Constantine Karbaliotis

Maturing the Privacy Impact Assessment

January 28, 2022 by Constantine Karbaliotis

Privacy Impact Assessments (PIAs) have not changed dramatically over the past 20 years or so, or at least the approach to them hasn’t.

Whether the starting point is in a Word or Excel template or [one hopes] by using actual technology to support the process, a PIA involves a group of people in the organization sitting around a [virtual] table to assess the risks and identify mitigations, before ultimately presenting it for sign-off by [one hopes] someone at the right level to accept the residual risk.

What’s wrong with this, you might ask? It is certainly preferable to doing nothing, and in fact is a requirement for any privacy program worth its salt. It is increasingly also a legal requirement in many jurisdictions.

The problem is that this approach to PIAs creates a privacy echo chamber. Whether through meetings, or information gathering via technology that supports doing PIAs, it involves a group of internal employees assessing privacy risk, and ultimately accepting mitigations for a proposed use of technology or data. Inevitably, those involved will have similar viewpoints and see projects in a similar light.

So now for a revolutionary idea: why don’t we ask the people whose data we are using, what they think about what we are doing with their data?

Stay with me. Regulators have long supported that surveys, focus groups, and other ways of gathering stakeholder input would be influential in demonstrating an organization’s commitment to and accountability for privacy. So there is value in keeping your regulator happy, and this can mitigate the fallout should something unexpected or untoward occur.

What is the value to the organization? Well, these are your customers, your employees, your patients, your citizens. If you only look at PIAs in the echo chamber, you may miss how an average stakeholder reacts, and potentially miss the “that’s creepy” reaction. Increasingly, we are aware of how culture affects how we view privacy. For example, if the people assessing the risk of a geo-location app are all white males, they may fail to recognize how some data collection reinforces discriminatory pricing related to the area one lives in, or creates a potential risk to other groups, like the app being misused to stalk women.

Moreover, by explaining the good thing you are trying to accomplish, such as a new service, or greater convenience, you might well get suggestions from stakeholders as to how to reach that goal better, and without that potential “ick” factor. This might be through better notice or transparency, or data minimization.

And from the point of view of defending your choices later, it would seem a great insurance policy. So long as you haven’t failed to disclose something essential, and as long as you have approached seeking stakeholder involvement in good faith, documented stakeholder engagement can help demonstrate your practices were within individuals’ reasonable expectations should you be called upon to defend those practices at any time.

What are the downsides? Well, for an organization it could be scary, because it might mean hearing something you don’t want to hear – like the project is too invasive, too creepy. If the input is negative, and the remediation is too difficult or expensive, it might well kill the project. However, it is better to hear this early on than to find out later through complaints, a regulator, or negative press. More likely, you will find out that how you have presented or explained the project leaves people suspicious or concerned.

What kind of project would benefit from this approach?

This could vary widely. Let’s use a topical example, which might relate to COVID screening of employees. You might want to engage with some employees, or union representatives, with the goal of finding the least intrusive way to ensure a safe workplace. Should we screen behind a screen, so we don’t embarrass anyone by sending them home? Who should know if someone is sent home? You might discover better, more privacy-minded ways to accomplish this from people at the front line.

Another example is smart city initiatives, where you might survey how your constituents would respond to a rollout of publicly accessible Wi-Fi. Would you want it funded by advertising, and if so, would you collect any user profile data to offset costs? What about law enforcement access to individuals’ connections – can you commit to requiring a court order to respond to law enforcement’s requests? What kind of notice or information will work best to inform users in either case?

A survey or focus group can provide real insight into the views of individuals whose data you collect, use, and disclose. The use of tools to obtain this kind of input has, ironically, always been in the hands of marketing, who have the best tools for getting this kind of feedback. Despite the concerns stakeholders might have initially, marketing would be the best ally for effectively soliciting input and might well be the ones most impacted (astounded, even?) by consumers’ responses. That, after all, is their business.

As we continue to innovate in how data is collected, used, and disclosed, it becomes ever more important that we innovate in how we conduct PIAs. Unquestionably, there will be complex areas where surveys and focus groups with the public won’t work well. But these same techniques could be used with experts who understand complex topics. AI and data analytics are obvious examples. Specialists with knowledge in areas of ethics, medicine, data analysis, algorithms, or other specialty areas could also be leveraged to better understand and identify risks, evaluate approaches, and approve [or not] mitigations to risk. Publishing the results – transparency – would again help in demonstrating your commitment to privacy. Use of expert panels helps deal with the thorny question of demonstrating reasonableness or legitimate interests, where the processing activity is complex and informed consent is difficult to obtain.

Along with innovative technologies, innovative approaches to understanding and mitigating privacy risks can take the PIA out of a form-filling [and often dangerous rubber-stamping] exercise to something that inspires confidence with your stakeholders, your organization, and ultimately, your regulators.

Filed Under: Privacy, Privacy Impact Assessment

Ontario Launches Consultation Process on Privacy in the Private Sector

August 19, 2020 by Constantine Karbaliotis

It seems that the winds of change have come to the privacy landscape in Canada. Ontario’s provincial government announced on August 13, 2020 its intention to seek public input on ‘creating a legislative framework for privacy in the province’s private sector.’

Citing growing privacy concerns that have been amplified during the pandemic by increased reliance on data gathering and digital platforms, the consultation will focus on increasing transparency, enhancing consent and enshrining opt-ins for secondary uses of data, privacy protections for de-identified or derived data, a right to deletion or erasure, data portability, requirements for de-identification, and increasing the enforcement powers of Ontario’s privacy commissioners.

There are two notable areas for those who have been following Canadian privacy legislative reform. The first is the expansion to non-profit and non-commercial organizations, which would notably catch charities, trade unions, and political parties (significant in light of the concerns arising out of the Cambridge Analytica case, in which only British Columbia could assert any authority over political parties).

The second intriguing area is the notion of enabling data trusts, for data sharing. This concept became important during the abortive Sidewalk Labs project in Toronto, where data trusts emerged as a way to address the risks associated with the large-scale collection of data in the smart city project. The data trust became an important vehicle to address concerns over data sovereignty, and the policy objective of deriving public benefit from private data.

The significance of Canada’s largest province and economy undertaking privacy legislation should not be underestimated. Federal privacy law currently applies to commercial activities in Ontario. The only Ontario law recognized as substantially similar by the federal government is PHIPA, the Personal Health Information Protection Act, which applies only to the protection of health data in the health sector. The federal law, PIPEDA, does not govern employee data except where the sector is directly under federal jurisdiction (such as banks and airlines), and that gap has become noticeable during the pandemic. And there is no legislation addressing the significant non-profit sector.

In addition to these points, Canada’s federal law is itself in a revision process to address the significant changes that have taken place since it was enacted over twenty years ago, and to rise to the challenge our legislative regime will undoubtedly face in retaining its adequacy status with the European Union under GDPR. One critical factor for adequacy has always been the limitation of it to data governed by PIPEDA, and the ‘elephant in the room’ has always been the significant amount of data and activities under provincial jurisdiction.

Another key factor in Ontario is the tabling of legislation in Quebec in June, introducing an explicitly GDPR-like framework. In my commentary on that, I wondered if this would affect or alter the course of the federal government’s proposed changes by ‘raising the game.’ Now with Ontario entering the discussion on the future of our privacy regime, it makes certain elements I raised previously more urgent to address:

  • Canadians, and the Canadian economy, are not well served by a patchwork of different laws. We have been fortunate that because of our principles-based laws, we have largely ended up at the same place in terms of privacy values and results. This is true even between Quebec, which is a civil law jurisdiction, and the ‘rest of Canada’, which is common law, and between provincial and federal levels. Canadian businesses should not face the challenges that our friends in the US do in trying to comply with inconsistent laws.
  • It is in the interests of consistency and business predictability that we maintain a common market focus in our data protection laws. GDPR itself has as its goal the free flow of data between EU member states. It is also worth noting the IMF has estimated 4% of our GDP is ‘inhibited’ by internal trade barriers, an issue Canada’s Agreement on Internal Trade aims to address. We want to avoid creating new barriers to trade within Canada.
  • Again, we cannot neglect our adequacy discussions with the EU; and as I have pointed out before, data goes with the trade. The original reason for PIPEDA was to facilitate and maintain trade relationships with the EU, and now more than ever, with a devastating economic contraction, our trade relationships must be maintained and strengthened externally and internally. We want to ensure that the EU is confident in exchanging data with Canada, all of Canada, and the Schrems II decision (which Abigail and I have discussed here), undoubtedly signals that we have to rise to the challenge.
  • While we need to address the business elements in privacy reform, it is worth also noting that our legal and constitutional framework has increasingly recognized privacy as a human right, through the Supreme Court of Canada and other court decisions. The Canadian genius has always been to find that balance that supports business without sacrifice of those intrinsic values. This consultation is an opportunity to ensure that we promote business interests in data-driven innovation without creating an economy of digital have-nots, and that the goals of supporting the economy are consistent with personal control over the uses of data.

What an exciting time to be in privacy in Canada! There is an opportunity now to influence the future, and to build a framework that provides an integrated and consistent approach from sea to sea to sea; one that supports both our desires to remain in control and supports our data-driven economy. Canada, Ontario and Quebec now have the opportunity to lead in re-establishing Canada as a global privacy leader, and to make privacy Canada’s competitive differentiator. The consultation closes on October 1, 2020.

Filed Under: Legislation, Ontario, Privacy

Schrems II: Impact on Data Flows with Canada

August 18, 2020 by Constantine Karbaliotis

On 16 July 2020 the Court of Justice of the European Union (CJEU) decision (Schrems II) sent a shockwave through the privacy, tech and business communities with its determination that the Privacy Shield is no longer a valid basis for transferring EU personal data to the US. Though focused on the US, this decision has the potential to impact Canadian businesses in a number of ways.

We will not reiterate what has already been described in numerous articles available through the IAPP about the decision itself, its history and lead-up; an excellent Canadian-oriented perspective is provided by Colin Bennett here. For what Canadian companies need to do about it, some background about Canada and its adequacy determination is needed. We will be developing some further articles to address Canadian concerns and provide practical tips, and we hope you will follow along with us.

The Limits of Adequacy

Canada’s adequacy determination in Commission Decision 2002/2/EC was limited to data that was under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). This means organizations that: (1) fall under federal jurisdiction, such as banks, airlines, and telecommunications; (2) are works declared to be federal works or undertakings; and finally (3) carry on commercial activities, whether under federal or provincial law, involving the collection, use or disclosure of personal information, where a province has not passed substantially similar legislation. Note that employee data, other than that of organizations falling under (1) and (2) of PIPEDA’s ambit, is therefore not included in the adequacy determination.

To date, Alberta, British Columbia, and Quebec have privacy legislation that takes commercial activities in those provinces out of the federal jurisdiction through the ‘substantial similarity’ exemption to PIPEDA. Federal privacy law defers to provincial law if a province meets the substantial similarity test, providing a baseline of privacy regulation across Canada. This division of authority is important, because for provinces recognized as substantially similar, their laws have not been given the stamp of ‘adequacy.’ The Commission Decision however explicitly calls out that ‘substantial similarity’ exclusion only applies to processing activities within the province in question. Once processing involves another province or country, PIPEDA will apply.

Employment data transfers in cases falling under (3) above should always have been done pursuant to another international data transfer mechanism, such as Standard Contractual Clauses (SCCs), rather than adequacy, because as long as the data remains within the province, it will be under the exclusive jurisdiction of that province, not PIPEDA, and therefore cannot benefit from the adequacy decision. Many European lawyers are quite aware of this fine point, though many in Canada have been surprised by the distinction. What was anticipated in the original EU decision was a process by which Canadian federal recognition of substantial similarity would lead to an adequacy determination that would address these gaps in adequacy; this process was never actually developed.

The consequence is that a careful review is required to determine if adequacy applies to the personal data that a controller or processor will be processing in Canada. If it does not, an SCC is required; and this then requires the same kind of risk-based analysis that our US counterparts are now undertaking.

There are some fundamental differences between that risk assessment in the US and that in Canada. This will be the subject of a future article, but in short, while Canada is a member of the “Five Eyes,” there are different legal redress mechanisms, Supreme Court of Canada decisions, and other considerations which may make the risk considerably lower than equivalent transfers to the US.

Impacts on Canadian Data Flows

The impact for Canada lies in three main areas:

  1. Companies that rely on Standard Contractual Clauses (SCCs), rather than Canada’s adequacy determination, to process data of European residents either as a data controller or processor must immediately undertake a formal risk assessment that addresses the risk associated with the transfer of the personal data being processed to Canada. The nature of that risk assessment and what companies can rely upon, as mentioned, will be the subject of an article in its own right. However, documenting this risk analysis, as well as identifying and implementing appropriate risk mitigations, is essential to preserving those data transfers; see this interview with Abigail expanding on this assessment.
  2. Canadian companies that relied, indirectly, on Privacy Shield certification to process Europeans’ data in the US: The Privacy Shield determination solely applied to cover EU to US data transfers. Perhaps hopefully, some Canadian entities may have relied on their parent’s or subsidiaries’ or even processors’ Privacy Shield certification to address onward transfers to the US, in lieu of a formal agreement. As Privacy Shield is obviously no longer valid, these companies clearly must repair this misapprehension.
  3. Canadian companies that rely on service providers, entities or cloud services based in the US or other third countries to process EU personal data (“onward transfers”): While the Schrems II decision does not attack or undermine current adequacy determinations, onward transfers have always been a sticking point for the EU in relation to Canadian adequacy, based on the concern that onward transfers from Canada to the US or elsewhere are not subject to the same restrictions as they are when made directly from the EU. Canadian companies need to ensure they have undertaken the appropriate risk analysis, and documented and put in place SCCs or their equivalent, whether relying on adequacy or not. This applies whether the transfer is made to the US or any other non-adequate country. GDPR requirements follow the data: a Canadian controller must ensure the processing can continue to comply with GDPR ‘down the chain’, regardless of where the data is transferred. And a Canadian processor’s duty to process the personal data only on the controller’s instructions extends to any international data transfers. Canadian companies relying on US sub-processors should expect a call in the near term.

Canadian accountability principles require (as recently reinforced by the Equifax decision) some formality around transfers out of Canada of Canadians’ personal information. (It is arguable that the Equifax decision, rather than being one explained by consent principles, is really about accountability and the need to formally ensure that a data controller (to use EU parlance) remains in effective control over data processing activities by its processor). Complying with PIPEDA’s accountability principles then can be part-and-parcel of addressing the challenges arising from Schrems II in relation to onward transfers.

So to summarize needed actions by Canadian companies:

  • If you are processing data as controller, or as a processor for a client with EU personal data, and relying on onward transfers, first do a risk assessment; and then assuming the risks are addressable, put in place SCCs between yourself and any organization doing processing for you, if in a non-adequate country;
  • If you are relying on adequacy for transfers from the EU to Canada, be sure you are correct in doing so; and if you cannot rely on adequacy, again, conduct a risk assessment and document the transfer with an SCC.

There are some further action steps for Canadian companies, which we will also address in future articles. We should not rest on our adequacy laurels. Be aware that Canada, as well as all other countries in the ‘league of the adequate’, will have their adequacy determinations reviewed by 2022. We can likely anticipate hearing from the EU this fall concerning Canada’s adequacy status.

To avoid the potential for disruption as our friends in the US are experiencing, it is important to consider what fall-backs your organization would rely upon to ensure that data transfers from the EU are not disrupted, as we have not been good at updating our privacy legislation quickly. Canadian companies need to consider how to switch to SCCs, or find alternative mechanisms. This is not going to be easy or quick, and so planning now is essential.

We also need to address privacy reform. Enlightened self-interest would dictate that Canadian businesses press our governments to act on privacy reform – for our own sakes, certainly first as Canada’s needs should certainly drive our discussion – but also to preserve Canada’s trade relationships with the EU, which in these uncertain times, is more important than ever.

Filed Under: Adequacy, Privacy Shield, Transborder Data Flows

Canada’s Supreme Court upholds Genetic Non-Discrimination Act

July 14, 2020 by Constantine Karbaliotis

On July 10, 2020, Canada’s Supreme Court issued its Reference re Genetic Non‑Discrimination Act decision, surprising many by upholding the Genetic Non-Discrimination Act (GINA)’s constitutionality in a 5-4 decision. This is consequential for Canadian privacy in many ways, and I will attempt to provide some context for both Canadians and non-Canadians to understand how this decision came about, and why it is consequential. (As my colleague Dustin Moores pointed out, recent news analysis has been more focussed on the decision’s constitutional-criminal law implications—I won’t pretend to analyze it from those contexts—but GINA is ultimately a privacy law, so it’s time for a privacy pro’s perspective).

Some brief background and procedure: The reference process allows governments to request from courts a determination of a law’s constitutionality without it being started by traditional litigation. Parties can request to weigh in as intervenors, and this is important in this context. The reference was started in the Quebec Court of Appeal as the Quebec government challenged GINA as being outside the federal government’s powers under our Constitution Act, 1867 (Constitution), on the basis that the federal criminal power was being used to legislate on subject matter reserved for the provinces under our constitution. The Quebec decision held that GINA exceeded the authority of Parliament; and the Canadian Coalition for Genetic Fairness, an intervenor in the Quebec Court of Appeal case, appealed as of right to the Supreme Court.

Some further history is important in how the law came to be. GINA was a result of a private member’s bill, not sponsored by the government. There was intensive lobbying by the insurance industry against the bill, but it was ultimately approved in an open vote by Parliament. The federal government’s position at the time of passage and throughout the hearing, was that GINA was beyond Parliament’s jurisdiction, so we have the unusual circumstance of both the provincial and federal governments arguing that a federal law was unconstitutional.

The decision, I think it is fair to say, surprised many, as it was expected the Quebec decision would be upheld. However, the Supreme Court held it was within the federal government’s criminal law power under s. 97(27) of the Constitution, by prohibiting the risk of harm from genetic discrimination and genetic testing, and viewed ‘protecting fundamental moral precepts or social values’ as legitimate bases on which to found that authority.

The Supreme Court decision may be coloured by general privacy concerns arising out of the current pandemic. In the majority opinion (of which there are two), Justice Karakatsanis stated,

Parliament is entitled to use its criminal law power to respond to a reasoned apprehension of harm, including a threat to public health.

Genetic discrimination and the fear of genetic discrimination are not merely theoretical concerns. Testimony before Parliament demonstrated that fear of genetic discrimination leads patients to forego beneficial testing, results in wasted health care dollars and may deter patients from participating in research that could advance medical understanding of their conditions. Genetic discrimination is a barrier to accessing suitable, maximally effective health care, to preventing the onset of certain health conditions and to participating in research and other initiatives serving public health. Parliament accordingly apprehended individuals’ vulnerability to and fear of genetic discrimination based on test results as a threat to public health…

…Giving individuals control over access to their genetic test results by prohibiting forced genetic testing and disclosure of test results and the non‑consensual collection, use or disclosure of genetic test results in the areas of contracting and the provision of goods and services targets the harmful fear of genetic discrimination that poses a threat to health. The Act was intended to target that fear.

The dissenting opinion focused on the regulation of contracts—insurance for instance—and was of the view that GINA impinged on the provincial jurisdiction over property and civil rights, and that the criminal law power cannot be used to circumvent provincial jurisdiction.

GINA has very wide and powerful implications. Sections 1-4 prohibit the use of genetic testing or requiring genetic testing, as a condition of providing goods or services, or entering into or continuing a contract or agreement, or to discriminate against a person based on a refusal to provide the results of a genetic test. Collection of genetic information must be done with consent (s. 5), with some exceptions for health care practitioners and researchers (s. 6). Section 7 creates the offences: fines up to $1 million on indictment, or $300,000 on summary conviction, or imprisonment of up to five years on indictment or one year on summary conviction. The law also made corresponding amendments to the Canada Labour Code and the Canadian Human Rights Act.

What are GINA’s consequences? First of all, employers and insurers cannot, without consent, use or demand genetic testing or information as a condition of employment or insurance coverage, nor can they discriminate based on a refusal to provide consent.

GINA is not solely directed at one sector or type of agreement. For instance, consumer ancestry tests now come with a heightened certainty that the results cannot be used or compelled in a way that would harm a user of those services. This should give that industry a welcome boost to the confidence it can offer consumers. At the same time, given the criminal law consequences, controls over genetic data must be tightened to avoid attracting liability.

The exception for research or health practitioners is limited; use and disclosure of genetic data without consent is permissible only in the context of providing health services or research in which the individual is a participant. This may motivate some greater focus on the risk of reidentification from genetic information in the research context—not a new risk, but now one with some added teeth.

More broadly, what does this decision say about the state of privacy in Canada? The Supreme Court, and in fact many courts, have taken the lead where legislation has faltered to protect the privacy rights of Canadians. The decision reflects Canadian societal values and the increasing importance of expectations of privacy. It bolsters, as does the recent Federal Court of Appeal decision in “Compufinder” (which upheld the constitutionality of Canada’s Anti-Spam Law), federal legislative authority over privacy. Together, that and the GINA decision must be giving the Ministry of Innovation, Science and Economic Development (ISED) some secret joy as it makes constitutional challenges increasingly unlikely to succeed against Canada’s federal private sector privacy law as ISED moves to implement Canada’s Digital Charter and update our legislation, while also navigating the challenge of how to incorporate specific or ad hoc legislation like GINA into a common set of principles.

The importance of releasing the proposed federal law has now been heightened by Quebec introducing a draft update to its provincial privacy law that is very GDPR-like. And in the background, Canadian adequacy is likely to face a review from the European Union—perhaps quite soon. Combined with the uncertainty over the United Kingdom’s adequacy negotiations with the EU, and the upcoming Schrems II decision, there seems to be a perfect mix of events to make privacy reform in Canada a priority for federal attention in order to preserve the trade relationship with the EU.

The GINA decision of the Supreme Court itself lends support to Canadian claims that privacy is important and fundamental to Canadian law, and adds a significant ‘plus’ on our privacy ledger.

Filed Under: Genetic Privacy, Supreme Court

Quebec takes first step toward GDPR-style privacy legislation

June 22, 2020 by Constantine Karbaliotis

On June 12, 2020, Quebec tabled its proposed update to its public and private sector privacy laws, and it lives up to the promise of the “GDPR-style legislation” first announced this spring. There are a number of elements that echo other federal and provincial privacy laws in Canada, but there is a very strong European flavor. (Please note that Quebec follows a civil code legal system as opposed to its common law counterparts in the rest of Canada, and forthcoming guidance from Quebec lawyers will certainly be more definitive than this analysis. I am not a Quebec lawyer; this is intended only to provide a comparative view.)

Quebec was one of the first jurisdictions in North America to introduce a private sector privacy law (1993), but it has grown long in the tooth, with periodic challenges from Europe as to its adequacy. This legislation represents a significant update and may initiate a national conversation on privacy as the federal government has promised changes to the federal regime, as well. Given our competitive federal-provincial relationships, it may be optimistic, but one hopes for collaboration to ensure that one of the principal purposes behind the EU General Data Protection Regulation (the free flow of data within the EU) is mirrored within our own Canadian common market.

The tabled legislation updates a number of provincial laws, including those affecting the public sector; however, the focus here will be on the update to the “Act Respecting the Protection of Personal Information in the Private Sector.” The sections referred to below are to the proposed amendments.

The following sections reflect the amendment’s GDPR-like components:

  • Governance: There is a requirement to have a person in charge of personal information (Section 3.1), equivalent to a data protection officer (referred to below as the PICOPI), and privacy policies and a framework for the protection of PI (Section 3.2). Section 81.2 provides for on-demand demonstration of compliance.
  • Enforcement: Quebec’s Commission may make an order to “take any measure to protect the rights of the persons concerned,” including an order for the return or destruction of any PI. Sanctions can be levied for failure to provide notice, for collection or use of PI in contravention of the act, and for failure to report a confidentiality incident (Section 90.1). The Commission can issue notices of noncompliance (Section 90.3) or administer a monetary penalty not exceeding $50,000 for an individual; in all other cases, penalties may reach $25 million or, if greater, an amount corresponding to 4% of worldwide turnover for the previous year (Section 90.12) ($10 million and 2% respectively for administrative sanctions).
  • Legal grounds for processing: Section 4 requires a determination of the purposes for collecting PI, and Section 5 requires that only the information necessary for that purpose may be collected. Processing of PI without consent is permissible for the purposes of carrying out a contract (Section 18.3). PI concerning a minor under 14 may not be collected without consent of a parental authority unless clearly for a minor’s benefit.
  • Processors: An equivalent to Article 28 of the GDPR is found in Section 18.3(2), which provides for contractual requirements to ensure the confidentiality of PI, as well as limitations on use and retention.
  • Privacy impact assessment: Numerous PIA requirements are contemplated within the amendments. For instance, the introduction of technology for any information systems or electronic service delivery (Section 3.3) requires a PIA. Privacy by default is mandated (Section 9.1) to ensure the highest level of confidentiality by default without any intervention by the person concerned, and the PICOPI must be contacted before a project commences or may intervene to suggest privacy-enhancing measures. For transborder flows and incidents, formal risk assessments are also mandated (below).
  • Transborder data flows: An assessment is mandated if PI is communicated outside Quebec or is collected or used under the organization’s authority and must address sensitivity of PI, the purposes for its use, protections and — quite importantly — the legal framework applicable to the jurisdiction to which it is being communicated (Section 17). “Equivalence” must be established in this assessment to permit the transfer and may be based on a written agreement that addresses the results of the assessment. Interestingly, there will be a published list of jurisdictions deemed as equivalent (s. 17.1).
  • Individual rights: There are a number of rights set out, including the right, upon collection or on request, for the individual to be told in clear and simple language the purposes and means of information collection (Section 8), and of their rights of access, rectification and withdrawal of consent. Section 8 also provides for notice if the information could be communicated outside Quebec. Anyone collecting PI from another enterprise must, at the request of the person concerned, inform the latter of the source of the information (Section 7). Other rights include data portability (Section 3.3) and, in the case of marketing (“prospection”), the obligation to communicate to a person the identity of the party using the PI and the right to withdraw consent. Section 27 obligates organizations to confirm the existence of PI, communicate it and provide a copy. Section 32 provides that an individual rights request must be addressed within 30 days.
  • Right to be forgotten: Section 28.1 provides for a right to be forgotten by deindexing any hyperlink attached to an individual’s name, where dissemination causes serious injury to reputation or privacy, and the injury is greater than the interest of the public in freedom of expression or public knowledge. Several detailed criteria are set out for this assessment.
  • Profiling: A concept introduced with this law and defined in Section 8.1 by reference to a person’s work performance, economic situation, health, personal preferences, interests or behavior. It requires advance notice of the use of technology that creates a profile, as well as the means to deactivate that function, if available.
  • Automated processing: This is also defined (Section 12.1). Individuals must be informed of the PI being used to render a decision about them, the reasons and principal factors and their right to have the decision corrected.

The following elements of the amendments echo Canadian legal developments:

  • Notable is the breach section, which uses the term “serious injury” as the threshold; looking at the factors identified to determine that, it appears quite similar to the “reasonable risk of substantial risk of harm” test enunciated in Canada’s federal law (as with Alberta’s), as does the requirement to notify the Commission, the individual(s), and third parties who can reduce the risk. Section 3.6 defines a “confidentiality incident” as unauthorized access, use, loss or communication of PI. Section 3.7’s criteria for assessing serious injury include the sensitivity of the PI, the anticipated consequences, and the likelihood of injurious use. There is also a requirement to consult with the PICOPI. Section 3.8 also requires a register of confidentiality incidents, which echoes the federal requirement for a record of breaches of security safeguards.
  • Notice and consent provisions continue and amplify Quebec’s existing requirements. Quebec notably did not join the joint statement by the federal and provincial commissioners on informed and meaningful consent because these requirements already existed within Quebec’s law. Consent requests must be made separately from other information requests and “consent must be clear, free and informed” and must be expressed when it comes to sensitive PI (Section 14).
  • As with Alberta’s Personal Information Protection Act, there is an express obligation to destroy information no longer required for the purposes for which it was collected; this can be satisfied through anonymization (Section 23).

What I think is interesting or unique in Quebec’s law:

  • A “lessons learned” or remediation exercise for confidentiality incidents (Section 3.5) with the PICOPI’s input is mandated to prevent new incidents of the same nature.
  • There is an explicit law enforcement exemption for notification (Section 3.5) to avoid hampering investigations, which is reflected in some U.S. legislation but not Canadian; what is not addressed is how long this should last or how this should be balanced against notification.
  • Section 12 requires, as with GDPR in the case of reliance on legitimate interests, an articulation of the benefits to the individual in the case of secondary uses of information.
  • Quebec’s law has always had a category of “personal information agents,” or data brokers. Going beyond data broker-type laws in the U.S., the amendments extend the data subject access rights to this category and impose further obligations on such agents (Section 74 and on). There is a clear retention period of seven years for any data held by PI agents.
  • As noted, transborder flows require a PIA under Section 17. What is interesting is how the “white list” of jurisdictions considered equivalent under Section 17.1 removes or reduces the assessment required to satisfy the equivalence test but leaves the PIA obligation.
  • Express protection is articulated in Section 81.1 that prohibits reprisals for someone bringing a complaint or cooperating in an investigation. This echoes the California Consumer Privacy Act in prohibiting discrimination but also presumably encompasses whistleblower protection for employees.

The legislation is of course not final, and timing is not certain given the ongoing pandemic, but given the great attention on the use of PI at this time, it seems that privacy reform is top-of-mind for the public, and therefore for legislators.

The author would like to thank René W. Vergé, lawyer at e-Risk.ca, for his welcome input as a member of the Quebec bar and Dustin Moores, lawyer at nNovation, for editing and comments.

Filed Under: Legislation, Quebec

Comparing Facebook’s Settlement with Canada’s Competition Bureau with the Privacy Commissioner’s Recommendations

May 22, 2020 by Constantine Karbaliotis

Now that Facebook’s settlement with the Competition Bureau Canada (the “Settlement”) has been published, it is interesting to consider how this could impact other regulatory actions Facebook is dealing with in Canada with the federal Office of the Privacy Commissioner (OPC).

The Settlement is quite short but has some interesting implications. First, it expressly states that Facebook’s agreement does not constitute an admission of guilt under the Competition Act or any other law, so this settlement doesn’t preclude Facebook’s ability to challenge the OPC’s report, as it is currently doing, through a judicial review application or at the hearing of the OPC application to enforce its report. However, Facebook is not permitted to make any public statements that contradict the terms of the settlement agreement. The recitals state the Competition Bureau Commissioner’s conclusions, which are not admitted to, but the fact of those conclusions, and the commitments by Facebook, cannot be denied. The recitals also note Facebook’s Consent Decree with the FTC of July 2019, which brings Facebook’s compliance program into the Settlement.

The financial penalty is substantial for Canada: $9 million, plus $500K to cover the Bureau’s costs of investigation.

More interesting are the ongoing commitments. Facebook is first of all not permitted to make any materially false or misleading statements in the future concerning the extent to which users can control access to their personal information, as the Settlement puts it:

The Respondent shall not make, in connection with a Facebook product or service, any representation to the public that, taking into account its general impression as well as its literal meaning, is materially false or misleading regarding the disclosure of Personal Information, including how and the extent to which Users can control who can access the Personal Information.

Secondly, Facebook must within 180 days ensure its compliance program supports this commitment. Facebook is obliged to “review” the Bureau’s Corporate Compliance Program Bulletin (“Bulletin”) with the aim of aligning Facebook’s compliance program with the Bulletin. To reinforce these obligations, senior management is required to sign and acknowledge this commitment to “fully support and enforce” the compliance program. This creates the risk of personal liability, both civilly and criminally, for future transgressions.

Third, there is ongoing monitoring: senior management must be provided with a copy of the settlement agreement with the view to ensuring that Facebook responds to the Bureau on matters covered by the sections dealing with statements about user control, as well as senior management acknowledgement of the Settlement and its terms. There must be a response within 45 days. The Settlement is binding on Facebook for 10 years.

What does “review” of and “aligning” to the Bulletin mean? The Bureau obviously has a wider remit than privacy: competition law, of course, and misleading advertising, which is how, as with the FTC, privacy statements can bring companies under its authority. The Bulletin speaks to compliance more broadly, and would include privacy programs:

  1. Management Commitment and Support
  2. Risk‑based Corporate Compliance Assessment
  3. Corporate Compliance Policies and Procedures
  4. Compliance Training and Communication
  5. Monitoring, Verification and Reporting Mechanisms
  6. Consistent Disciplinary Procedures and Incentives for Compliance
  7. Compliance Program Evaluation

Privacy Commissioners’ Recommendations

  • Implementation of measures to obtain meaningful consent that clearly informs users of consequences in a timely manner
  • Because of the failure to take accountability, the OPC and BC Commissioner recommended the ability to conduct audits of the privacy policies and practices

Competition Bureau Settlement

  • While expressed in the negative, the Settlement effectively requires meaningful consent
  • The ability of the Bureau to monitor for 10 years how Facebook complies with its commitment to the section noted above gives it considerable insight into how Facebook obtains data from users, and to monitor its practices.

It will be interesting to see how the Facebook challenge to the OPC’s report continues, and whether in fact it will be meaningful in light of this settlement.

For businesses operating in Canada, the settlement indicates a new and material enforcement player in the area of privacy, the Competition Bureau Canada; it has traditionally been hard to get management attention given the limitations on our Commissioners’ enforcement powers, limitations the Competition Bureau does not suffer from. It also gives privacy officers and privacy program designers an additional resource/checklist against which to measure the effectiveness of their programs, and a common framework with which to integrate privacy into general compliance programs.

Filed Under: Competition Act, PIPEDA, Privacy Commissioner of Canada, Uncategorized
