The Faculty’s Privacy and Cybersecurity Law Group Discusses PIPEDA Reform

Natasha Burman

Experts weigh in on potential changes to Canadian privacy law

On November 12, the Faculty’s Privacy and Cybersecurity Law Group (PCLG) held the second event in their Digital Discussion Series: a panel discussion on potential reforms of The Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is Canada’s private-sector privacy legislation that governs the collection, use, and disclosure of personal information in the course of commercial activities.

The panel was moderated by Professor Lisa Austin and featured four accomplished industry professionals: Louisa Garib (legal counsel at the Office of the Privacy Commissioner of Canada (OPC)), David Fraser (partner at McInnes Cooper), Brenda McPhail (Director of the Canadian Civil Liberties Association’s Privacy, Technology, and Surveillance Project), and Holly Shonaman (Chief Privacy Officer at RBC).

Prof. Austin asked about the “daily life of the PIPEDA” and solicited the panelists’ opinions on which critical areas of PIPEDA need to be reformed. The panelists were also asked about the biggest PIPEDA-related issues facing their clients or organizations, and how they would potentially structure a new PIPEDA.

Some of the panelists wished to see Canada move away from the consent-based administration of PIPEDA. Others sought clarity on how minors are impacted by the legislation, and the point at which children are able to provide informed consent. Further, one panelist took the position that PIPEDA and the OPC ought to become a more independent regime in order to effectively seek justice against those who violate the privacy rights of individuals. Following the moderated discussion, audience members raised questions around the technological neutrality of the legislation, the government’s COVID-19 contact tracing app, and the tension between privacy and competition law. 

Sophie Barnett (3L) and Madeleine Gottesman (4L JD/MBA) started the PCLG to allow students to engage in questions around privacy and cybersecurity. The co-founders first learned about PIPEDA in Prof. Austin’s Data Governance class last year. After rotating through the privacy groups at their firms this summer, they gained an appreciation for how clients may struggle to navigate their data protection obligations. Barnett and Gottesman commented, “we realized that although PIPEDA’s need for reform has long been accepted, what is less discussed is what the new PIPEDA should look like. We thought it would be interesting to hear from different stakeholders on what they think is likely to happen and what they wish to see.”

The event was timely as Bill C-11 underwent its first reading at the House of Commons on November 17. Bill C-11 introduces two statutes: the Consumer Privacy Protection Act (CPPA), to replace the PIPEDA, and the Personal Information and Data Protection Tribunal Act, to establish an administrative tribunal to hear appeals of certain decisions by the Privacy Commissioner.

Prof. Austin believes the most important aspects of the PIPEDA reform are the provisions regarding order-making powers, penalties and fines, and the establishment of a Data Protection Tribunal. The reform has the potential to change the landscape of privacy law in Canada, and she highlighted four key areas to watch as the Bill moves through the House of Commons.

First, there is a new major exception for consent under s.18(1) of Bill C-11 if the collection or use of the personal information is “made for a business activity.” Prof. Austin generally supports the move away from relying upon an idea of implied consent for some of the listed activities. However, she worries the exceptions may catch too many activities within their scope. Under s.18(2)(e) for example, an activity “in the course of which obtaining the individual’s consent would be impractical because the organization does not have a direct relationship with the individual” would be characterized as a “business activity” that falls under s.18(1)’s exception.

Second, there is an exception for consent under s. 39 where personal information is disclosed to some kinds of organizations for a “socially beneficial purpose,” with a requirement that the information is de-identified. While this may be beneficial for activities such as university research, Prof. Austin believes the provisions as drafted still raise a lot of questions and require more scrutiny. 

Third, there is a newly added definition of “de-identify.” Bill C-11 proposes that de-identify means “to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual, or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual,” per section 2. 

While the move towards de-identification is welcome, Prof. Austin believes that the definition as drafted still relies too heavily on the idea of modifying personal information rather than including other methods that focus on access, like trusted computing environments or privacy-protective methods of analysis.

Finally, the proposed law may make it easier to establish data governance models like data trusts. However, much remains to be seen as the work involved will happen largely through regulations.

These four aspects are just a few highlights of the proposed law discussed by Prof. Austin. Undoubtedly, Bill C-11 has the potential to drastically alter privacy law in Canada and the balance of individual privacy rights against commercial interests.

To stay updated on privacy and cybersecurity issues, Barnett and Gottesman recommend joining the PCLG’s Facebook group, where members share interesting articles and “geek out” over current events. They also suggest taking advantage of the many opportunities available at the Faculty, including courses like Data Governance, Governance of Artificial Intelligence, and the externship at the Citizen Lab. For those in the JD/MBA program, there may be opportunities to work with cyber or privacy startups through the Creative Destruction Lab. Joining the Canadian Bar Association’s Privacy and Access to Information Section is also a good way to receive the latest privacy news. 

In the meantime, the PCLG intends to host more events in its Digital Discussion Series and has partnered with the Legal Hackers club to host a privacy and cybersecurity focused legal hackathon in 2021. 

Editor’s Note: Natasha Burman is an executive member of the PCLG.
