Ottawa’s second attempt at overhauling federal legislation regulating how businesses collect and use personal data of Canadians still favours the private sector, says a leading technology and human rights group.
The University of Toronto’s Citizen Lab today released a critical analysis of the proposed Consumer Privacy Protection Act (CPPA, also known as C-27), complaining it allows “private individuals’ and communities’ data to be exploited for the benefit of the economy and society alike” rather than do what its name says: protect consumers.
The report calls for significant amendments before the bill is passed, including expanding the powers and responsibilities of the federal privacy commissioner; giving the commissioner the power to levy fines for violating the act instead of taking alleged offenders to a privacy tribunal; getting rid of the proposed distinction between de-identified and anonymous data; removing exemptions given to businesses for collecting data without the consent of individuals; and giving data sovereignty to Indigenous groups.
There are 19 recommended changes to the wording of C-27, enough that the group says the government should start all over again, beginning by giving Canadians the right to privacy.
“We think that the legislation would be best to be withdrawn and re-introduced,” co-author Christopher Parsons said in an interview.
“Likely the government will not do that,” he admitted, so the goal of the recommendations “is to remove as many sharp edges as we can.”
“It’s meant to let the government see what could be done to still enable the commercial and socially-beneficial uses of [personal] data that the government seems to be inclined towards, while also trying to mitigate some of the worst harms that could come, based on the way the legislation is written now.”
“I don’t think the legislation is principally designed with privacy in mind,” Parsons added. “Our analysis of the legislation is that it is very deliberately designed to be very friendly to business and to enable the free flow of personal information in the service of the information economy.”
The Citizen Lab analysis follows the release of a report last month by the non-profit Centre for Digital Rights, which says C-27 “not only expands [business] surveillance, it treats citizen privacy as an obstacle to corporate profits.”
Aimed at updating the Personal Information Protection and Electronic Documents Act (PIPEDA), the CPPA was re-introduced in June. The first time the Liberal government proposed it was in 2020, when it was designated as C-11. However, it died in the face of criticism from then Privacy Commissioner Daniel Therrien and the calling of the September 2021 federal election. Despite the criticism, the re-elected government largely left CPPA the same as the 2020 version. It continues PIPEDA’s framework of obliging companies to follow privacy principles rather than give Canadians the right to privacy.
The government counters that the importance of privacy protection is mentioned in the legislation’s preamble.
C-27 is now in second reading in the House of Commons, before being referred to a committee for detailed examination. It isn’t clear which committee the bill will go to: The Ethics and Privacy Committee, chaired by a Conservative, or the Industry committee, chaired by a Liberal. It may go to a committee before the end of the year.
C-27 is composed of three proposed pieces of legislation, including a proposed bill regulating the use of artificial intelligence applications, but the Citizen Lab report only deals with the CPPA.
In a November 4th speech to Parliament, the bill’s sponsor, Innovation Minister François-Philippe Champagne, said the legislation “would strengthen privacy protection for Canadians by giving the Privacy Commissioner of Canada significantly more powers, better protecting the data of Canadians, especially minors, and creating a clear set of rules to encourage Canadian organizations to innovate while using data responsibly.”
In response, Conservative Rick Perkins said, “Privacy is a fundamental human right. It should be recognized in this bill, but it is not.” Conservative Ryan Williams went further, saying C-27 “needs massive rewrites and amendments to properly protect privacy.”
It isn’t clear yet whether the Liberal minority government has the votes to pass C-27 unchanged. The Liberals struck a deal with the NDP to support the government until 2025 on confidence and money bills. There are no news reports on whether the deal includes the NDP backing C-27. It isn’t known whether, if the Conservatives demand major changes to C-27, they will be supported by the New Democrats — or vice versa. A partnership of those two parties can override Liberal objections to changes.
The Citizen Lab report largely deals with problems of companies collecting, using, and disclosing data from mobile devices. With individuals increasingly using smartphones, laptops, and tablets as their principal telecommunications devices, this data is valuable to businesses — and governments.
The report focuses on the public controversy that broke out last December when news came out that Telus and a data analytics firm called BlueDot gave de-identified data and aggregated data to the Public Health Agency of Canada early in the COVID-19 pandemic, to help figure out how and where the virus was spreading. Data that has been de-identified and aggregated in particular ways likely can’t be re-identified, the report notes.
Citizen Lab argues that the data collection was likely legal under PIPEDA, but Ottawa failed to ensure that Telus and BlueDot got meaningful consent from individuals about the re-use of their personal data.
If the CPPA isn’t amended, Citizen Lab argues, that will happen again. The worry, Parsons said, is that another government might get (or buy) and use private sector mobility data to find out more intrusive things, like how many women are going to family health centres.
“Mobility information can be intensely sensitive,” the report says. “It can reveal individuals’ and communities’ patterns of life and reveal associational trends before participants themselves are aware of them.”
Among the report’s complaints is that the CPPA makes a distinction between the protection of anonymous data (data stripped of personal identifiers so individuals cannot be re-identified) and de-identified data (data processed in a less strict way that could allow persons to be re-identified). Anonymized data wouldn’t be covered by the CPPA. Companies would have to follow CPPA’s protections in handling de-identified data — but, there would be exceptions in certain cases, allowing businesses to treat it as anonymized data. Those exemptions should be removed, says Citizen Lab.
Another exemption that should be abolished, says the report, is one that would allow an organization to disclose de-identified data to a government institution if it is made for “a socially beneficial purpose” such as health, improvements of public amenities or infrastructure, the protection of the environment, “or any other prescribed purpose.”
If the government wants to go ahead with that, every individual should have to be told and given the choice of opting out, says the report — and the federal privacy commissioner should have to approve the disclosure.
The CPPA proposes that a business can collect or use an individual’s personal information without their knowledge or explicit consent if it’s for an activity in which the firm has a legitimate interest “that outweighs any potential adverse effect on the individual” as long as the personal information isn’t collected or used for the purpose of influencing the individual’s behaviour or decisions. In that case, says Citizen Lab, people should be told and given the right to opt out.
The CPPA says the sharing of personal data collected by a business is acceptable under certain conditions. The proposed legislation says three factors are to be taken into account, including the sensitivity of the personal information and whether the purposes represent legitimate business needs of the organization. Citizen Lab proposes that firms take a new factor into account: the company has to do an analysis of the sensitivity of the privacy interest in the information, and what it calls “the sensitivity of quality-impacting inferences that could be derived from or associated with the personal information.”
And if a firm determines that the personal information it has collected is to be disclosed for a new purpose, it has to renew its consent obligation from individuals before it can be used.
Finally, while the CPPA gives individuals the right to sue firms for violating the act after the privacy commissioner has made a finding of wrongdoing, Citizen Lab says that the condition should be removed because it may take some time for the commissioner to issue a report.