Canada Introduces New Privacy Legislation: Consumer Privacy Protection Act

The Canadian government is introducing new privacy legislation. It is known as the Consumer Privacy Protection Act (CPPA), tabled as part of Bill C-11.

Do you remember the Cambridge Analytica Facebook scandal? The beginnings of that scandal already seem like ancient history, especially after the dumpster fire that has been 2020, where two months ago feels like an eternity. Still, for political watchers and privacy observers alike, the details are probably easy to recall. A data analytics company, Cambridge Analytica, harvested the personal information of millions of Facebook users through a third-party app and put that data to work for both the Donald Trump campaign and the Brexit movement. The scandal set off multiple debates: what power should social media wield, and should there be tighter rules around what companies can collect on people? If you can believe it, some of our coverage of this dates back to 2018.

While the scandal centered largely around US and British politics, it also affected Canada in a pretty fundamental way. Back then, Canada still carried a general reputation as a world leader on privacy law. Even in 2017, it was a rather impressive thing to behold: a country that has “privacy commissioners” who are able to investigate companies and individuals and find evidence of wrongdoing. Indeed, back then, it was something of a novelty that a country cared deeply enough about personal privacy that it was willing to appoint people to safeguard people’s personal information. Sure, for some, this might seem like placing too much importance on something as “trivial” as personal privacy, but it was hard to disagree with such an arrangement.

With all that prestige, 2018 would prove to be the year that Canada’s privacy rules got put to the test. At the time, a privacy case didn’t get much more high profile than the Cambridge Analytica/Facebook story. The federal and BC privacy commissioners launched a joint investigation in 2018, but it was not until 2019 that they released their findings. If a year-long wait for findings seems like a long time, in reality it felt like an even bigger eternity. Other countries were already handing out fines, with the US FTC’s going all the way up to $5 billion USD. As we heard story after story about other countries fining Facebook, Canadian regulators stayed rather mum about the whole affair up to that point.

Supporters of the commissioners could easily argue at the time that a proper investigation needs plenty of time. After all, haste makes waste, right? Indeed, the commissioners did eventually find that Facebook had contravened Canadian privacy law, and the federal commissioner took Facebook to Federal Court over it. Well, as we pointed out in our report at the time, Facebook simply responded by saying that it disputes the findings. In short, Facebook told regulators, “Bite me”.

While that seems like a flippant move inviting trouble, in this case, that move effectively killed Canada’s efforts to hold Facebook and Cambridge Analytica accountable under the current privacy laws. People defending the commissioners point out that the power of the pen can be quite potent in a commissioner’s hands: it can shame companies into complying with the law. That probably worked in the past with other companies, but when it ran up against a company like Facebook, the laws and their enforcement folded like a cheap lawn chair. Perhaps the most embarrassing aspect of it all is that it happened with such a high profile company during such a high profile scandal. The weaknesses in Canada’s privacy regime were laid bare for all to see.

For those less familiar with the Canadian laws, you might be wondering, “well, what about fines?” Guess what? Under the current law, the commissioners wield no real power. They can’t issue binding orders, they can’t fine companies, and they can’t penalize companies in any significant way. They can certainly pen a letter and a report, but their powers boil down to “stop, or I’ll say stop again!” or “Don’t do that again or I’ll wag my finger even harder at you!”

On top of the aforementioned multi-billion dollar fine coming from the US, Europe’s GDPR came into force in May 2018, right in the middle of all of this. It took one scandal and a mere two years for Canada to go from a nation with strong privacy laws to a country lagging behind virtually everyone from a privacy enforcement perspective. For privacy observers, 2017-2019 should have been a very humbling experience, because Canada was quickly becoming the laughing stock of the world on this front.

Unsurprisingly, this caused many to raise serious questions about Canadian privacy laws. Even though 2019 was a federal election year, privacy got shockingly little coverage. When the question was finally raised during one of the debates, the answer wound up being unanimous: every party supports strengthening Canadian privacy laws. Yet, ever since then, the topic hasn’t really come up much.

Now, it appears that this might finally be changing. Michael Geist is noting that the Canadian government is tabling privacy law reforms. From Geist’s analysis:

It may be odd to start with how the law is enforced, but the CPPA’s biggest changes seek to address the fundamental flaw in the current law, namely the weak enforcement model. The bill proposes several key changes to address enforcement. First, the Privacy Commissioner of Canada will have order making power that will enable the office to order compliance with the law and to recommend significant penalties for failure to do so. The lack of order making power – the commissioner has long been limited to non-binding findings – has been a critical legal shortcoming.

Second, the order making power comes with the ability to recommend penalties that in some cases are the highest in the G7. The potential penalties for contravening the law are “the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.” Moreover, there are even tougher penalties in cases of violations for failing to comply with some of the security breach disclosure rules, data retention requirements, identifying someone using de-identified data (except in limited circumstances), or sanctioning a whistleblower. In those circumstances, the penalties can reach $25,000,000 or 5% of the organization’s gross global revenue.

Third, these penalties will be levied by a new Personal Information and Data Protection Tribunal. The Tribunal, which will feature between three and six members, will hear appeals of Privacy Commissioner of Canada orders. The hearings will be public and the decisions will also be made public. The Tribunal may impose penalties, including overruling the Privacy Commissioner’s order on penalties (in other words, it can increase or decrease penalties).

Fourth, the law also includes whistleblower provisions that protect employees that disclose alleged privacy non-compliance to the Privacy Commissioner of Canada. The Privacy Commissioner must keep the identity of the whistleblower secret and the employer is prohibited from sanctioning or penalizing the employee for having disclosed the concern.

Fifth, the law features a private right of action that will allow individuals to seek damages for loss or injury suffered due to a privacy violation. The private right of action is triggered once the Privacy Commissioner has made a finding of contravention of the law (in other words, individuals must first file a complaint with the commissioner) and the finding is either not appealed to the Tribunal or the Tribunal upholds the ruling. The action must be brought within two years of the rulings.

This excerpt certainly paints the new law in an extremely positive light. After all, the lack of enforcement powers was the Achilles heel of the investigation into Facebook and Cambridge Analytica. Facebook basically proved that the era of public shaming being enough to change behaviour is over. In the process, Facebook also proved that the laws are essentially toothless without penalties. The enforcement powers described here suggest that this glaring hole in the law is finally getting fixed. Once again, it took way too long to get here, but it shows that Canada has finally decided to start catching up to other countries on this file.

While the news appears to be great news on the surface, skepticism started appearing shortly after. From a later posting from Geist:

The CPPA features many exceptions to the general principle of mandating consent for the collection, use and disclosure of personal information. Of particular concern is Section 18, which covers “business activities”. The provision states:

An organization may collect or use an individual’s personal information without their knowledge or
consent if the collection or use is made for a business activity described in subsection (2) and
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

In other words, no knowledge or consent is required for certain data collection categorized as business activities. What is covered? While most of subsection (2) is devoted to network security, safety or delivery of a service, (2)(e) covers:

an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual

It is one thing to cover direct activities arising out of a relationship between an individual and a commercial organization. But to cover activities with no direct relationship? That would seemingly invite all sorts of problems, not the least of which includes online tracking activities where the bill would potentially remove the need for knowledge or consent.

The concerns about exceptions do not end there given lingering concerns about how existing exceptions have been used by law enforcement and some companies with respect to personal information. This will be a big issue for both business and privacy groups.

In addition to that, political parties are left outside the scope of the law entirely:

Privacy legislation always involves some measure of balance, particularly federal legislation that must be constitutionally grounded in commercial activities. Once hearings begin on the bill, it is likely that many will argue that the bill misses the mark in how it strikes the balance. Business groups will argue – as they have in the past – that there are significant costs and new compliance uncertainty with a law that is broadly applicable to all commercial organizations. Further, the private right of action is sure to face opposition, much as it did with Canada’s anti-spam legislation.

Meanwhile, privacy groups will lament the missed opportunities to bring political parties into the scope of Canadian privacy law, toughen consent provisions, address the right to be forgotten, add data localization rules, and expand protections against data misuse.

Beyond the specific provisions, there is the purpose of the law itself. While the government has added references to cross-border data dimensions, the law remains a commercial privacy law (as noted, arguably for constitutional reasons). Yet the Privacy Commissioner of Canada has called for a human rights centered approach that is absent from the bill.

Not only does this seemingly side-step a number of problems seen in the Cambridge Analytica scandal, it also shows that, even if these laws are passed, Canada will still be very far behind Europe on this front.

In fact, the Open Rights Group used the GDPR’s right of access to create a tool called “Who Do You Think We Are?” The digital rights organization was able to get snapshots of how political parties track people’s personal information and formulate sometimes scarily accurate pictures (or laughably bad ones) of who you are and what you think, at least as far as the political parties are concerned.

The current bill, as it stands now, apparently decided to take a hard pass on this aspect of personal privacy. As a result, the gaping holes already being found in it are huge.

While the new proposed law fixes some glaring flaws in Canadian privacy law, it still needs a lot of work to be considered respectable. It would be a step up from the pathetic state Canada is in now, but if this bill passes as-is, Canada will continue to lag behind other countries.

Drew Wilson on Twitter: @icecube85 and Facebook.
