nNovation LLP

Small Canadian regulatory law firm with a big presence


Legislation

The problem with de-identification in the Consumer Privacy Protection Act

December 15, 2020 by Shaun Brown

The recently tabled Consumer Privacy Protection Act (CPPA) would allow organizations to use and disclose de-identified information for certain purposes without consent. This makes sense, but there is a flaw: information that is de-identified according to the law is not even personal information. So privacy legislation shouldn’t apply. Yet, according to the proposed CPPA, de-identified information is personal information, excluded from only some of the CPPA’s requirements. This seems to defeat the purpose of referencing de-identification in the first place, while potentially redefining the concept of personal information.

What is de-identification?

To de-identify personal information in the CPPA means the following:

to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.

De-identified information appears to be a new category of personal information that would remain within the scope of the CPPA, although certain uses and disclosures can be made without consent. De-identified information can be used by an organization internally for research and development purposes. It can be disclosed to government institutions, health care institutions, post-secondary institutions, or other entities prescribed in regulation, for “socially beneficial purposes”.1

The CPPA does not explicitly state that de-identified information is personal information. However, this is implied, as the CPPA applies only to activities involving personal information according to the sections of the law describing its purpose and application.2 There is nothing to suggest that the law is intended to apply to de-identified information in addition to personal information.

What is personal information?

To understand the problem, it’s necessary to consider the meaning of “personal information”, defined as “information about an identifiable individual”. There are two related and overlapping lines of inquiry under this definition. The first is whether the information is “about” an individual (as opposed to, for example, an object). The second is whether an individual is “identifiable”.

In the absence of statutory guidance, courts have used different language to interpret this definition. In 2007, the Federal Court of Appeal stated that an individual is identifiable if it is “reasonable to expect” that an individual could be identified from the information alone or combined with “sources otherwise available”.3 A year later the Federal Court of Canada adopted the standard put forward by the Privacy Commissioner of Canada: there must be a “serious possibility” of identifying an individual through the information alone or combined with “other available information”.4

More recently, the Federal Court found that “serious possibility” and “reasonable to expect” are effectively the same thing: more than mere speculation or possibility, but not probable on a balance of probabilities.5

The need for a different threshold

De-identification in the CPPA uses effectively the same threshold as personal information, but in reverse. We’ll call this the “serious possibility/reasonably foreseeable” threshold. The courts have said that information is personal if there is a serious possibility that an individual could be identified, which is equivalent to “reasonable to expect.” Under the CPPA, personal information becomes de-identified if there are no “reasonably foreseeable circumstances” in which an individual could be identified. So personal information that is de-identified under the CPPA should not be personal information according to our current understanding of personal information as interpreted by the courts. Except, in the CPPA, it is.

Here’s another way of looking at it. In our current world, information becomes personal when it rises above the threshold of serious possibility/reasonably foreseeable, as seen in figure 1 below. Yet, under the CPPA, information that is personal information becomes de-identified personal information when it crosses below the threshold of serious possibility/reasonably foreseeable, as seen in figure 2.


An obvious question is when, if ever, does personal information become non-personal? In other words, once information becomes personal and within the scope of the CPPA, is it possible to transform it so that it is outside the scope of the CPPA? Currently, information that is sufficiently de-identified to no longer qualify as personal information is not regulated under PIPEDA (even if it is not truly anonymized). The effect of the CPPA seems arbitrary. If the information had been collected in a manner that never met the threshold for what constitutes personal information, it would never be subject to the law. However, because the information was, at some point, within the scope of the law, it is permanently trapped.

Even more confusing, does this alter the definition of personal information? If so, where is the new threshold? It seems that this would have to be lower under the CPPA than it already is.

It might be argued that there is a meaningful difference between “serious possibility/reasonable to expect” and “reasonably foreseeable circumstances”. But this isn’t tenable. When comparing “serious possibility” with “reasonable to expect”, the Federal Court said that it may be “impossible” to discern a meaningful difference. There’s no way the rest of us could be expected to differentiate between “reasonable to expect” and “reasonably foreseeable”.

Even less probable is an intentional effort to expand the definition of personal information, and in turn, the scope of the law. The government would have to be more explicit about such a significant change.

Most likely, this is just a well-intentioned idea with flawed execution, which would make the law too confusing.

One potential solution is to modify the definition of “de-identify” by removing the reference to reasonably foreseeable circumstances, as follows:

de-identify means to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual. [struck out: or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual]

This would create a threshold for de-identified information that is clearly distinct from the definition of personal information, which would seem to accomplish the objective of including de-identified information in the CPPA.

Another option is to just remove all references to de-identification from the law. Though maybe not ideal, if the threshold for de-identification is not modified to differentiate it from the definition of personal information, then the law would be better without it.

Filed Under: Legislation, PIPEDA, Privacy Reform

The Digital Charter Implementation Act: A Clear Plan for Change

November 19, 2020 by Shaun Brown

The Canadian government tabled draft legislation on November 17 that would make significant changes to the federal private sector privacy landscape. Bill C-11, the Digital Charter Implementation Act (DCIA), would replace Part 1 of the Personal Information Protection and Electronic Documents Act with the Consumer Privacy Protection Act (CPPA), create the Personal Information and Data Protection Tribunal Act (PIDPTA), and make minor amendments to several other laws.

The CPPA encapsulates the most fundamental aspects of Part 1 of PIPEDA, as it remains focused on providing individuals with control over how their personal information is collected, used and disclosed by organizations in the course of commercial activity. However, there are several important changes in both form and substance.

First, federal privacy law would exist in a standalone act, no longer bound to other, unrelated parts dealing with electronic documents. And, although the CPPA remains rooted in the ten privacy principles, unlike PIPEDA, it does not incorporate wholesale and build on the Canadian Standards Association Model Code for the Protection of Personal Information (which was an unusual way to draft a law).

In terms of substance, here are some of the most important changes:

  • Privacy management program. Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect personal information, deal with privacy complaints, train personnel, and develop materials to explain an organization’s policies, practices and procedures. The Office of the Privacy Commissioner (OPC) would be authorized to demand access to these policies at any time.
  • Appropriateness. The CPPA incorporates and builds on the “reasonable purposes” clause of PIPEDA with a more comprehensive standard for when it is appropriate to process personal information.
  • Exceptions for business activities. The CPPA defines a list of “business activities” for which an organization can process personal information without consent.
  • Transfers to service providers. The CPPA would firmly establish that knowledge and consent are not required to transfer personal information to a service provider. It also helpfully clarifies when an organization is considered to have control over personal information.
  • De-identified information. The CPPA defines circumstances in which de-identified information can be processed.
  • Automated decision-making. If an organization uses an “automated decision system” to make a prediction, recommendation or decision about a person, the organization would be required to, on request, explain the prediction, recommendation or decision, and how the personal information used to make the prediction, recommendation or decision was obtained.
  • Data mobility. Individuals would have the right to transfer their data between organizations if those organizations are subject to a “data mobility framework” defined in regulation.
  • Disposal of data. The CPPA would provide individuals with an explicit right to request the deletion of their personal information.
  • Revised OPC powers. The OPC would have the authority to make orders requiring compliance with the Act and to recommend penalties.
  • Tribunal. The new Personal Information and Data Protection Tribunal would hear appeals from OPC orders. It would also have the ability to impose penalties, if recommended by the OPC.
  • Penalties. The CPPA provides for maximum penalties of up to 3% of global revenue or C$10 million for most contraventions, and up to 5% of global revenue or C$25 million for certain offences.
  • Codes of practice and certification. The CPPA would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.
  • Private right of action. Individuals affected by contraventions of the law would have a right to sue for actual damages suffered. This right would only be available following an OPC finding that a contravention had occurred, which is not successfully appealed to the tribunal.

The DCIA would create the most significant change in Canadian privacy legislation in 20 years, aligning federal private sector privacy law – which applies throughout the country except in Alberta, British Columbia and Quebec – more closely with the EU General Data Protection Regulation. However, Bill C-11 still has a long road to travel before it becomes law, which is far from certain. The federal legislative process tends to move very slowly, and with a minority government in power, a vote of non-confidence in Parliament could trigger the election of a new government, which may prefer a different route.

Filed Under: Legislation, PIPEDA, Privacy, Privacy Commissioner of Canada

Ontario Launches Consultation Process on Privacy in the Private Sector

August 19, 2020 by Constantine Karbaliotis

It seems that the winds of change have come to the privacy landscape in Canada. Ontario’s provincial government announced on August 13, 2020 its intention to seek public input on ‘creating a legislative framework for privacy in the province’s private sector.’

Citing growing privacy concerns that have been amplified during the pandemic by increased reliance on data gathering and digital platforms, the consultation will focus on increasing transparency, enhancing consent and enshrining opt-ins for secondary uses of data, privacy protections for de-identified or derived data, a right to deletion or erasure, data portability, requirements for de-identification, and increasing the enforcement powers of Ontario’s privacy commissioners.


There are two notable areas for those who have been following Canadian privacy legislative reform. The first is the expansion of the framework to non-profit and non-commercial organizations, which would notably catch charities, trade unions, and political parties (significant in light of the concerns arising out of the Cambridge Analytica case, in which only British Columbia could assert any authority over political parties).

The second intriguing area is the notion of enabling data trusts, for data sharing. This concept became important during the abortive Sidewalk Labs project in Toronto, where data trusts emerged as a way to address the risks associated with the large-scale collection of data in the smart city project. The data trust became an important vehicle to address concerns over data sovereignty, and the policy objective of deriving public benefit from private data.

The significance of Canada’s largest province and economy undertaking privacy legislation should not be underestimated. Federal privacy law currently applies to commercial activities in Ontario. The only Ontario law recognized as substantially similar by the federal government is PHIPA, the Personal Health Information and Protection Act, which applies only to the protection of health data in the health sector. The federal law, PIPEDA, does not govern employee data except if the sector is directly under federal jurisdiction (such as banks and airlines), and that gap has become noticeable during the pandemic. And there is no legislation addressing the significant non-profit sector.

In addition to these points, Canada’s federal law is itself in a revision process to address the significant changes that have taken place since it was enacted over twenty years ago, and to rise to the challenge our legislative regime will undoubtedly face in retaining its adequacy status with the European Union under the GDPR. One critical factor for adequacy has always been that it is limited to data governed by PIPEDA, and the ‘elephant in the room’ has always been the significant amount of data and activities under provincial jurisdiction.

Another key factor in Ontario is the tabling of legislation in Quebec in June, introducing an explicitly GDPR-like framework. In my commentary on that, I wondered if this would affect or alter the course of the federal government’s proposed changes by ‘raising the game.’ Now with Ontario entering the discussion on the future of our privacy regime, it makes certain elements I raised previously more urgent to address:

  • Canadians, and the Canadian economy, are not well served by a patchwork of different laws. We have been fortunate that because of our principles-based laws, we have largely ended up at the same place in terms of privacy values and results. This is true even between Quebec, which is a civil law jurisdiction, and the ‘rest of Canada’, which is common law, and between provincial and federal levels. Canadian businesses should not face the challenges that our friends in the US do in trying to comply with inconsistent laws.
  • It is in the interests of consistency and business predictability that we maintain a common market focus in our data protection laws. GDPR itself has as its goal the free flow of data between EU member states. It is also worth noting that the IMF has estimated 4% of our GDP is ‘inhibited’ by internal trade barriers, an issue Canada’s Agreement on Internal Trade aims to address. We want to avoid creating new barriers to trade within Canada.
  • Again, we cannot neglect our adequacy discussions with the EU; and as I have pointed out before, data goes with the trade. The original reason for PIPEDA was to facilitate and maintain trade relationships with the EU, and now more than ever, with a devastating economic contraction, our trade relationships must be maintained and strengthened externally and internally. We want to ensure that the EU is confident in exchanging data with Canada, all of Canada, and the Schrems II decision (which Abigail and I have discussed here), undoubtedly signals that we have to rise to the challenge.
  • While we need to address the business elements in privacy reform, it is worth also noting that our legal and constitutional framework has increasingly recognized privacy as a human right, through the Supreme Court of Canada and other court decisions. The Canadian genius has always been to find the balance that supports business without sacrificing those intrinsic values. This consultation is an opportunity to ensure that we promote business interests in data-driven innovation without creating an economy of digital have-nots, and that the goals of supporting the economy are consistent with personal control over the uses of data.

What an exciting time to be in privacy in Canada! There is an opportunity now to influence the future, and to build a framework that provides an integrated and consistent approach from sea to sea to sea; one that supports both our desires to remain in control and supports our data-driven economy. Canada, Ontario and Quebec now have the opportunity to lead in re-establishing Canada as a global privacy leader, and to make privacy Canada’s competitive differentiator. The consultation closes on October 1, 2020.

Filed Under: Legislation, Ontario, Privacy

Quebec privacy reform: the business-friendly provisions

June 23, 2020 by Timothy M. Banks

Quebec’s proposed modernization of its private sector privacy legislation (Quebec Privacy Act) certainly contains a number of additional operationally burdensome demands on enterprises. However, the proposed amendments in Bill 64 contain several pragmatic, or even business-friendly, provisions. These provisions are not as headline grabbing as big administrative monetary penalties or the right to de-indexing / right to erasure. In this post, I review several of the pragmatic and business-friendly provisions that might otherwise be overlooked.

Business contact information is excluded

Section 93(3) of Bill 64 clarifies that the Quebec Privacy Act does not apply to personal information concerning the performance of duties within an enterprise by the individual, including the individual’s name, title, and duties, work address, work email address and work telephone number.

The exclusion of “org chart” and business contact information is entirely sensible and consistent with reasonable expectations. Moreover, Quebec has avoided overthinking this exception. The Quebec approach stands in contrast to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta’s Personal Information Protection Act. Under PIPEDA and Alberta PIPA, business contact information is only exempted to the extent it is being used for business contact purposes. That narrow exception is out of touch with reality and overly restrictive given the relative sensitivity of that information.

Data analytics are okay

The Quebec government appears to understand that modern businesses have a legitimate interest in conducting data analytics. Helpfully, section 102 of Bill 64 provides that consent is not required to de-identify data and use that data for research and the preparation of statistics. Moreover, the Quebec government has set a low and reasonable threshold for de-identification for these internal data analytics uses. Information is de-identified if it no longer allows the person concerned to be directly identified.

In section 111 of Bill 64, Quebec also proposes that an organization can retain data indefinitely if it is anonymized. The amendments clarify that information is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly. Information must be anonymized according to generally accepted best practices.

This statutory distinction between de-identification and anonymization is helpful. Moreover, the lower standard of de-identification for internal data analytics comports with business needs and balances the interests of individuals with those of the organizations they do business with.

Outsourcing is okay

The federal Privacy Commissioner has had a hard time coming to grips with how to handle outsourcing under PIPEDA. Unsatisfied with the accountability principle, Commissioner Therrien attempted a short-lived interpretation of PIPEDA that would have required consent to transfer personal information for processing. A hue and cry followed. This episode seems to have been a cautionary tale for those drafting the proposed amendments to the Quebec Privacy Act.

Section 107 of Bill 64 recognizes the reality of outsourcing and supply chains. No consent is required to transfer information to an agent or service provider, provided it is necessary to the performance of that agency or the outsourced services.

Moreover, Quebec has also helpfully clarified that a data processing agreement is required and provided guidance on its minimum content. This is an improvement over PIPEDA. Clause 4.1.3 of Schedule 1 to PIPEDA requires an organization to use contractual or other means to protect personal information when it is transferred to a third party. However, the vagueness of the wording has left privacy-minded organizations in uphill battles with some large SaaS service providers to get data processing agreements in place. The Quebec government is giving these customers a leg-up by requiring that transfers to agents and service providers must be documented in writing and must specify the measures the agent or service provider must take to protect the confidentiality of the information, to protect the information from unauthorized use, and to ensure the information is deleted after the expiry of the agency or service contract.

Moreover, Quebec is imposing direct obligations on the processor (the direct application of PIPEDA to processors is another contested area under PIPEDA). The agent or service provider must notify the client “without delay” of any violation or attempted violation of the obligation of confidentiality and allow for verification relating to confidentiality requirements.

These provisions should help take the wind out of arguments about whether a service provider needs to permit some kind of audit right. These provisions also clarify that service providers must notify their clients of security breaches – something altogether missed in PIPEDA. Unfortunately, the extension of notification requirements to “attempted violation” of confidentiality obligations is too broad. It will be interesting to see if this wording gets modified, since on any particular day, a SaaS provider fends off many, many “attempts”.

Commercial transactions

Quebec is taking steps to catch up with the rest of Canada regarding transfers of personal information as part of a commercial transaction. In section 107 of Bill 64, the Quebec government proposes amendments that permit the transfer of personal information as part of a commercial transaction without consent. The party transferring the personal information and the recipient must have an agreement in place that requires the recipient to use the information only for concluding the commercial transaction, to not further disclose the information, to protect the information, and to destroy the information if the transaction is not completed. If the transaction is completed, the recipient must notify the individual if the recipient wants to continue to be able to use the personal information.

Unfortunately, the definition of commercial transaction is limited to transfers of ownership of all or part of a business. However, this provision is likely to have mergers and acquisitions rejoicing that there is now at least a process for transferring personal information.

Most importantly, the Quebec government is not placing unnecessary restrictions on the use of this commercial transaction provision as is the case under PIPEDA. Under PIPEDA the exception to consent does not apply to a transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information. Quebec clearly understands that the most valuable asset a business might have is its customer list.

Conclusion

Bill 64 has a ways to go before becoming law. Any of these provisions could change in substantive and material ways. However, these more business-friendly provisions demonstrate that balancing privacy protections for individuals can be blended with pragmatic provisions that do not require over-reliance on consent in order to provide a framework for responsible business practices.

Filed Under: Legislation, Quebec

Quebec takes first step toward GDPR-style privacy legislation

June 22, 2020 by Constantine Karbaliotis

On June 12, 2020, Quebec tabled its proposed update to its public and private sector privacy laws, and it lives up to the promise of the “GDPR-style legislation” first announced this spring. There are a number of elements that echo other federal and provincial privacy laws in Canada, but there is a very strong European flavor. (Please note that Quebec follows a civil code legal system as opposed to its common law counterparts in the rest of Canada, and forthcoming guidance from Quebec lawyers will certainly be more definitive than this analysis. I am not a Quebec lawyer; this is intended only to provide a comparative view.)

Quebec was one of the first jurisdictions in North America to introduce a private sector privacy law (1993), but it has grown long in the tooth, with periodic challenges from Europe as to its adequacy. This legislation represents a significant update and may initiate a national conversation on privacy as the federal government has promised changes to the federal regime, as well. Given our competitive federal-provincial relationships, it may be optimistic, but one hopes for collaboration to ensure that one of the principal purposes behind the EU General Data Protection Regulation (the free flow of data within the EU) is mirrored within our own Canadian common market.

The tabled legislation updates a number of provincial laws, including those affecting the public sector; however, the focus here will be on the update to the “Act Respecting the Protection of Personal Information in the Private Sector.” The sections referred to below are to the proposed amendments.

The following sections reflect the amendment’s GDPR-like components:

  • Governance: There is a requirement to have a person in charge of personal information (Section 3.1), equivalent to a data protection officer, and privacy policies and framework for the protection of PI (Section 3.2). Section 81.2 provides for on-demand demonstration of compliance.
  • Enforcement: Quebec’s Commission may make an order to “take any measure to protect the rights of the persons concerned,” including an order for the return or destruction of any PI. Sanctions can be levied for failure to provide notice, collection or use of PI in contravention of the act, and failure to report a confidentiality incident (Section 90.1). The Commission can issue notices of noncompliance (Section 90.3) or administer a monetary penalty not exceeding $50,000 for an individual — but in all other cases, penalties may reach $25 million or, if greater, an amount corresponding to 4% of worldwide turnover for the previous year (Section 90.12) ($10 million and 2% respectively for administrative sanctions).
  • Legal grounds for processing: Section 4 requires a determination of the purposes for collecting PI, and Section 5 requires that only the information necessary for that purpose may be collected. Processing of PI without consent is permissible for the purposes of carrying out a contract (Section 18.3). PI concerning a minor under 14 may not be collected without consent of a parental authority unless clearly for a minor’s benefit.
  • Processors: An equivalent to Article 28 of the GDPR is found in Section 18.3(2), which provides for contractual requirements to ensure the confidentiality of PI, as well as limitations on use and retention.
  • Privacy impact assessment: Numerous PIA requirements are contemplated within the amendments. For instance, the introduction of technology for any information systems or electronic service delivery (Section 3.3) requires a PIA. Privacy by default is mandated (Section 9.1) to ensure the highest level of confidentiality by default without any intervention by the person concerned, and the PICOPI must be contacted before a project commences or may intervene to suggest privacy-enhancing measures. For transborder flows and incidents, formal risk assessments are also mandated (below).
  • Transborder data flows: An assessment is mandated if PI is communicated outside Quebec or is collected or used under the organization’s authority and must address sensitivity of PI, the purposes for its use, protections and — quite importantly — the legal framework applicable to the jurisdiction to which it is being communicated (Section 17). “Equivalence” must be established in this assessment to permit the transfer and may be based on a written agreement that addresses the results of the assessment. Interestingly, there will be a published list of jurisdictions deemed as equivalent (s. 17.1).
  • Individual rights: There are a number of rights set out, including the right upon collection or request that the individual be told in clear and simple language, the purposes and means for information collection (Section 8), and of their rights of access, rectification and withdrawal of consent. Section 8 also provides for notice if the information could be communicated outside Quebec. Anyone collecting PI from another enterprise must, at the request of the person concerned, inform the latter of the source of the information (Section 7). Other rights include data portability (Section 3.3) and the obligation in the case of marketing (“prospection”) to communicate to a person the identity of the party using the PI and the right to withdraw consent. Section 27 obligates organizations to confirm the existence of PI, communicate and provide a copy. Section 32 provides that an individual rights request must be addressed within 30 days.
  • Right to be forgotten: Section 28.1. provides for a right to be forgotten by deindexing any hyperlink attached to an individual’s name, where dissemination causes serious injury to reputation or privacy, and the injury is greater than the interest of the public in freedom of expression or public knowledge. Several detailed criteria are set out for this assessment.
  • Profiling: A concept introduced with this law and defined in Section 8.1 by reference to a person’s work performance, economic situation, health, personal preferences, interests or behaviour. It requires advance notice of the use of technology that creates a profile, as well as the means to deactivate that function, if available.
  • Automated processing: This is also defined (Section 12.1). Individuals must be informed of the PI being used to render a decision about them, the reasons and principal factors and their right to have the decision corrected.

The following elements of the amendments echo Canadian legal developments:

  • Notable is the breach section, which uses the term “serious injury” as the threshold, but in looking at the factors identified to determine that, it appears quite similar to the “reasonable risk of substantial risk of harm” test enunciated in Canada’s federal law (as with Alberta’s), including in the requirement to notify the Commission, the individual(s), and third parties who can reduce the risk. Section 3.6 defines a “confidentiality incident” as unauthorized access, use, loss or communication of PI. Section 3.7’s criteria for assessing serious injury include the sensitivity of the PI, the anticipated consequences, and the likelihood of injurious use. There is also a requirement to consult with the PICOPI. Section 3.8 also requires a register of confidentiality incidents, which echoes the federal requirement for a record of breaches of security safeguards.
  • Notice and consent provisions continue and amplify Quebec’s existing requirements. Quebec notably did not join the joint statement by the federal and provincial commissioners on informed and meaningful consent because these requirements already existed within Quebec’s law. Consent requests must be made separately from other information requests and “consent must be clear, free and informed” and must be expressed when it comes to sensitive PI (Section 14).
  • As with Alberta’s Personal Information Protection Act, there is an express obligation to destroy information no longer required for the purposes for which it was collected; this can be satisfied through anonymization (Section 23).

What I think is interesting or unique in Quebec’s law:

  • A “lessons learned” or remediation exercise for confidentiality incidents (Section 3.5) with the PICOPI’s input is mandated to prevent new incidents of the same nature.
  • There is an explicit law enforcement exemption for notification (Section 3.5) to avoid hampering investigations, which is reflected in some U.S. legislation but not Canadian; what is not addressed is how long this should last or how this should be balanced against notification.
  • Section 12 requires, as with GDPR in the case of reliance on legitimate interests, an articulation of the benefits to the individual in the case of secondary uses of information.
  • There has always been a category of “personal information agents” or data brokers. Going beyond data broker-type laws in the U.S., the amendments extend the data subject access rights to this category and impose further obligations on these agents (Section 74 and on). There is a clear retention period of seven years for any data held by PI agents.
  • As noted, transborder flows require a PIA under Section 17. What is interesting is how the “white list” of jurisdictions considered equivalent under Section 17.1 removes or reduces the assessment required to determine the equivalence test but leaves the PIA obligation.
  • Express protection is articulated in Section 81.1 that prohibits reprisals for someone bringing a complaint or cooperating in an investigation. This echoes the California Consumer Privacy Act in prohibiting discrimination but also presumably encompasses whistleblower protection for employees.

The legislation is of course not final, and timing is not certain given the ongoing pandemic, but given the great attention on the use of PI at this time, it seems that privacy reform is top-of-mind for the public, and therefore for legislators.

The author would like to thank René W. Vergé, lawyer at e-Risk.ca, for his welcome input as a member of the Quebec bar and Dustin Moores, lawyer at nNovation, for editing and comments.


Federal Update: Can the Government Push Through Legislative Reform?

May 14, 2019 by Timothy M. Banks

Prime Minister Justin Trudeau took the opportunity while he was attending a technology conference in Paris to announce that his government intends to unveil a “digital charter” soon. The digital charter will apparently hold social media companies to account and include potential monetary penalties. The 2019 Budget in March also mentioned cybersecurity legislation.

However, with four weeks left before the House of Commons starts its summer recess followed by a fall election, Prime Minister Trudeau is racing the clock to get anything new accomplished. There are a number of important Bills that remain before Parliament and that are at risk of dying on the order paper if the Trudeau government cannot get them passed before Parliament dissolves. Some of these Bills relate to 2015 election promises. Can the government get those Bills passed before getting distracted by the 2019 campaign?

Modernizing the Access to Information Act

During the 2015 election campaign, Prime Minister Trudeau promised to modernize Canada’s Access to Information Act. The government introduced Bill C-58 in June 2017. This legislation would be the first phase in overhauling the federal access to information regime. The Bill includes new powers for the Information Commissioner. If passed, the Commissioner would be able to make orders requiring government institutions to produce records sought by a requester or requiring the government institution to reconsider its decision. In the course of conducting an investigation of a complaint, the Commissioner would also be able to review records over which the government institution claimed privilege. The Commissioner could also begin publishing her orders.

Bill C-58 has passed the Senate, but the Senate made a number of significant amendments to the Bill. As a result, the Bill will be back before the House of Commons. Most of the amendments should not be controversial to the government. Indeed, some of the amendments, such as changes to the level of detail required in an access request, were recommended by the government itself. The one exception is the set of amendments to the provisions relating to judges. These amendments weaken the Bill because now only anonymized expenses for judges need to be disclosed; however, it would be surprising if this became a sticking point for the government.

Meaningful reform of the Access to Information Act is close. The Trudeau government will need to stay focused and not chase new policy initiatives in the waning days before the summer recess in order to get the job done.

National Security

Bill C-59, the National Security Act, was supposed to be the Liberal government’s attempt to make good on a campaign promise to overhaul Bill C-51, the Anti-terrorism Act, 2015, which had been passed by the former Conservative government. Concerns regarding security intelligence oversight and information sharing were heightened following a 2016 court decision that revealed unauthorized retention and use of metadata by the Canadian Security Intelligence Service; the metadata was collected and retained as a by-product of its investigations and subsequently mined for intelligence purposes. Bill C-59 would legitimize this type of data collection and use but would subject this data collection, retention and mining to greater oversight.

Even though Bill C-59 was introduced in June 2017, it has not yet been passed. On May 15, 2019, the Senate Standing Committee on National Security and Defence issued its Report and recommended four amendments to the Bill.

The first amendment has to do with the powers of the Intelligence Commissioner. The Intelligence Commissioner Act, which is part of Bill C-59, creates the role of the Intelligence Commissioner. Under section 13 of the Act, the Intelligence Commissioner has an obligation to review, among other things, the basis on which a foreign intelligence authorization is issued by the Minister of National Defence. A foreign intelligence authorization could permit the Canadian Security Establishment to hack and disrupt global information infrastructure. If the Commissioner found the basis for the authorization to be reasonable, the Commissioner could approve it. The Senate Committee proposes an amendment to permit the Commissioner to require the Minister to reconsider the authorization if the Commissioner concludes that the basis for the authorization was unreasonable.

Bill C-59 would also amend the Criminal Code with respect to certain terrorist-related offences. The Senate Committee recommended changes to broaden what would be covered by the offence of “counselling commission of a terrorist-related offence”, to clarify that the offence does not require that the offence actually be committed or that the person counselling the offence even know the person being encouraged to engage in terrorism.

The Senate Committee also wants to shorten the timeframe for when the government would be required to review the new legislation enacted under Bill C-59. The government was to review the legislation in 6 years. The Senate wants that reduced to 4 years. Finally, the Senate Committee wants Ministerial Directions with respect to avoiding complicity in mistreatment by foreign entities to be scheduled to the Act.

The Senate must still accept and vote on the amendments proposed by the Committee. If approved, Bill C-59 will have to make its way back to the House of Commons and find its way back onto a busy legislative agenda.

National Cybersecurity Standards

In a surprise announcement on December 14, 2018, Public Safety and Emergency Preparedness Minister Ralph Goodale told an audience at the Empire Club that federal regulation on cybersecurity would be imminent. The Minister is reported to have suggested that the government would be introducing new legislation to lay out corporate and business responsibilities to prevent cyber attacks.

On March 19, 2019 the Federal Budget revealed that the Government intends to propose new legislation and make necessary amendments to existing federal legislation in order to introduce a new critical cyber systems framework. The mammoth omnibus Bill C-97 that would implement many of the budget measures did not contain any specific cyber security provisions.

Will the cybersecurity strategy be folded into the “digital charter” that Prime Minister Trudeau hinted at? If legislation is coming, there doesn’t seem to be much time to get anything done before the summer break.

New Digital Charter – Spin or Substance?

The federal Privacy Commissioner, Daniel Therrien, has been a vocal critic of the government for failing to provide his office with more powers. Indeed, recently the Commissioner highlighted deficiencies in his powers when he released a Report of Findings with respect to Facebook and the “thisisyourdigitallife” app that was part of the Cambridge Analytica scandal. We’ll have to wait to see what the “digital charter” involves. But, for the moment, it looks like this might well just be spin. This close to the end of the government’s first term, it is hard to believe that we would see any significant new legislation enacted. More consultation, anyone?

