The federal government’s overhaul of privacy laws is poorly drafted and will destroy privacy while claiming to protect it, according to experts.
Bill C-11, the Digital Charter Implementation Act, gives the privacy commissioner powers to rule on breaches of privacy and levy a fine of $25 million or 5 percent of a company’s gross global revenue in the financial year before sentencing—whichever is higher. If the bill passes, it will also create a tribunal that will hear appeals to commissioner rulings.
The proposed legislation represents an overhaul of privacy laws enacted some 20 years ago, the aim being to better protect Canadians’ personal data in the digital age and provide “appropriate compensation” when personal data is breached.
But John Lawford, executive director and general counsel of the Public Interest Advocacy Centre, believes the bill, which had its first reading on Nov. 17, could be a step backward.
Lawford said in a statement that Bill C-11 should be rewritten to protect consumers instead of favouring big business.
“We are aghast that the federal government feels it can weaken consumer privacy with a doublespeak Bill that removes a consumer’s right to protect his or her personal information that is used for any ‘business activity’ if it is ‘de-identified’ or used for what the government deems is a ‘socially beneficial purpose,’” he said.
Weakened Consumer Protection
In an interview, Lawford said the proposed legislation is “a complete change” from the law as it currently stands.
“At the moment you at least notionally have to give your consent to all these uses and even your consent to having it de-identified and used in a further database, but that’s being taken away from us. So I just don’t think that’s a good deal for consumers,” he said.
The bill absolves businesses of privacy obligations regarding “an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.”
De-identified data can also be disclosed by an organization without knowledge or consent where it is for a “socially beneficial purpose,” defined as one “related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.”
Lawford said the heavy penalties in the bill are meaningless because so few rights are protected and violations would be hard to prove.
“I would have wanted to see a structure more like the European General Data Protection Regulation, which gives a little more protection for consumers and requires consent for most things, with some exceptions, but more tightly controlled than what we have,” he said.
A statement by Privacy Commissioner Daniel Therrien suggests that the legislation lacks the “legal framework that would entrench privacy as a human right and as an essential element for the exercise of other fundamental rights,” and that it “places even greater emphasis on the importance of the use of personal information for economic activity.”
Several groups have welcomed Bill C-11, including the Canadian Internet Registration Authority (CIRA), which manages .ca domains. CIRA president Byron Holland said in a media statement that companies must be held accountable for protecting users’ data and “face real consequences should they break the trust of their users.”
The proposed legislation explicitly allows individuals to authorize the transfer of their personal information to another organization if they desire. An organization is also obliged to respond to an individual’s inquiry regarding whether it has any personal information about that person, how it uses the information, whether it has disclosed the information, and if so, whom it disclosed it to. It must also give the individual access to that information.
The proposed legislation also forbids any process that would restore a personal identity to de-identified data.
University of Ottawa professor Michael Geist, however, is concerned that the bill leaves it to the commissioner’s discretion whether to investigate a privacy breach.
“[T]here still should be an avenue of appeal for complainants to the Tribunal. At the moment, the right of appeal in section 100 is limited to findings, orders, or decisions, meaning that declining to investigate leaves complainants with no recourse other than judicial review,” Geist wrote in a blog post.
Konrad von Finckenstein, a lawyer and former chair of the Canadian Radio-television and Telecommunications Commission, told The Epoch Times that some parts of the act are unclear.
Section 55(1) states that an organization must dispose of a person’s personal information upon written request “as soon as feasible.”
“What is ‘as soon as feasible’?” Finckenstein wonders.
Section 57 says the security and protection of information “must be proportionate to the sensitivity of the information.” Section 58 says organizations only have to report security breaches to the commissioner “if it is reasonable to the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
“This loose drafting using imprecise subjective terms is unusual” and by consequence “will be difficult to comply with or enforce,” Finckenstein said.
Provincial privacy legislation is “very clear” in B.C., Alberta, and Quebec, he notes.
“And then you get this federal one, which is I think very poorly drafted, very loosey-goosey language, and doesn’t follow the format. Why isn’t there an attempt to try to uniform those pieces of legislation so that the same concept, the same wording, the same procedures are used at both levels?
“I thought there was a missed opportunity to do that.”