My initial impression of Bill C-11 was that it is a series of half measures designed to “sort of” protect citizens’ personal information while making it “manageable” for most businesses. This bill is our government’s attempt to please all – and in the process it may please no one. Some say this means it is a well-crafted piece of legislation.
The fact is, there will be much to-and-fro before this becomes law – if it ever does.
Let’s unpack some of the key areas. In no way does this represent a complete analysis of Bill C-11, but we can start with some questions that are right there on the surface. As we dig a little deeper and learn more about this government’s intent, there will be more analysis to come.
Let’s start with the elephant in the room. Consent is very hard to get for most businesses. We are certain every business can set up new practices for collecting consent, but the public is weary and, quite frankly, afraid of giving consent to businesses. After all, our past performance has not exactly been stellar! The business community has, without question, based its data-use decisions on whether or not technology let it do something, rather than on whether it ethically should. Perhaps had we collectively done the “right thing” with people’s personal data, all of this data protection and privacy legislation would not have been required. But the past is the past.
One of the most striking observations of Bill C-11 for me is the fact that we did not adopt the EU’s structure regarding the “lawful basis of processing”. Under the GDPR there are 3 bases available to the private sector and an additional 3 options for government and public service. As stated, consent is hard to get, so the GDPR allows a private sector business to claim “Contractual” or “Legitimate Interest”. For the most part, B2B direct marketing can all be conducted claiming Legitimate Interest. A lot of communication and processing of data for existing customers can fall under Contractual. Only then would we recommend collecting consent. There is a misperception that the GDPR is exclusively a consent regime. That is just not so.
Yet Canada opted to go all in on consent, with a number of exceptions that some consider to be similar to other forms of lawful basis for processing. I don’t. Every exception makes it easier for organizations to abuse your personal data. This is supposed to be a law designed to prevent that.
For example, Section 18(2)(e) says that if consent is too difficult to obtain, it is not required.
Section 12(1) states: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.” Could Facebook make a case that reasonable people expect them to do what they do with personal data? One could argue that you should realize that a “free” online service like Facebook has a “cost”, and therefore any “reasonable person” should know that Facebook is going to use your data to make lots of money.
Section 51 says consent is not required for publicly available information. That opens the door wide for most businesses. Does that mean any data they can find online is “publicly displayed”? Does that put all of your personal data up for grabs, to be used as companies see fit? If so, how does that differ from the way it is today? How does that create TRUST between the consumer and businesses?
There will be a lot more discussion about this going forward. The consent conversation is a very interesting one. The consumer will only have so much patience for companies requesting consent and businesses appear to have quite a few ambiguous exceptions to consent that could drive their behaviour with your personal data.
An expert Tribunal is a good idea. The Privacy Commissioner’s Office is stacked with privacy professionals who will conduct investigations and make recommendations to the Tribunal to fine offenders. If all members of the Tribunal do not have a privacy background and an in-depth understanding of the nuances that privacy professionals possess, how can they sit in judgement of the recommendations of the Privacy Commissioner’s Office?
Is this simply another patronage appointment for the current government to hand out to “friends”? Even if that is not the intent, we could see where it could turn into that very quickly.
There are 13 recommendations made by the INDU Committee in December 2017 as a result of their formal review of CASL. Only 1 recommendation was dealt with in these proposed changes! CASL, or as the current government refers to it, “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)”, is left relatively unenforced.
How can businesses that invested millions in CASL compliance take this government seriously regarding the enforcement of this new Bill? As a busy CASL compliance consultant, I saw the robust engagements stop in June 2017. They did not simply slow down. They stopped on June 8, 2017, when Minister Bains “indefinitely postponed” the private right of action. Clearly it was the only form of enforcement that business was truly concerned with. The CRTC did a great job of issuing precedent-setting AMPs and making guidance documents public during the first 18 months (July 1, 2014 – Dec 2015) and then turned their attention to international MOUs for the next 18 months. With the PRA coming into force on July 1, 2017, they would have been able to focus on the malicious spammers – the real troublemakers who are trying to infect our computers and electronic devices.
Currently, do you have a better chance of winning a lottery or getting fined under CASL? I find it difficult to get excited about this government’s claims that CPPA will be strongly enforced. I can’t hear you because your actions are too loud.
Why not deal with CASL and have both laws well enforced?
The standard for all businesses will shift dramatically. Along with PCI compliance, a small restaurant must now follow these privacy compliance standards:
Section 62(1) reads: “An organization must make readily available, in plain language, information that explains the organization’s policies and practices put in place to fulfil its obligations under this Act.” The information that must be made available includes:
(a) a description of the type of personal information under the organization’s control;
(b) a general account of how the organization makes use of personal information, including how the organization applies the exceptions to the requirement to obtain consent under this Act;
(c) a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them;
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
(e) how an individual may make a request for disposal under section 55 or access under section 63; and
(f) the business contact information of the individual to whom complaints or requests for information may be made.
So every business must document all privacy and data protection policies and procedures, train all staff on these new practices, create a data map that documents at all times what data it holds and the purpose it is used for, confirm the public was advised, set a deletion date or retention period, and build an entire process for documenting how the business manages data subject requests (DSRs). Let that sink in for a moment.
We see no small business exception here, and this is a concern. The CCPA in California says the CCPA applies to businesses that do $25M+ in annual revenue or maintain over 50,000 data files of Californians. This eliminates many of those small businesses that are not really affecting consumer trust. The little guys are not the problem.
The private right of action is limited to cases that have been fined by the Tribunal. In our opinion, this negates the private right of action, limiting it to simply doubling down on those who are already fined. Add the fact that damages must be proven (under CASL, damages were set at $200 per incident), and this makes it very difficult to exercise the PRA.
The primary purpose of the private right of action is to have the public keep businesses honest. It is a form of enforcement that all businesses are afraid of. The way to achieve widespread compliance with the privacy and spam laws is to implement a private right of action, with limitations to eliminate frivolous lawsuits.
The small team at the Office of the Privacy Commissioner cannot be the only enforcement tool. We have watched the CRTC enforce CASL and clearly businesses stopped caring about CASL on June 8, 2017. That was the day Minister Bains “indefinitely postponed” the private right of action that was the key enforcement tool for CASL.
This very limited PRA will serve no purpose other than creating extra monetary penalties for those charged by the Tribunal. Remember, the only way a business ends up in front of the Tribunal is after a detailed investigation by the Office of the Privacy Commissioner, which can only manage a certain number of investigations before major backlogs begin.
If enforcement is the key to this new privacy and data protection law, additional enforcement tools are a must – preferably ones that businesses are afraid of.
At the end of the day, does this proposed bill establish trust between the public and the business community? Not even close.