Blog Post:

Submission on Reform of Canada’s Privacy Act: Modernizing Canada’s Privacy Act

I am a Professor in the Political Science Department at the University of Victoria. For over 30 years, I have been researching and writing about the issue of personal privacy protection in Western societies: the spread of surveillance; the nature and extent of public concern; and the content and effectiveness of privacy protection policies, both in Canada and internationally. I have written several reports to Canadian and international governmental bodies, including to the European Commission. I have been a complainant under several federal and provincial privacy laws, including the 1982 Privacy Act. I teach courses on these issues at UVIC, and so get an important perspective on the views and concerns of younger people.

I welcome this opportunity to comment on reform of the Privacy Act.   I last offered my views on this issue before the House of Commons Access to Information, Privacy and Ethics (ETHI) Committee in September 2016.[1]   I also wrote on the development of this legislation back in the 1990s, and noted back then the dire need to reform a dated law.[2]  I would also commend to you the analysis of my colleague, David Flaherty, the former Information and Privacy Commissioner of BC.[3]   The Privacy Act was written for a different era, and for a very different generation of technology.  It has long needed radical reform.  

Before addressing some of the explicit questions in the consultation document, I want to make four general points about this process, and perhaps to push back on some of the assumptions that underpin the Government’s consultation. 

First, what does it mean to modernize privacy legislation?   The word is used frequently in the consultation document, but is never defined.  One interpretation is that the Privacy Act should be strengthened to reflect modern assumptions about how privacy is best protected, based on important lessons learned from Canadian and international experience.  An alternative reading, however, is the desire to modernize in order to allow a greater flexibility in the use of new technologies, including massive sources of personal data, in order to perform a variety of administrative functions.   So, are we modernizing personal data processing, or are we modernizing the legislation in order to better promote personal privacy protection?  I hope the latter, but I do see the two goals in some conflict.  

Second, what is meant by technological neutrality? I am frankly not sure that I want privacy laws to be technologically neutral. There are plenty of technologies that we should clearly not be neutral about. Some are inherently invasive and should be banned. (I have that reaction to some forms of facial recognition, for example.) Technological neutrality has become a bit of a cliché in privacy discourse. I think the government does not want a privacy act that impedes valuable innovation, and also wants one that is going to be future-proofed. But I don’t think that is neutrality. Technologies are not neutral. They embody biases. And some should be outright prohibited, especially if they are in the hands of the agencies of the state.

Third, the consultation document stresses the importance of interoperability. The word is not defined, but I think it means something very different from harmonization. The obligations in laws can be interoperable without necessarily being the same. For instance, the processes for doing PIAs should be interoperable between the federal government and the provinces. If an organization does a PIA under the authority of one law, it may need the assurance that the PIA will also be acceptable in another jurisdiction. But that does not necessarily mean the harmonization or convergence of rules. Different jurisdictions can have different rules that are nevertheless interoperable.

But interoperable with what?   When the Privacy Act was passed in 1982, the main goal was to make it interoperable with the Access to Information Act, such that exemptions were consistent across the two pieces of legislation, and that any tensions would be worked out between the two Commissioners.  I believe these two legislative schemes have drifted apart over the years.   Therefore, it is far more important that the reform of the Privacy Act be made consistent with the legislation governing the private sector.  The inconsistencies between PIPEDA and the Privacy Act have been far more serious, in my judgement.   Every effort should be made to ensure that a reformed Privacy Act and the reformed PIPEDA (expressed in Bill C-11) be made as closely aligned as possible in terms of the essential principles and the powers of the Commissioner.  

Increasingly, the Privacy Commissioner of Canada is also cooperating with his provincial counterparts on investigations in public and private sectors.   These joint efforts have generally been successful, even if lengthy.   Differences between provincial and federal legislation, and between the powers and procedures of federal and provincial commissioners have created some inconsistencies that need careful navigation.  The new Privacy Act should also be interoperable with the main public sector information and privacy protection laws in the main provinces.   

The Privacy Act should also be aligned with established global standards, and the discussion paper references the main ones. But global standards are not necessarily of the same strength. The OECD principles and the APEC Privacy principles, for instance, reflect the solutions of the past. The EU General Data Protection Regulation (GDPR) and the modernized Convention 108 embrace the modern tools of privacy governance and are far more relevant models. With regard to the latter, I have argued that Canada should seriously consider accession to Convention 108+.[4] It arguably provides a far more accessible and exportable model than does the GDPR. That said, a modernized Privacy Act is critical for the continued enjoyment of adequacy status from the EU, as lawful access to private sector data now forms a central component of adequacy evaluations.[5]

Finally, I hope the government is contemplating a complete rewrite of this legislation.   Because it is so dated, it does not lend itself to cosmetic changes or minor amendments.   The overall scheme for the protection of personal data by the Canadian government needs to be rethought.  Several generations of privacy legislation have come and gone since 1982.   I don’t think therefore the current framework really lends itself to being updated.   It needs to be fundamentally redesigned.  

I will now address some of the key questions raised by the Discussion Paper.

1. Changing title of act

I support changing the title of the legislation.   Privacy Act is a misnomer.  At the same time, the new title has to make sense alongside the new private-sector law; and I am critical of the title of the Consumer Privacy Protection Act (CPPA).  

2. Modernizing the purpose clause 

I also support a broader purpose clause. At the same time, the list offered (p. 7) seems to be too confusing and lengthy. For example, I don’t think the purpose of a privacy act should be to promote effective and accountable public governance, or to support sound, ethical and evidence-based public sector decision-making. This law should stay in its lane. It is about the protection of personal data in order to promote privacy, human dignity, personal autonomy and self-determination. This is essentially a law to protect individuals against intrusions by their government. If the Privacy Act has quasi-constitutional status, then that should be acknowledged in the purposes.

3. Consistency with International Models

I am in favour of updating the principles within the new legislation. And those principles should be consistent with those in the CPPA. Again, however, those principles were developed in the 1990s and incorporated into the CSA’s Model Code for the Protection of Personal Information. So, an incorporation of those principles per se would not necessarily make the new law consistent with contemporary international models. I repeat the point made earlier, and urge the government to look very closely at the new Convention 108 from the Council of Europe. I argue that accession to Convention 108+ would: reinforce Canada’s reputation as a trusted jurisdiction for personal data processing and thereby assist the development of the Canadian digital economy; help Canada’s application to the European Union for continued adequacy status under the General Data Protection Regulation; facilitate the import and export of personal data to and from other signatories to the Convention; potentially reinforce data export restrictions in recently signed international trade treaties; make a powerful statement about Canada’s commitment to international privacy rights; and also enhance the credibility of the Convention as the only binding and multilateral standard for the protection of personal information, at a critical time in the development of the global digital economy.[6]

4. Clarifying Concepts

On the question of the definition of personal information, I think the definition should be consistent with that in the GDPR, otherwise interoperability with global standards is going to be difficult to achieve.    It makes perfect sense to remove the dated concept of a record.   There is surely a difference between having the information in a record and having the information recorded.   The key concept, surely, is identified or identifiable.   This is one of the key areas where the Act needs to be modernized.    There does need to be clarity about when an individual is identifiable.   But again, the GDPR (and Convention 108+) provide useful guidance on these questions.  

Throughout this section, I sense that the problems addressed are guided by outdated thinking concerning the Access to Information Act.  I agree that the list of exemptions in j to m should be removed.   And yes, more precise standards for publicly available information would be desirable.  I do, however, have some doubts about the administrative purposes definition, and wonder why it is currently necessary.   It is a dated concept.   Individuals should have the full suite of privacy rights over their personal data, whether it is used for an administrative purpose or not.   

I have expressed the view in my analysis of C-11 that the government should specify some special restrictions for sensitive forms of data.   C-11 obliges organizations to consider the sensitivity of the data in many of their obligations.   I don’t see why any lesser obligations should apply to government.   It is all very well to advocate a flexible principled approach, and to argue that protections should be based on context.   But the sensitivity of data is contextual, and federal public bodies (like corporations) should be especially careful when processing data on health, ethnicity, sexual practices and orientation, political opinions, genetic data and so on.   Furthermore, to the extent that analysis of a reformed Privacy Act will form part of an EU adequacy assessment, I see no reason why the government should not modernize the legislation by specifying special rules for sensitive (but not exhaustive) categories of personal data. 

5. Updating rights and obligations 

It is a no-brainer that the Act should be extended to foreign nationals who are not present in Canada, and this would bring our legislation into line with other jurisdictions. It would also assist in the adequacy assessment, given the attention paid by the EU to personal data accessed by foreign governments. I also support the right to have personal information collected directly from the individual unless an exception applies. However, the breadth of any publicly available exemption requires very careful specification. Notifications of collection, and the expansion of the rights to correction, obviously make sense.

I am concerned about the weakness of the language concerning automated decision-making systems. The paper stresses the importance of accountability mechanisms and public awareness. I see nothing, however, about the right both to insist on human intervention in the decision-making, and to have an explanation of any decision relating to the individual. These rights are laid out in Article 22 of the GDPR. They also appear in Article 63 of the CPPA. There should clearly be consistency with any revised Privacy Act. Indeed, I believe the right is even more urgent with respect to government and the potential loss of important government benefits or services when adverse decisions occur as a result of automated decision-making. This is not a new problem, even though AI tools are far more efficient (and probably dangerous). The same issues were debated in the 1980s and 1990s with respect to the old practice of computer matching or record linkage. The protections in the Privacy Act were inadequate back then, as they are now.

The absence of security safeguards in the Privacy Act has been a subject of constant complaints over the years. This is one of the foundational privacy principles of information privacy legislation, and it is extraordinary that it was not included back in 1982. Data breach reporting requirements are now also essential. They go hand-in-hand, however, with appropriate security safeguards. It is wise to combine the stick of mandatory data breach reporting with the carrot that says that if you have taken appropriate technical measures to encrypt the data, then reporting requirements are less onerous. Strong data breach notification measures, with the attendant bad publicity, should be framed in such a way as to incentivize organizations to protect personal data with strong technical safeguards and appropriate organizational measures (such as staff training).

6. Updating rules on collection, use, disclosure, retention

The first part of this section is essentially proposing a data minimisation principle without saying so in so many words.   I would support the inclusion of a necessary rather than a reasonably required standard.   My impression is that federal government data collection practices over the years have become more expansive.  A stricter standard would force agencies critically to examine the statutory authority for collection, and to assess (if there is no clear statutory authorization) why they need the data in the first place.  

I have a similar reaction to the consistent use exemption, a provision that has been expansively interpreted over the years.   I note that agencies are supposed to report consistent uses, and list them in Info Source.   I doubt whether this reporting requirement is effective.  I support, therefore, a clarification of the meaning and a listing of examples better to guide public bodies.   Of course, the reasonable expectations of the individual should be considered.  

7. De-Identified information 

The analysis of de-identified data can, sometimes, assist administrative decision-making and planning.   I have three points about the use of de-identified personal data.   

First, any definition should be consistent with C-11, as should the penalties for deliberate re-identification. Care should also be taken that the definition lines up with definitions of anonymization and pseudonymization in the GDPR. Second, de-identification should be undertaken with a view to being able to prove, externally, that the data cannot be re-identified according to well-established standards.[7] Organizations should be prepared to demonstrate (to external regulators) that strong standards of de-identification have been adhered to. Third, the provisions of the Act (with the exception of access and correction rights) should still apply to de-identified data, including, crucially, the rules about security and data breaches.

8. Stronger Accountability mechanisms

It is difficult to understand exactly what is contemplated for the protection of personal data sent outside Canada. The rules will be dependent on context. However, the kinds of written agreements proposed for the protection of personal information sent outside Canada are the minimum standards that should be contemplated. Canadians need legal assurances that the data will be protected according to the same, if not higher, standards than those enjoyed in Canada. They also need the assurance that they will have enforceable rights of redress should their data be misused or breached. I have similar concerns about the data export restrictions in C-11. Both legal regimes should be strengthened and consistent.

I fully support the other accountability mechanisms, including Privacy by design, PIAs and the need for Privacy Management programs.  PIAs have become a feature of the privacy protection landscape in Canada since the 1990s.   Ideally, they should be a recurrent process, rather than just a one-off checklist.  Experience also suggests that they are more likely to be effective when embodied in existing administrative processes (such as technology procurement, budget approval and so on).   The OPC has repeatedly reported that the quality of PIAs conducted in the federal government is uneven because there is no legislative requirement, as there is in some provinces and in other jurisdictions.  I fully support, therefore, the statutory requirement to conduct PIAs for new, or substantial modifications, in policy.  

9. Modernizing transparency practices

The system of publishing and updating Personal Information Banks in InfoSource should indeed be thoroughly reviewed.  This process is the legacy of a prior technological era, when personal data was indeed stored in discrete databanks.   I have always wondered whether Info Source is of real value to Canadians.  It always seems out-of-date, and probably gives a very unrealistic impression about the extent and nature of personal data processing in the federal government.   It is also probably a headache for federal public servants to update.  So, I fully support a more accessible and searchable information registry.   Summaries of PIAs and of information-sharing agreements (within the federal government and between the feds and the provinces) also obviously need to be transparent.  

10. Open dialogue and publicly accessible guidance

The absence of a public education mandate for the Privacy Commissioner in the Privacy Act has always been a critical failing, and successive Commissioners have always complained about it.  The Commissioner should obviously be given the power to issue guidance on the interpretation of the Act.  I would also add that the office should be given the authority to commission research on issues of pressing concern. This is done through the excellent, and widely popular, Contributions Program.[8]  It makes sense to base the Commissioner’s ability to commission relevant research on a statutory footing.   

On the question of the regulatory sandbox environment, obviously the procedures for participation in this scheme need very careful specification so that any future investigation of a participant’s activities is not hampered.   My impression is that the regulatory sandbox scheme currently administered by the Information Commissioner’s Office in the UK has been successful.   The government should look at the design of this program and draw appropriate lessons. 

11. Creating an enhanced compliance framework 

I am generally in favour of the suggestions listed in this section on an enhanced compliance framework, especially the power to conduct pro-active audits. Any specification of discretion to refuse to investigate frivolous, vexatious or bad faith complaints needs to be very carefully circumscribed. These exemptions appear in provincial legislation; lessons should be drawn from the practices and experiences of provincial commissioners. A statutory power to collaborate with federal and provincial counterparts is obviously needed, and probably just formalizes current practices in many respects.

I have one final comment on the imposition of clear statutory timelines. Those who have initiated complaints to the Office of the Privacy Commissioner (as have I) are often frustrated by the huge delays. It is not clear who is to blame. To the extent that clear statutory deadlines would assist the expeditious investigation of complaints, I support their inclusion in the Act. I am also of the view that delays are encouraged by the ombudsman model. I suspect that the addition of order-making power will also have the effect of focussing the mind of organizations, and expediting the resolution of complaints. I fully support providing the Commissioner with the power to issue orders, consistent with those of his provincial counterparts.

 


[1] Testimony before Standing Committee on Access to Information, Privacy and Ethics, September 27, 2016.   

[2] Colin J. Bennett, The Formation of a Canadian Privacy Policy: The Art and Craft of Lesson-Drawing, Canadian Public Administration 33, 551-570 (1991)

[3] David H. Flaherty, Reflections on Reform of the Federal Privacy Act,  Canadian Journal of Administrative Law and Practice 21, 272-320 (2008)

[4] Colin Bennett ‘The Council of Europe’s Modernized Convention on Personal Data Protection: Why Canada Should Consider Accession’ CIGI Papers No. 246, November 2020.

[5] Colin Bennett ‘Canada’s new Consumer Privacy Protection Act (Bill C-11): Will it be adequate?’ (2021) 169 Privacy Laws & Business International Report (February 2021)

[6] Colin Bennett, ‘The Council of Europe’s Modernized Convention on Personal Data Protection.’ 

[7] Such as those proposed by the Ontario Office of the Information and Privacy Commissioner:    https://www.ipc.on.ca/wp-content/uploads/2016/08/Deidentification-Guidelines-for-Structured-Data.pdf

[8] Full disclosure.   I have received funds from this program over the years.