An important concern, therefore, is whether the government is actually serious about this absolute standard, whether it will water it down by amendment before the bill is enacted, or whether it will let interpretation and argument around ‘generally accepted best practices’ soften it up. To ensure the integrity of this provision, the law should enable the Privacy Commissioner to play a clear role in determining what counts as anonymization.

Significantly, under Bill C-27, information that is ‘anonymized’ would be out of scope of the statute. This is made clear in a new s. 6(5) which provides that “this Act does not apply in respect of personal information that has been anonymized”. The argument to support this is that placing data that are truly anonymized out of scope of the legislation creates an incentive for industry to anonymize data, and anonymization (if irreversible and permanent) is highly privacy protective. Of course, similar incentives can be present if more tailored exceptions are created for anonymized data without it falling ‘out of scope’ of the law.

Emerging and evolving concepts of collective privacy take the view that there should be appropriate governance of the use of human-derived data, even if it has been anonymized. Another argument for keeping anonymized data in scope relates to the importance of oversight, given re-identification risks. Placing anonymized data outside the scope of data protection law is contrary to the recent recommendations of the ETHI Standing Committee of the House of Commons following its hearings into the use of de-identified private sector mobility data by the Public Health Agency of Canada. ETHI recommended that the federal laws be amended “to render these laws applicable to the collection, use, and disclosure of de-identified and aggregated data”. Aggregated data is generally considered to be data that has been anonymized. The trust issues referenced by ETHI when it comes to the use of de-identified data reinforce the growing importance of notions of collective privacy. It might therefore make sense to keep anonymized data within scope of the legislation (with appropriate exceptions to maintain incentives for anonymization) leaving room for governance of anonymization.

Bill C-27 also introduces a new definition of “de-identify”, which refers to modifying data so that individuals cannot be directly identified. Direct identification has come to mean identification through specific identifiers such as names, or assigned numbers. The new definition of ‘de-identify’ in C-27 suggests that simply removing direct identifiers will suffice to de-identify personal data (a form of what, in the GDPR, is referred to as pseudonymization). Thus, according to this definition, as long as direct identifiers are removed from a data set, an organization can use data without knowledge or consent in certain circumstances, even though specific individuals might still be identifiable from those data. While it will be argued that these circumstances are limited, the exception for sharing for ‘socially beneficial purposes’ is disturbingly broad given this weak definition (more to come on this in a future blog post). In addition, the government can add new exceptions to the list by regulation.

The reference in the definition of ‘de-identify’ only to direct identification is meant to be read alongside s. 74 of Bill C-27, which provides:

74 An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.

Section 74 remains unchanged from Bill C-11, where it made more sense, since it defined de-identification in terms of direct or indirect identifiers using a relative standard. In the context of the new definition of ‘de-identify’, it is jarring, since de-identification according to the new definition requires only the removal of direct identifiers. What this, perhaps, means is that although the definition of de-identify only requires removal of direct identifiers, actual de-identification might mean something else. This is not how definitions are supposed to work.

In adopting these new definitions, the federal government sought to align its terminology with that used in Quebec’s Loi 25 that reformed its public and private sector data protection laws. The Quebec law provides, in a new s. 23, that:

[. . .]

For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.

Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.

Loi 25 also provides that data is de-identified (as opposed to anonymized) “if it no longer allows the person concerned to be directly identified”. At first glance, it seems that Bill C-27 has adopted similar definitions – but there are differences. First, the definition of anonymization in Loi 25 uses a relative standard (not an absolute one as in C-27). It also makes specific reference not just to generally accepted best practices, but to criteria and terms to be set out in regulation, whereas in setting standards for anonymization, C-27 refers only to “generally accepted best practices”. [Note that in its recommendations following its hearings into the use of de-identified private sector mobility data by the Public Health Agency of Canada, the ETHI Committee of Parliament recommended that federal data protection laws should include “a standard for de-identification of data or the ability for the Privacy Commissioner to certify a code of practice in this regard.”]

Second, and most importantly, in the Quebec law, anonymized data does not fall outside the scope of the legislation –instead, a relative standard is used to provide some flexibility while still protecting privacy. Anonymized data are still subject to governance under the law, even though the scope of that governance is limited. Further, under the Quebec law, recognizing that the definition of de-identification is closer to pseudonymization, the uses of de-identified data are more restricted than they are in Bill C-27.

Further, in an eye-glazing bit of drafting, s. 2(3) of Bill C-27 provides:

2(3) For the purposes of this Act, other than sections 20 and 21, subsections 22(1) and 39(1), sections 55 and 56, subsection 63(1) and sections 71, 72, 74, 75 and 116, personal information that has been de-identified is considered to be personal information.

This is a way of saying that de-identified personal information remains within the scope of the Act except where it does not. Yet, data that has only direct identifiers stripped from it should always be considered personal information, since the reidentification risk, as noted above, could be very high. What s. 2(3) does is allow de-identified data to be treated as anonymized (out of scope) in some circumstances. For example, s. 21 allows organizations to use ‘de-identified’ personal information for internal research purposes without knowledge or consent. The reference in s. 2(3) amplifies this by providing that such information is not considered personal information. As a result, presumably, other provisions in Bill C-27 would not apply. This might include data breach notification requirements – yet if information is only pseudonymized and there is a breach, it is not clear why such provisions should not apply. Pseudonymization might provide some protection to those affected by a breach, although it is also possible that the key was part of the breach, or that individuals remain re-identifiable in the data. The regulator should have jurisdiction. Subsection 22(1) allows for the use and even the disclosure of de-identified personal information between parties to a prospective business transaction. In this context, the de-identified information is not considered personal information (according to s. 2(3)) and so the only safeguards are those set out in s. 22(1) itself. Bizarrely, s. 22(1) makes reference to the sensitivity of the information – requiring safeguards appropriate to its sensitivity, even though it is apparently not considered personal information. De-identified (not anonymized) personal information can also be shared without knowledge or consent for socially beneficial purposes under s. 39(1). (I have a blog post coming on this provision, so I will say no more about it here, other than to note that given the definition of ‘de-identify’, such sharing seems rash and the safeguards provided are inadequate). Section 55 provides for a right of erasure of personal information; since information stripped of direct identifiers is not personal information for the purposes of section 55 (according to s. 2(3)), this constitutes an important limitation on the right of erasure. If data are only pseudonymized, and if the organization retains the key, then why is there no right of erasure? Section 56 addresses the accuracy of personal information. Personal information de-identified according to the definition in C-27 would also be exempted from this requirement.

In adopting the definitions of ‘anonymize’ and ‘de-identify’, the federal government meets a number of public policy objectives. It enhances the ability of organizations to make use of data. It also better aligns the federal law with Quebec’s law (at least at the definitional level). The definitions may also create scope for other privacy protective technologies such as pseudonymization (which is what the definition of de-identify in C-27 probably really refers to) or different types of encryption. But the approach it has adopted creates the potential for confusion, for risks to privacy, and for swathes of human-derived data to fall ‘outside the scope’ of data protection law. The government view may be that, once you stir all of Bill C-27’s provisions into the pot, and add a healthy dose of “trust us”, the definition of “de-identify” and its exceptions are not as problematic as they are at first glance. Yet, this seems like a peculiar way to draft legislation. The definition should say what it is supposed to say, rather than have its defects mitigated by a smattering of other provisions in the law and faith in the goodness of others and the exceptions still lean towards facilitating data use rather than protecting privacy.

In a nutshell, C-27 has downgraded the definition of de-identification from C-11. It has completely excluded from the scope of the Act anonymized data, but has provided little or no guidance beyond “generally accepted best practices” to address anonymization. If an organization claims that their data are anonymized and therefore outside of the scope of the legislation, it will be an uphill battle to get past the threshold issue of anonymization in order to have a complaint considered under what would be the new law. The organization can simply dig in and challenge the jurisdiction of the Commissioner to investigate the complaint.

All personal data, whether anonymized or ‘de-identified’ should remain within the scope of the legislation. Specific exceptions can be provided where necessary. Exceptions in the legislation for the uses of de-identified information without knowledge or consent must be carefully constrained and reinforced with safeguards. Further, the regulator should play a role in establishing standards for anonymization and de-identification. This may involve consultation and collaboration with standards-setting bodies, but references in the legislation must be to more than just “generally accepted best practices”.

Published in Privacy

This is the second post in a series on Bill C-27, a bill introduced in Parliament in June 2022 to reform Canada's private sector data protection law. The first post, on consent provisions, is found here.

In a data-driven economy, data protection laws are essential to protect privacy. In Canada, the proposed Consumer Privacy Protection Act in Bill C-27 will, if passed, replace the aging Personal Information Protection and Electronic Documents Act (PIPEDA) to govern the collection, use and disclosure of personal information by private sector organizations. Personal information is defined in Bill C-27 (as it was in PIPEDA) as “information about an identifiable individual”. The concept of identifiability of individuals from information has always been an important threshold issue for the application of the law. According to established case law, if an individual can be identified directly or indirectly from data, alone or in combination with other available data, then those data are personal information. Direct identification comes from the presence of unique identifiers that point to specific individuals (for example, a name or a social insurance number). Indirect identifiers are data that, if combined with other available data, can lead to the identification of individuals. To give a simple example, a postal code on its own is not a direct identifier of any particular individual, but in a data set with other data elements such as age and gender, a postal code can lead to the identification of a specific individual. In the context of that larger data set, the postal code can constitute personal information.

As the desire to access and use more data has grown in the private (and public) sector, the concepts of de-identification and anonymization have become increasingly important in dealing with personal data that have already been collected by organizations. The removal of both direct and indirect identifiers from personal data can protect privacy in significant ways. PIPEDA did not define ‘de-identify’, nor did it create particular rules around the use or disclosure of de-identified information. Bill C-11, the predecessor to C-27, addressed de-identified personal information, and contained the following definition:

de-identify means to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual

This definition was quite inclusive (information created from personal information, for example, would include synthetic data). Bill C-11 set a relative standard for de-identification – in other words, it accepted that de-identification was sufficient if the information could not be used to identify individuals “in reasonably foreseeable circumstances”. This was reinforced by s. 74 which required organizations that de-identified personal information to use measures that were proportionate to the sensitivity of the information and the way in which the information was to be used. De-identification did not have to be perfect – but it had to be sufficient for the context.

Bill C-11’s definition of de-identification was criticized by private sector organizations that wanted de-identified data to fall outside the scope of the Act. In other words, they sought either an exemption from the application of the law for de-identified personal information, or a separate category of “anonymized” data that would be exempt from the law. According to this view, if data cannot be linked to an identifiable individual, then they are not personal data and should not be subject to data protection law. For their part, privacy advocates were concerned about the very real re-identification risks, particularly in a context in which there is a near endless supply of data and vast computing power through which re-identification can take place. These concerns are supported by research (see also here and here). The former federal Privacy Commissioner recommended that it be made explicit that the legislation would apply to de-identified data.

The changes in Bill C-27 reflect the power of the industry lobby on this issue. Bill C-27 creates separate definitions for anonymized and de-identified data. These are:

anonymize means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.

[. . .]

de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. [my emphasis]

Organizations will therefore be pleased that there is now a separate category of “anonymized” data, although such data must be irreversibly and permanently modified to ensure that individuals are not identifiable. This is harder than it sounds; there is, even with synthetic data, for example, still some minimal risk of reidentification. An important concern, therefore, is whether the government is actually serious about this absolute standard, whether it will water it down by amendment before the bill is enacted, or whether it will let interpretation and argument around ‘generally accepted best practices’ soften it up. To ensure the integrity of this provision, the law should enable the Privacy Commissioner to play a clear role in determining what counts as anonymization.

Significantly, under Bill C-27, information that is ‘anonymized’ would be out of scope of the statute. This is made clear in a new s. 6(5) which provides that “this Act does not apply in respect of personal information that has been anonymized”. The argument to support this is that placing data that are truly anonymized out of scope of the legislation creates an incentive for industry to anonymize data, and anonymization (if irreversible and permanent) is highly privacy protective. Of course, similar incentives can be present if more tailored exceptions are created for anonymized data without it falling ‘out of scope’ of the law.

Emerging and evolving concepts of collective privacy take the view that there should be appropriate governance of the use of human-derived data, even if it has been anonymized. Another argument for keeping anonymized data in scope relates to the importance of oversight, given re-identification risks. Placing anonymized data outside the scope of data protection law is contrary to the recent recommendations of the ETHI Standing Committee of the House of Commons following its hearings into the use of de-identified private sector mobility data by the Public Health Agency of Canada. ETHI recommended that the federal laws be amended “to render these laws applicable to the collection, use, and disclosure of de-identified and aggregated data”. Aggregated data is generally considered to be data that has been anonymized. The trust issues referenced by ETHI when it comes to the use of de-identified data reinforce the growing importance of notions of collective privacy. It might therefore make sense to keep anonymized data within scope of the legislation (with appropriate exceptions to maintain incentives for anonymization) leaving room for governance of anonymization.

Bill C-27 also introduces a new definition of “de-identify”, which refers to modifying data so that individuals cannot be directly identified. Direct identification has come to mean identification through specific identifiers such as names, or assigned numbers. The new definition of ‘de-identify’ in C-27 suggests that simply removing direct identifiers will suffice to de-identify personal data (a form of what, in the GDPR, is referred to as pseudonymization). Thus, according to this definition, as long as direct identifiers are removed from a data set, an organization can use data without knowledge or consent in certain circumstances, even though specific individuals might still be identifiable from those data. While it will be argued that these circumstances are limited, the exception for sharing for ‘socially beneficial purposes’ is disturbingly broad given this weak definition (more to come on this in a future blog post). In addition, the government can add new exceptions to the list by regulation.

The reference in the definition of ‘de-identify’ only to direct identification is meant to be read alongside s. 74 of Bill C-27, which provides:

74 An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.

Section 74 remains unchanged from Bill C-11, where it made more sense, since it defined de-identification in terms of direct or indirect identifiers using a relative standard. In the context of the new definition of ‘de-identify’, it is jarring, since de-identification according to the new definition requires only the removal of direct identifiers. What this, perhaps, means is that although the definition of de-identify only requires removal of direct identifiers, actual de-identification might mean something else. This is not how definitions are supposed to work.

In adopting these new definitions, the federal government sought to align its terminology with that used in Quebec’s Loi 25 that reformed its public and private sector data protection laws. The Quebec law provides, in a new s. 23, that:

[. . .]

For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.

Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.

Loi 25 also provides that data is de-identified (as opposed to anonymized) “if it no longer allows the person concerned to be directly identified”. At first glance, it seems that Bill C-27 has adopted similar definitions – but there are differences. First, the definition of anonymization in Loi 25 uses a relative standard (not an absolute one as in C-27). It also makes specific reference not just to generally accepted best practices, but to criteria and terms to be set out in regulation, whereas in setting standards for anonymization, C-27 refers only to “generally accepted best practices”. [Note that in its recommendations following its hearings into the use of de-identified private sector mobility data by the Public Health Agency of Canada, the ETHI Committee of Parliament recommended that federal data protection laws should include “a standard for de-identification of data or the ability for the Privacy Commissioner to certify a code of practice in this regard.”]

Second, and most importantly, in the Quebec law, anonymized data does not fall outside the scope of the legislation –instead, a relative standard is used to provide some flexibility while still protecting privacy. Anonymized data are still subject to governance under the law, even though the scope of that governance is limited. Further, under the Quebec law, recognizing that the definition of de-identification is closer to pseudonymization, the uses of de-identified data are more restricted than they are in Bill C-27.

Further, in an eye-glazing bit of drafting, s. 2(3) of Bill C-27 provides:

2(3) For the purposes of this Act, other than sections 20 and 21, subsections 22(1) and 39(1), sections 55 and 56, subsection 63(1) and sections 71, 72, 74, 75 and 116, personal information that has been de-identified is considered to be personal information.

This is a way of saying that de-identified personal information remains within the scope of the Act except where it does not. Yet, data that has only direct identifiers stripped from it should always be considered personal information, since the reidentification risk, as noted above, could be very high. What s. 2(3) does is allow de-identified data to be treated as anonymized (out of scope) in some circumstances. For example, s. 21 allows organizations to use ‘de-identified’ personal information for internal research purposes without knowledge or consent. The reference in s. 2(3) amplifies this by providing that such information is not considered personal information. As a result, presumably, other provisions in Bill C-27 would not apply. This might include data breach notification requirements – yet if information is only pseudonymized and there is a breach, it is not clear why such provisions should not apply. Pseudonymization might provide some protection to those affected by a breach, although it is also possible that the key was part of the breach, or that individuals remain re-identifiable in the data. The regulator should have jurisdiction. Subsection 22(1) allows for the use and even the disclosure of de-identified personal information between parties to a prospective business transaction. In this context, the de-identified information is not considered personal information (according to s. 2(3)) and so the only safeguards are those set out in s. 22(1) itself. Bizarrely, s. 22(1) makes reference to the sensitivity of the information – requiring safeguards appropriate to its sensitivity, even though it is apparently not considered personal information. De-identified (not anonymized) personal information can also be shared without knowledge or consent for socially beneficial purposes under s. 39(1). (I have a blog post coming on this provision, so I will say no more about it here, other than to note that given the definition of ‘de-identify’, such sharing seems rash and the safeguards provided are inadequate). Section 55 provides for a right of erasure of personal information; since information stripped of direct identifiers is not personal information for the purposes of section 55 (according to s. 2(3)), this constitutes an important limitation on the right of erasure. If data are only pseudonymized, and if the organization retains the key, then why is there no right of erasure? Section 56 addresses the accuracy of personal information. Personal information de-identified according to the definition in C-27 would also be exempted from this requirement.

In adopting the definitions of ‘anonymize’ and ‘de-identify’, the federal government meets a number of public policy objectives. It enhances the ability of organizations to make use of data. It also better aligns the federal law with Quebec’s law (at least at the definitional level). The definitions may also create scope for other privacy protective technologies such as pseudonymization (which is what the definition of de-identify in C-27 probably really refers to) or different types of encryption. But the approach it has adopted creates the potential for confusion, for risks to privacy, and for swathes of human-derived data to fall ‘outside the scope’ of data protection law. The government view may be that, once you stir all of Bill C-27’s provisions into the pot, and add a healthy dose of “trust us”, the definition of “de-identify” and its exceptions are not as problematic as they are at first glance. Yet, this seems like a peculiar way to draft legislation. The definition should say what it is supposed to say, rather than have its defects mitigated by a smattering of other provisions in the law and faith in the goodness of others and the exceptions still lean towards facilitating data use rather than protecting privacy.

In a nutshell, C-27 has downgraded the definition of de-identification from C-11. It has completely excluded from the scope of the Act anonymized data, but has provided little or no guidance beyond “generally accepted best practices” to address anonymization. If an organization claims that their data are anonymized and therefore outside of the scope of the legislation, it will be an uphill battle to get past the threshold issue of anonymization in order to have a complaint considered under what would be the new law. The organization can simply dig in and challenge the jurisdiction of the Commissioner to investigate the complaint.

All personal data, whether anonymized or ‘de-identified’ should remain within the scope of the legislation. Specific exceptions can be provided where necessary. Exceptions in the legislation for the uses of de-identified information without knowledge or consent must be carefully constrained and reinforced with safeguards. Further, the regulator should play a role in establishing standards for anonymization and de-identification. This may involve consultation and collaboration with standards-setting bodies, but references in the legislation must be to more than just “generally accepted best practices”.

Published in Privacy

Note: this is the first in a series of blog posts on Bill C-27, also known as An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.

Bill C-27 is a revised version of the former Bill C-11 which died on the order paper just prior to the last federal election in 2021. The former Privacy Commissioner called Bill C-11 ‘a step backwards’ for privacy, and issued a series of recommendations for its reform. At the same time, industry was also critical of the Bill, arguing that it risked making the use of data for innovation too burdensome.

Bill C-27 takes steps to address the concerns of both privacy advocates and those from industry with a series of revisions, although there is much that is not changed from Bill C-11. Further, it adds an entirely new statute – the Artificial Intelligence and Data Act (AIDA) – meant to govern some forms of artificial intelligence. This series of posts will assess a number of the changes found in Bill C-27. It will also consider the AIDA.

_________________________________

The federal government has made it clear that it considers consent to be a cornerstone of Canadian data protection law. They have done so in the Digital Charter, in Bill C-11 (the one about privacy), and in the recent reincarnation of data protection reform legislation in Bill C-27. On the one hand, consent is an important means by which individuals can exercise control over their personal information; on the other hand, it is widely recognized that the consent burden has become far too high for individuals who are confronted with long, complex and often impenetrable privacy policies at every turn. At the same time, organizations that see new and emerging uses for already-collected data seek to be relieved of the burden of obtaining fresh consents. The challenge in privacy law reform has therefore been to make consent meaningful, while at the same time reducing the consent burden and enabling greater use of data by private and public sector entities. Bill C-11 received considerable criticism for how it dealt with consent (see, for example, my post here, and the former Privacy Commissioner’s recommendations to improve consent in C-11 here). Consent is back, front and centre in Bill C-27, although with some important changes.

Section 15 of Bill C-27 reaffirms that consent is the default rule for collection, use or disclosure of personal information, although the statute creates a long list of exceptions to this general rule. One criticism of Bill C-11 was that it removed the definition of consent in s. 6.1 of PIPEDA, which provided that consent “is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” Instead, Bill C-11 simply relied upon a list of information that must be provided to individuals prior to consent. Bill C-27’s compromise is found in the addition of a new s. 15(4) which requires that the information provided to individuals to obtain their consent must be “in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.” This has the added virtue of ensuring, for example, that privacy policies for products or services directed at youth or children must take into account the sophistication of their audience. The added language is not as exigent as s. 6.1 (for example, s. 6.1 requires an understanding of the nature, purpose and consequences of the collection, use and disclosure, while s. 15(4) requires only an understanding of the language used), so it is still a downgrading of consent from the existing law. It is, nevertheless, an improvement over Bill C-11.

A modified s. 15(5) and a new s. 15(6) also muddy the consent waters. Subsection 15(5) provides that consent must be express unless it is appropriate to imply consent. The exception to this general rule is the new subsection 15(6) which provides:

(6) It is not appropriate to rely on an individual’s implied consent if their personal information is collected or used for an activity described in subsection 18(2) or (3).

Subsections 18(2) and (3) list business activities for which personal data may be collected or used without an individual’s knowledge or consent. At first glance, it is unclear why it is necessary to provide that implied consent is inappropriate in such circumstances, since no consent is needed at all. However, because s. 18(1) sets out certain conditions criteria for collection without knowledge or consent, it is likely that the goal of s. 15(6) is to ensure that no organization circumvents the limited guardrails in s. 18(1) by relying instead on implied consent. The potential breadth of s. 18(3) (discussed below), combined with s. 2(3) makes it difficult to distinguish between the two, in which case, the cautious organization will comply with s. 18(3) rather than rely on implied consent in any event.

The list of business activities for which no knowledge or consent is required for the collection or use of personal information is pared down from that in Bill C-11. The list in C-11 was controversial, as it included some activities which were so broadly stated that they would have created gaping holes in any consent requirement (see my blog post on consent in C-11 here). The worst of these have been removed. This is a positive development, although the provision creates a backdoor through which other exceptions can be added by regulation. Further, Bill C-27 has added language to s. 12(1) to clarify that the requirement that the collection, use or disclosure of personal information must be “only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances” applies “whether or not consent is required under this Act.”

[Note that although the exceptions in s. 18 are to knowledge as well as consent, s. 62(2)(b) of Bill C-27 will require that an organization provide plain language information about how it makes use of personal information, and how it relies upon exceptions to consent “including a description of any activities referred to in subsection 18(3) in which it has a legitimate interest”.]

Bill C-27 does, however, contain an entirely new exception to the collection or use of personal data with knowledge or consent. This is found in s. 18(3):

18 (3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use and

(a) a reasonable person would expect the collection or use for such an activity; and

(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

So as not to leave this as open-ended as it seems at first glance, a new s. 18(4) sets conditions precedent for the collection or use of personal information for ‘legitimate purposes’:

(4) Prior to collecting or using personal information under subsection (3), the organization must

(a) identify any potential adverse effect on the individual that is likely to result from the collection or use;

(b) identify and take reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them; and

(c) comply with any prescribed requirements.

Finally, a new s. 18(5) requires the organization to keep a record of its assessment under s. 18(4) and it must be prepared to provide a copy of this assessment to the Commissioner at the Commissioner’s request.

It is clear that industry had the ear of the Minister when it comes to the addition of ss. 18(3). A ‘legitimate interest’ exception was sought in order to enable the use of personal data without consent in a broader range of circumstances. Such an exception is found in the EU’s General Data Protection Regulation (GDPR). Here is how it is worded in the GDPR:

6(1) Processing shall be lawful only if and to the extent that at least one of the following applies:

[. . . ]

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Under the GDPR, an organization that relies upon legitimate interests instead of consent, must take into account, among other things:

6(4) [. . . ]

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Bill C-27’s ‘legitimate interests’ exception is different in important respects from that in the GDPR. Although Bill C-27 gives a nod to the importance of privacy as a human right in a new preamble, the human rights dimensions of privacy are not particularly evident in the body of the Bill. The ‘legitimate interests’ exception is available unless there is an “adverse effect on the individual” that is not outweighed by the organization’s legitimate interest (as opposed to the ‘interests or fundamental freedoms of the individual’ under the GDPR). Presumably it will be the organization that does this initial calculation. One of the problems in data protection law has been quantifying adverse effects on individuals. Data breaches, for example, are shocking and distressing to those impacted, but it is often difficult to show actual damages flowing from the breach, and moral damages have been considerably restricted by courts in many cases. Some courts have even found that ordinary stress and inconvenience of a data breach is not compensable harm since it has become such a routine part of life. If ‘adverse effects’ on individuals are reduced to quantifiable effects, the ‘legitimate interests’ exception will be far too broad.

This is not to say that the ‘legitimate interests’ provision in Bill C-27 is incapable of facilitating data use while at the same time protecting individuals. There is clearly an attempt to incorporate some checks and balances, such as reasonable expectations and a requirement to identify and mitigate any adverse effects. But what C-27 does is take something that, in the GDPR, was meant to be quite exceptional to consent and make it potentially a more mainstream basis for the use of personal data without knowledge or consent. It is able to do this because rather than reinforce the centrality and importance of privacy rights, it places privacy on an uneasy par with commercial interests in using personal data. The focus on ‘adverse effects’ runs the risk of equating privacy harm with quantifiable harm, thus trivializing the human and social value of privacy.

 

 

Published in Privacy
<< Start < Prev 1 2 Next > End >>
Page 2 of 2

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law