The Canadian government yesterday introduced the Consumer Privacy Protection Act (technically Bill C-11, the Digital Charter Implementation Act), which represents a dramatic change in how Canada will enforce privacy law. I quickly posted a summary of some of the key provisions yesterday, noting the need for careful study. That post focused on six issues: the new privacy law structure, stronger enforcement, new privacy rights on data portability and algorithmic transparency, standards of consent, bringing back PIPEDA privacy requirements, and codes of practice. This post raises ten questions that will likely emerge as pressure points, with stakeholders on both sides raising concerns about their implications.
1. Are the business exceptions too broad?
The CPPA features many exceptions to the general principle of mandating consent for the collection, use and disclosure of personal information. Of particular concern is Section 18, which covers “business activities”. The provision states:
An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2) and
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
In other words, no knowledge or consent is required for certain data collection categorized as business activities. What is covered? While most of subsection (2) is devoted to network security, safety or delivery of a service, (2)(e) covers:
an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual
It is one thing to cover direct activities arising out of a relationship between an individual and a commercial organization. But to cover activities with no direct relationship? That would seemingly invite all sorts of problems, not the least of which includes online tracking activities, where the bill would potentially remove the need for knowledge or consent.
The concerns about exceptions do not end there given lingering concerns about how existing exceptions have been used by law enforcement and some companies with respect to personal information. This will be a big issue for both business and privacy groups.
2. Do the de-identification provisions undermine the bill?
The Public Interest Advocacy Centre was out quickly with tough criticism of the bill, arguing that the de-identification provisions hollow out consumer privacy and that the bill should be withdrawn. At issue are provisions that provide an express right to use personal information without an individual’s knowledge or consent in order to de-identify the information. De-identified information plays an important role in a data economy, but many individuals simply do not want their data used, whether identifiable or not. The balance the bill seeks to strike is to create some limitations on de-identification and to feature very tough penalties should organizations re-identify the de-identified data. This represents a major tension between modern data-based commercial activities and privacy safeguards that will no doubt be the subject of much debate in the coming months.
3. Are complainants stuck if the Privacy Commissioner refuses to conduct an inquiry into a complaint?
The bill contains several provisions establishing rules for complaints, investigations by the Privacy Commissioner, appeals, and potential reviews by the new Personal Information and Data Protection Tribunal. There is a potential concern that complainants may find themselves largely shut out of the process should the Privacy Commissioner decline to conduct an inquiry. Section 88(1) says that the Commissioner may conduct an inquiry after investigating a complaint. The permissive approach suggests that the Commissioner is not required to conduct an inquiry for all complaints. While that makes sense – some complaints may not be worthy of an inquiry that requires a decision and findings – there still should be an avenue of appeal for complainants to the Tribunal. At the moment, the right of appeal in section 100 is limited to findings, orders or decisions, meaning that declining to investigate leaves complainants with no recourse other than judicial review.
4. Is the Tribunal going to be a problem for effective privacy protection?
The Tribunal will play a significant role in privacy enforcement under the new law, conducting reviews of Privacy Commissioner decisions with the power to increase or decrease potential penalties. In fact, the Tribunal could replace the Privacy Commissioner’s order with its own order. This additional administrative layer is enormously powerful in the Canadian privacy law framework. There is considerable uncertainty about who will be on the Tribunal, how it will conduct hearings, how long the process will take, and a myriad of other issues. Further, Tribunal decisions will still be subject to judicial review, suggesting that the process will add considerable time to the privacy complaint process.
There are some obvious immediate fixes that might address some of the uncertainty concerns. For example, the legislation requires that only one of the three to six Tribunal members have information and privacy law experience. That is a very low bar, particularly when compared with other similar tribunals, where most members arrive with expertise. Indeed, the value of a specialized tribunal is its subject matter expertise, and the potential lack of experts on the privacy tribunal is a source of concern.
5. Does the bill …