The federal government’s proposed new privacy legislation is a welcome improvement over the existing law, most legal experts agreed Tuesday during an online panel discussion.
However, a number of them also predict that what is known as Bill C-11 (the proposed Consumer Privacy Protection Act, or CPPA) will face a rough time in a minority Parliament, with push-back from businesses on two sections.
“I think there will be a lot of push-back,” said Teresa Scassa, University of Ottawa law professor and Canada Research Chair in information law and policy.
Michael Geist, another law professor at the university and Canada Research Chair in internet and e-commerce law, and privacy lawyer Alex Cameron of the Fasken law firm, weren’t optimistic C-11 will pass at all. The panel of nine was hosted by the University of Ottawa’s Centre for Law, Technology and Society.
If passed, the CPPA would replace and overhaul the existing Personal Information Protection and Electronic Documents Act (PIPEDA), giving more power to individuals over the personal data collected by firms that come under the federal legislation. It would also give the privacy commissioner the power to recommend multi-million dollar fines to a Personal Information and Data Protection Tribunal, which has the final say.
If the commissioner or the tribunal agrees a firm has violated an individual’s privacy rights, that person would also have the right to sue the firm for damages.
Scassa is critical that the CPPA doesn’t specifically list the right to privacy as a human right.
‘Reasonable person’
More importantly, Scassa says sections 12 and 13 of the proposed legislation are attracting a lot of heat from businesses. Section 12 says affected firms may collect, use or disclose personal information “only for purposes that a reasonable person would consider appropriate in the circumstances.”
Among the criteria a firm must consider are the sensitivity of the personal information; whether the purposes represent legitimate business needs of the organization; the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs; whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
It also says firms must determine at or before the time of the collection of any personal information each of the purposes for which the information is to be collected, used or disclosed — and must record those purposes.
Section 13 says a firm can only collect the personal information that is necessary for those purposes.
“I think this is going to be a hot button issue for the industry,” she said. “I think there will be a lot of push-back against sections 12 and 13 because they expose businesses to a higher level of scrutiny for their information [collection] practices.”
Tribunal questions
Geist predicted a “rough road” for the proposed law, with lots of complaints about sections, which, he suggested, could also mean that a law that pleases no one contains good compromises.
He also sees problems with the proposed tribunal only requiring one member to have expertise in privacy law. It would be better, he says, to at least have the tribunal chair be a former judge and the vice-chair be a former provincial privacy commissioner.
The goal, he says, should be a panel that has expertise in privacy law so appeal courts may defer to the tribunal’s decisions. Paul Daly, University of Ottawa research chair in administrative law, says C-11 should specify that the majority of the tribunal members must have privacy law expertise.
Geist also worries too many provisions are left to be finalized by government-issued regulations.
‘A wonderful bill’
McGill University law professor Ignacio Cofone called C-11 “overall a wonderful bill … an enormous improvement over PIPEDA.” But while it gives individuals the right to sue firms for privacy breaches, they only get that right if the privacy commissioner or the tribunal rules their rights were breached. The commissioner won’t investigate all alleged breaches, he pointed out. Meanwhile, firms not only face the possibility of being sued, but they also face potentially huge fines from the tribunal.
He suggested Ottawa follow California’s privacy legislation, which gives companies a short amount of time to address alleged privacy violations before an individual can sue. (The right to launch class actions would remain.) Alternatively, CPPA could limit the amount of damages so individual claims would have to be heard in small claims courts.
By contrast, Cameron says the business community is not “jumping for joy” over the CPPA, although the law could have been worse.
But he worries that in considering fines the tribunal has to take into consideration a firm’s size, revenue and ability to pay. Does that mean a firm will have to open its books to the regulator? It also isn’t clear if the tribunal has to hear the privacy commissioner’s recommendation of a fine. Cameron says it’s unclear if a firm can just agree to pay the fine without an extra hearing.
Tighten wording
Eloise Gratton of the Borden Ladner Gervais law firm noted with approval that under Section 18 a firm or an organization can collect or use an individual’s personal information without their knowledge or consent under certain circumstances as long as it’s “not for the purpose of influencing the individual’s behaviour or decisions.” That wording may have to be looked at, she stated.
Similarly, the wording of a section allowing firms to use de-identified personal data may have to be clarified, she added.
Finally, Gratton wondered if the private right to sue should be allowed, given that the tribunal can levy large fines. The controversial anti-spam law known as CASL includes the same private right to sue, she remarked — one that Ottawa has suspended because of trouble interpreting certain sections. Gratton suggested that Ottawa should consider suspending the same section in the CPPA for a few years to evaluate whether it’s really needed.
Adam Kardash of the Osler Hoskin & Harcourt law firm wondered why the CPPA continues PIPEDA’s reliance on firms getting clear user consent to use their personal information. The European Union’s General Data Protection Regulation (GDPR) says consent is only one factor that can be considered. Privacy experts say that in today’s complex environment getting people to understand consent provisions isn’t easy, he argued. There should be more debate on this, he says.
Look to California
Emily Laidlaw, an associate law professor at the University of Calgary and Canada Research Chair in Cybersecurity Law, argued California’s privacy act deals better with some things, including giving individuals the right to refuse the sale of their data to third parties. She also says the proposed CPPA doesn’t offer much guidance to firms on what they should disclose to users if they send data outside Canada for processing.
She is also unsatisfied that the law says firms don’t need to get express consent from persons to use their data where it would be impractical. This covers areas where there is no direct relationship between a firm and an individual. But, Laidlaw says, that may be a loophole for data brokers.
While some of the panellists aren’t sure if the legislation will pass, Scassa noted, “something has to happen. PIPEDA is in need of reform.”