nNovation LLP

Small Canadian regulatory law firm with a big presence

Privacy

The Digital Charter Implementation Act: A Clear Plan for Change

by Leave a Comment

The Canadian government tabled draft legislation on November 17 that would make significant changes to the federal private sector privacy landscape. Bill C-11, the Digital Charter Implementation Act (DCIA), would replace Part 1 of the Personal Information Protection and Electronic Documents Act with the Consumer Privacy Protection Act (CPPA), create the Personal Information and Data Protection Tribunal Act (PIDPTA), and make minor amendments to several other laws.

The CPPA encapsulates the most fundamental aspects of Part 1 of PIPEDA, as it remains focused on providing individuals with control over how their personal information is collected, used and disclosed by organizations in the course of commercial activity. However, there are several important changes in both form and substance.

First, federal privacy law would exist in a standalone act, no longer bound to other, unrelated parts dealing with electronic documents. And, although the CPPA remains rooted in the ten privacy principles, unlike PIPEDA, it does not incorporate wholesale and build on the Canadian Standards Association Model Code for the Protection of Personal Information (which was an unusual way to draft a law).

In terms of substance, here are some of the most important changes:

  • Privacy management program. Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect personal information, deal with privacy complaints, train personnel, and develop materials to explain an organization’s policies, practices and procedures. The Office of the Privacy Commissioner (OPC) would be authorized to demand access to these policies at any time.
  • Appropriateness. The CPPA incorporates and builds on the “reasonable purposes” clause of PIPEDA with a more comprehensive standard for when it is appropriate to process personal information.
  • Exceptions for business activities. The CPPA defines a list of “business activities” for which an organization can process personal information without consent.
  • Transfers to service providers. The CPPA would firmly establish that knowledge and consent are not required to transfer personal information to a service provider. It also helpfully clarifies when an organization is considered to have control over personal information.
  • De-identified information. The CPPA defines circumstances in which de-identified information can be processed.
  • Automated decision-making. If an organization uses an “automated decision system” to make a prediction, recommendation or decision about a person, the organization would be required to, on request, explain the prediction, recommendation or decision, and how the personal information used to make the prediction, recommendation or decision was obtained.
  • Data mobility. Individuals would have the right to transfer their data between organizations if those organizations are subject to a “data mobility framework” defined in regulation.
  • Disposal of data: The CPPA would provide individuals with an explicit right to request the deletion of their personal information.
  • Revised OPC powers. The OPC would have the authority to make orders requiring compliance with the Act and to recommend penalties.
  • Tribunal. The new Personal Information and Data Protection Tribunal would hear appeals from OPC orders. It would also have the ability to impose penalties, if recommended by the OPC.
  • Penalties. The CPPA provides  for maximum penalties of up to 3% of global revenue or C$10 million for most contraventions, and up to 5% of global revenue or C$25 million for certain offences.
  • Codes of practice and certification. The CPPA would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.
  • Private right of action. Individuals affected by contraventions of the law would have a right to sue for actual damages suffered. This right would only be available following an OPC finding that a contravention had occurred, which is not successfully appealed to the tribunal.

The DCIA would create the most significant change in Canadian privacy legislation in 20 years, aligning federal private sector privacy law – which applies throughout the country except in Alberta, British Columbia and Quebec – more closely with the EU General Data Protection Regulation. However, Bill C-11 still has a long road to travel before it becomes law, which is far from certain. The federal legislative process tends to move very slowly, and with a minority government in power, a vote of non-confidence in Parliament could trigger the election of a new government, which may prefer a different route.

Ontario Launches Consultation Process on Privacy in the Private Sector

by Leave a Comment

It seems that the winds of change have come to the privacy landscape in Canada. Ontario’s provincial government announced on August 13, 2020 its intention to seek public input on ‘creating a legislative framework for privacy in the province’s private sector.’

Citing growing privacy concerns that have been amplified during the pandemic by increased reliance on data gathering and digital platforms, the consultation will focus on increasing transparency, enhancing consent and enshrining opt-ins for secondary uses of data, privacy protections for de-identified or derived data, a right to deletion or erasure, data portability, requirements for de-identification, and increasing the enforcement powers of Ontario’s privacy commissioners.


There are two notable areas for those who have been following Canadian privacy legislative reform. The first includes the expansion to the non-profit and non-commercial organizations, which would notably catch charities, trade unions, and political parties (significant in light of the concerns arising out of the Cambridge Analytica case, in which only British Columbia could assert any authority over political parties).

The second intriguing area is the notion of enabling data trusts, for data sharing. This concept became important during the abortive Sidewalk Labs project in Toronto, where data trusts emerged as a way to address the risks associated with the large-scale collection of data in the smart city project. The data trust became an important vehicle to address concerns over data sovereignty, and the policy objective of deriving public benefit from private data.

The significance of Canada’s largest province and economy undertaking privacy legislation should not be underestimated. Federal privacy law currently applies to commercial activities in Ontario. The only Ontario law recognized as substantially similar by the federal government is PHIPA, the Personal Health Information and Protection Act, which applies only to the protection of health data in the health sector. The federal law, PIPEDA, does not govern employee data except if the sector is directly under federal jurisdiction (such as banks and airlines), and that gap has become noticeable during the pandemic. And there is no legislation addressing the significant non-profit sector.

In addition to these points, Canada’s federal law is in a revision process itself to address the significant changes that have taken place since it was enacted over twenty years ago, and to rise to the challenge our legislative regime will undoubtedly have to retain its adequacy status with the European Union under GDPR. One critical factor for adequacy has always been the limitation of it being to data governed by PIPEDA, and the ‘elephant in the room’ has always been the significant amount of data and activities under provincial jurisdiction.

Another key factor in Ontario is the tabling of legislation in Quebec in June, introducing an explicitly GDPR-like framework. In my commentary on that, I wondered if this would affect or alter the course of the federal government’s proposed changes by ‘raising the game.’ Now with Ontario entering the discussion on the future of our privacy regime, it makes certain elements I raised previously more urgent to address:

  • Canadians, and the Canadian economy, are not well served by a patchwork of different laws. We have been fortunate that because of our principles-based laws, we have largely ended up at the same place in terms of privacy values and results. This is true even between Quebec, which is a civil law jurisdiction, and the ‘rest of Canada’, which is common law, and between provincial and federal levels. Canadian businesses should not face the challenges that our friends in the US do in trying to comply with inconsistent laws.
  • It is in the interests of consistency and business predictability that we maintain a common market focus in our data protection laws.  GDPR itself has as its goal the free flow of data between EU member states. It is also worth noting the IMF has estimated 4 % of our GDP is ‘inhibited’ by internal trade barriers, an issue Canada’s Agreement on Internal Trade aims to address We want to avoid creating new barriers to trade within Canada.
  • Again, we cannot neglect our adequacy discussions with the EU; and as I have pointed out before, data goes with the trade. The original reason for PIPEDA was to facilitate and maintain trade relationships with the EU, and now more than ever, with a devastating economic contraction, our trade relationships must be maintained and strengthened externally and internally. We want to ensure that the EU is confident in exchanging data with Canada, all of Canada, and the Schrems II decision (which Abigail and I have discussed here), undoubtedly signals that we have to rise to the challenge.
  • While we need to address the business elements in privacy reform, it is worth also noting that our legal and constitutional framework had increasingly recognized privacy as a human right, through the Supreme Court of Canada and other court decisions. The Canadian genius has always been to find that balance, that supports business without sacrifice of those intrinsic values. This consultation is an opportunity to ensure that we promote business interests in data-driven innovation without creating an economy of digital have-nots, and that the goals of supporting the economy are consistent with personal control over the uses of data.

What an exciting time to be in privacy in Canada! There is an opportunity now to influence the future, and to build a framework that provides an integrated and consistent approach from sea to sea to sea; one that supports both our desires to remain in control and supports our data-driven economy. Canada, Ontario and Quebec now have the opportunity to lead in re-establishing Canada as a global privacy leader, and to make privacy Canada’s competitive differentiator. The consultation closes on October 1, 2020.

Facebook’s $9M Settlement with Canada’s Competition Bureau makes history

by Leave a Comment

Following Facebook’s challenge to the Office of the Privacy Commissioner (OPC) report arising from the Cambridge Analytica scandal, the fall-out for Facebook in Canada continues. While not at the scale of fines faced in the US and elsewhere, the involvement of a non-traditional regulator for privacy sends several signals to Canadian and multinational organizations.

In a news release today from the Competition Bureau Canada, Facebook has agreed to pay a penalty of $9 million to settle the Bureau’s investigation into Facebook’s privacy practices. (according to the press release – at this writing the settlement is not yet available from the Competition Tribunal).

The Bureau’s investigation concluded that Facebook had given the impression that users could control who could see and access their data, without limiting the sharing of users’ personal information with third-party developers. Further, third party developers could also access users’ friends’ personal information after users installed third-party applications.

The Bureau’s jurisdiction is based on the prohibition against false or misleading claims about products or services under the Competition Act. This is quite similar to section 5 of the US Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce“, and is commonly applied by the US Federal Trade Commission to enforce so-called “privacy promises”.

This is new territory for Canada, however. Given the OPC’s challenges enforcing the Personal Information Protection and Electronic Documents Act (PIPEDA), this settlement is a watershed in that privacy-related matters could increasingly be subject to oversight by a regulator who has significant enforcement powers.

The interaction with the OPC’s own enforcement, which its first application to the Federal Court to seek remedies against Facebook, deserves comment. The remedies being sought by the OPC mirrors some of the remedies obtained by the Competition Bureau, by requiring Facebook to cease making these representations. If the Competition Bureau’s enforcement reflects synchronization with the OPC’s views, as an expert tribunal, and particularly with the Guidelines for obtaining meaningful consent, jointly developed by the OPC and both British Columbia’s and Alberta’s Commissioners, then this enforcement action has suddenly put teeth into those guidelines and the privacy commissioners’ views.  It also raises the question of what the Facebook’s Federal Court application to set aside the OPC’s report is intended to accomplish, given what it has now agreed to.

Another observation to be drawn arises from the ‘non-traditional’ regulator; increasingly in Canada, other regulators are stepping into the privacy fray. Some examples: The Office of the Superintendent of Financial Institutions (OSFI), which supervises Canada’s federally regulated financial institutions, issued a notice requirement in January 2019 for cyber and privacy breaches. IIROC, the Investment Industry Regulatory Organization of Canada also issued a rule in November 2019 to require mandatory reporting of cybersecurity incidents. And the Ontario Energy Board which governs utilities in Ontario, has for several years had cybersecurity and privacy obligations made a requirement of licensing.

While it is natural that specialized regulators have a vested interest in the security and privacy given their roles in regulating markets and ensuring stability, it represents a risk of a patch work approach to privacy unless the principles upon which regulation is based are consistent. 

The Government’s Digital Charter, announced in May last year, is intended to not only chart a course for PIPEDA reform, but also is intended to provide a framework and direction for consistency with the provinces and regulatory agencies. With the COVID-19 crisis still underway, it is uncertain when reform will come, but the Competition Bureau settlement suggests that the enforcement of privacy obligations in Canada is still evolving.

Data Localization: An Exercise in Futility?

by Leave a Comment

Last week I presented on data localization at the IAPP Canada Privacy Symposium 2019 (my slides are here).

There are a mix of laws (BC and Nova Scotia), formal policies (federal, New Brunswick and Manitoba), in addition to other, less formal policies and practices among public bodies that restrict the flows of personal information beyond the borders of Canada. Although there are a few reasons for data localization requirements around the world, Canadian restrictions arose largely because of concerns about exposure to U.S. law enforcement agencies due to the changes to the Foreign Intelligence Surveillance Act (FISA) by the USA Patriot Act. This, of course, limits the ability of public bodies to use cloud-based and other service providers.

My view is that these restrictions are based on a few fundamental misconceptions: 1) FISA poses a meaningful threat to the privacy of Canadians (it does not); and 2) keeping data physically located in Canada eliminates this threat (it does not). For the most part, keeping the data physically located in Canada does nothing to insulate it from foreign demands for disclosure if the service provider is based in a foreign jurisdiction. However, in most cases, most of the time, personal information is still more secure if it is processed by a competent cloud-based service provider, regardless of its location.

The session generated quite a bit of discussion, although I expected more people to disagree with my position (a good portion of the room was filled with government employees and service providers who were frustrated by the restrictions). Interestingly, during another Symposium session, former Information and Privacy Commissioner for British Columbia David Loukidelis stated that the proliferation of data localization requirements throughout Canada is a concerning policy development. This is notable because Loukidelis conducted a seminal study on the Patriot Act in 2004 which contributed to the first legal data localization requirement being passed in B.C.

Why the Privacy Commissioner’s New Position on Transborder Dataflows Doesn’t Work

by Leave a Comment

The Office of the Privacy Commissioner (OPC) has, at least tentatively, revised its position on transborder data flows (TBDF). In a consultation published last month, the OPC claims that consent is now required for TBDF (consent must even be “express” in some cases). It also appears that the OPC is attempting to rewrite the Personal Information Protection and Electronic Documents Act (PIPEDA) by claiming that a “transfer” of personal information by an organization to a third-party service provider for processing is a “disclosure”.

Stakeholders are concerned; in fact, the TBDF Consultation has had the rare distinction of aligning privacy advocates and industry stakeholders on the same side of an issue (Michael Geist describes the OPC’s approach as “a dramatic reinterpretation of the law”).

Although there are practical reasons why the OPC’s new position will cause big challenges – it’s a prime example of a solution in search of a problem – I take a more conceptual approach here to explain why the new guidance doesn’t make sense from a legal perspective.

A transfer is not a disclosure

A transfer of personal information to a third-party service provider for processing under PIPEDA has, since at least 2009, been considered a “use” by the OPC under PIPEDA, not a disclosure. This is the case regardless of where the service provider is located.

Leaving aside for the moment whether a transfer is even a use, there’s a good reason why a transfer is not a disclosure. Principle 4.1.3 of Schedule 1 to PIPEDA states that “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” In The Personal Information Protection and Electronic Documents Act: An Annotated Guide, the authors provide the following commentary on Principle 4.1.3:

Clause 4.1.3 is important because it is the only area in the Act where transborder dataflow issues are addressed….The concept of custody and transfer is an important one, as opposed to disclosure, because when an organization discloses information, it must assure itself that it has the right to disclose, and once that is fulfilled and the disclosure has taken place securely, its responsibility is at an end.

However, if the information has been transferred for processing of any kind, and the organization expects to maintain an interest in the data, it retains responsibility and must use contractual or other means to provide a comparable level of protection[emphasis added].

This clearly explains why it doesn’t make sense to call a transfer a disclosure, as it misconstrues the meaning of a disclosure under PIPEDA. Once an organization discloses personal information, it is no longer accountable for the personal information that has been transferred. In other words, you can’t say that an organization has disclosed personal information, while at the same time claim that it is still has an interest in and remains accountable for that information.

The Annotated Guide, which was published in 2001 just after PIPEDA began coming into effect, carries considerable weight given that two of its four authors were directly involved in drafting and developing PIPEDA (Heather Black and Stephanie Perrin were at Justice Canada and Industry Canada, respectively). In the early years of PIPEDA this book was one of very few meaningful resources available.

If the OPC insists on calling a transfer a disclosure, it suggests that organizations somehow remain accountable for personal information post-disclosure in some cases, but not in others. To attempt to distinguish these cases based merely on the fact that a transfer occurs across borders is an arbitrary legal fiction.

But a transfer is a use, right? (No, it’s not)

While the authors of the Annotated Guide were clear that a transfer is not a disclosure under PIPEDA, they also did not state that a transfer is a use. This interpretation appears to come from the OPC. Guidelines on TBDF published back in 2009 state the following: “A “Transfer” is a use by the organization. It is not to be confused with a disclosure.

Referring to a transfer as a use avoids the issue of trying to create post-disclosure accountability for personal information, but it is also a strained interpretation that comes with its own conceptual problems.

In defining authority for the collection, use and disclosure of personal information, privacy legislation in Canada (in all sectors) focusses on “purposes”. The default rule under PIPEDA is that consent is required for the collection, use, or disclosure of personal information for most purposes, with narrowly defined exceptions for others. When obtaining consent, organizations must explain the purposes for which personal information is collected, used or disclosed, and limit collection, use and disclosure to personal information reasonably required for those purposes.

Public sector (and, to a slightly lesser extent, health information) privacy laws focus less on consent, and more on defining in legislation the specific purposes for which personal information can be collected, used and disclosed.

A transfer, as that concept is understood in Principle 4.1.3, is not a use in and of itself. Organizations do not collect personal information for the purpose of transferring it. They collect and use personal information for things like processing payments, delivering products and services, email marketing, profiling and tailoring ads and marketing campaigns to consumers, paying employees, etc. A transfer to a service provider is merely a product of decision by an organization about how to process personal information for those purposes. In other words, as a process to carry out a purpose, a transfer is a means to an end.

The Federal Court of Appeal acknowledged this distinction between process and purpose in 2017 in Toronto Real Estate Board (TREB) v. Commissioner of Competition. In determining the rights of brokerages to publish information about property listings on “Virtual Office Websites”, or “VOWs”, the court considered language in Ontario real estate listing agreements that provides real estate boards and brokerages with consent to “make….use of the information as the Brokerage and/or real estate board(s) deem appropriate, in connection with the listing, marketing and selling of real estate during the term of the listing and thereafter.” TREB attempted to argue that this did not allow for the distribution of listing information through VOWs, because it was a new method of distribution not explicitly mentioned in the listing agreement. The court rejected this argument, stating that

PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet….does not accord with the unequivocal language of the consent [para. 165].

Thus, the Federal Court of Appeal recognized that if an organization has consent to use personal information for a given purpose, it does not also require consent for the particular process(es) of how that purpose is carried out.

The OPC had it right the first time

In the well-known 2005 CIBC case summary, the OPC found that CIBC did not require consent to use foreign-based third party service providers, but that organizations should notify consumers that outsourcing arrangements could make personal information vulnerable to foreign demands for disclosure. It also reminded organizations of the requirement under the Accountability Principle to have appropriate measures in place to ensure the protection of personal information when outsourcing, regardless of the location of service providers. The OPC got it right in this case because it did not refer to the transfer as a use (or a disclosure).

The OPC’s new position, for the time being, would appear to only target transfers across borders. However, while some people may be uncomfortable about having their personal information processed in another country, according to the law, a transfer remains a transfer regardless of where the processing takes place. In other words, there is nothing substantively different about a transfer across borders that turns the transfer into a use, or disclosure, therefore triggering consent requirements.

It may be tempting to cede the point that a transfer is either a use or disclosure, so long as the OPC agrees that implied consent is acceptable (and surely it would need to be, especially given the Supreme Court’s broad interpretation of implied consent in RBC. v. Trang). However, for the many privacy professionals who need to interpret, understand and explain the meaning of privacy legislation to their clients on a daily basis, precision matters. Agreeing to twist legal concepts to settle the matter of the day will only cause bigger headaches down the road. If the OPC really wants to be able to tell organizations that they need consent for transfers of personal information, under any circumstance, it needs to convince the government to change the law.

(Edit: The Commissioner announced on May 22 that the OPC’s TBDF consultation “in its current form” has been “paused” following the announcement of the Digital Charter by Innovation, Science and Economic Development Canada).