Legislating privacy in the digital age: Looking at the proposed Consumer Privacy Protection Act

December 13, 2020

Thomas Friedman is an American political commentator, a three-time Pulitzer Prize winner and a weekly columnist for The New York Times. His international best-selling book on the dual disruption of globalization and technology, The World Is Flat: A Brief History of the Twenty-first Century, was first published in 2005. A mere six years later, he was reflecting on this book as he sat down to write That Used to be Us: How America Fell Behind in the World it Invented and How We Can Come Back.

In reference to his earlier book he wrote: “Facebook didn’t exist; Twitter was a sound; the cloud was in the sky; 4G was a parking place; LinkedIn was a prison; applications were what you sent to college; and Skype for most people was a typo.”

Mr. Friedman offered this observation as a vivid demonstration of how much and how fast our world has changed in a remarkably short period of time. This quote continues to resonate and came back to me again this week as I read the draft Digital Charter Implementation Act, 2020 (officially Bill C-11, Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act), which Innovation Minister Navdeep Bains introduced in the House on Tuesday. The digital age brings both amazing opportunities and daunting challenges. Governments around the world are weighing the balance between enabling access to personal data and protection of individual rights and privacy. It was never an easy task, but at today’s pace, legislation can be antiquated before it even hits the Legislature floor. When you consider that Canada’s first significant attempt to find symmetry between data access and personal privacy, the Personal Information and Electronic Document Act (PIPEDA), came into place nearly 20 years ago, it is easy to understand why many are calling this week’s proposed legislation “Canada’s Biggest Privacy Overhaul in Decades”.

In January 2001, and for quite some time leading up to the introduction of PIPEDA, I was working for a big U.S. bank with a subsidiary in Canada. I was managing a small team in a department known at the time as “Database Marketing and Sciences”. We had a nearly unlimited budget to collect and analyze the data of Canadians and we were very good at it. We had accumulated so much data on Canadians that, on average, we had control of dozens of individual personal attributes on every Canadian of majority age. Our operations were so advanced, we outsourced all data processing to firms in the U.S. This was at a time when the bank’s data processing would require mainframes running 24 hours a day for 7-10 days to process the data we required for our monthly marketing efforts. Today, the same data processing can be completed in a matter of seconds.

The introduction of PIPEDA brought the first wave of law and order to this digital Wild West. Since then, the emergence of big tech has completely rewritten people’s expectations of privacy and data ownership. Without government intervention, the average citizen has little hope of guarding a right to privacy in this “everybody knows everything” world. That’s why the new Digital Charter Implementation Act (DCIA) is so welcome and needed.

While we can expect any adopted legislation to look a bit different than it does at first reading, like the PIPEDA before it, this legislation will create significant change in how business gathers, maintains and uses individuals’ information. It pays, therefore, for companies to be aware of the major aspects of the legislation, as proposed. Here are a few highlights:

  • The intended purpose of this legislation is, “to protect the personal information of individuals while recognizing the need of organizations to collect, use or disclose personal information in the course of commercial activities.” The productive balance of interests is the intended outcome of this Act.
  • This Act is not merely an amendment or update to PIPEDA, but rather a new approach to privacy law, acknowledging the globalization of data and commerce. The legislation, as currently written, states that we now live in “an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information.”
  • That being said, as Michael Geist notes in his review, DCIA incorporates many of the same principles found in PIPEDA, including “accountability, appropriate purposes, limiting collection, use and disclosure, retention and disposal of personal information, accuracy of personal information, security safeguards (to which DCIA adds provisions for security breach disclosure); and openness and transparency, which now includes algorithmic transparency”.
  • Probably the most important change is the proposal of a new enforcement regime, with powers granted to the Privacy Commissioner including the ability to impose significant penalties for contravening the Act. If passed into law, private companies that violate Canadians’ privacy could face millions of dollars in fines.
  • For the first time, artificial intelligence, machine learning, automated decision systems and algorithms are addressed. One of the provisions of the Act is to provide greater transparency as to how personal data is used within the context of these newer technologies. For example: If the organization has used an algorithm to make a decision about the individual, the organization must, on request by the individual, provide them with an explanation of how the personal information that was used to make the decision was obtained.
  • The DCIA revises the standards of consent and the individual’s right to reclaim their private data. This potentially could include de-identified data. As with PIPEDA, organizations must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of their personal information beyond what is necessary to provide the product or service.
  • The bill also includes a new privacy right on data portability, which involves the potential for individuals to ask organizations to transfer their personal information to another organization. On the topic of de-identified data, severe penalties have been proposed for those that seek to try to identify an individual using de-identified data.
  • The Act would provide for the ability to use data with limited restrictions for the purposes of statistical, scholarly study or research and the ability to disclose an individual’s personal information without their knowledge or consent if it is for a “socially beneficial purpose”. Both these provisions, as currently written, seem particularly vague and potentially problematic and will either be adjusted during the path to Royal Assent or will require regulations to fully understand how they will be applied.
  • As in PIPEDA, if an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as that which the organization is required to provide under this Act. However, under the proposed DCIA, if the organization determines that the personal information it has collected is to be used or disclosed for a new purpose, the organization must record that new purpose before using or disclosing that information for the new purpose.
  • As it pertains to providing/selling personal data to a third-party, if an organization has disclosed information, the organization must also provide to the individual the names of the third parties or types of third parties to which the disclosure was made, including in cases where the disclosure was made without the consent of the

While this new piece of draft legislation will no doubt benefit from thorough debate and discussion on its way to becoming law, it reflects a long-overdue need to modernize online rights, including providing better protection of people’s personal data, and the ethical use of data and digital tools in the digital marketplace.

“In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it is to pass laws regulating its generation, use and eventual disposal”. Bruce Schneier, The Future of Privacy.