By Mairead Matthews and Rob Davidson
The federal government introduced Bill C-11 in November as its first major attempt to change Canada’s privacy laws in decades. The proposed Consumer Privacy Protection Act (CPPA) is expected to modernize and, in some cases, toughen privacy and stiffen violation penalties for the digital age.
The Liberal government hasn’t committed to a timeline for the bill to become law (an election promise), but the Ontario government decided to conduct its own consultation on privacy from August to October 2020. In response to its request for input, the Ottawa-based Information and Communications Technology Council (ICTC), a national centre of expertise for the digital economy, submitted feedback on the major tenets of Ontario’s privacy proposal, the CPPA, and privacy legislation in Europe.
Here is a summary of that feedback.
COVID-19 health measures pushed entire communities online in a matter of weeks in early 2020, normalizing digital telehealth, teleworking, and virtual learning. New digital tools became part of Canadian lives. People now spend more time online than ever before, which has privacy implications, so there has never been a more pressing time to improve Canada’s privacy laws.
While this is a national issue, Ontario is a key player in Canada’s increasingly digital economy. The province has a burgeoning tech industry, the country’s largest health and education sectors, and nearly 15 million people. Privacy law is a core pillar of a modern economy.
Done right, a privacy-law redo will create certainty for business and protect the fundamental rights of consumers, patients, students, and individuals.
Privacy in Ontario is governed by a collection of federal and provincial privacy legislation. Public sector and healthcare activity are addressed by various provincial Acts, while private sector activity is covered by the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Significantly, non-profits and charities in Ontario are not covered by any current rules. Nor are unions or provincial political parties. In its consultation, Ontario wants to expand the scope of privacy legislation to include these categories and replace PIPEDA with provincial private sector legislation.
In this provincial effort, it will be important to recognize the specific needs of different types of organizations and their ability to comply with new regulations. A tiered system of requirements and penalties based on resources and capabilities could help address some of these challenges.
Ontario will also need to effectively coordinate its efforts with the federal government and relevant privacy commissioners to avoid conflicting or overlapping regulation. Legislative overlap is even more important now with the introduction of Bill C-11, which provides many of the same measures proposed by Ontario last summer.
The following measures are some core areas of Ontario’s privacy discussion:
Enhanced consent – Ontario proposes new provisions to allow individuals to revoke consent at any time and require an “opt-in” model for secondary uses of personal information.
While allowing individuals to revoke consent at any time might sound like a move in the right direction, ease and enforceability will be the real tests of this proposition. If individuals are forced to engage costly legal representation to force compliance, for example, enhanced consent provisions will not have helped.
Data and consent in other legislation – PIPEDA possesses relatively strict consent rules, whereas legislation like the European Union’s General Data Protection Regulation (GDPR) is more flexible.
The GDPR outlines six cases under which data can be legitimately processed and only requires consent in one case. If passed, the proposed federal CPPA rules would move meaningful consent toward GDPR interpretations, making the need for consent more flexible.
The right to erasure – Ontario proposes giving individuals the right to request the deletion of their personal information, subject to limitations. The argument is that if personal data has been altered, misused, or otherwise negatively impacted, people should have the right to lawfully erase it. This is especially important for minors and other vulnerable groups.
Rights to erasure and deletion are already afforded by the GDPR, the California Consumer Privacy Act, and recently proposed Québec legislation. This isn’t the case under current Canadian privacy laws. The proposed CPPA would implement a clear and explicit right to erasure.
De-identified personal data and synthetic data – Ontario proposes specific requirements for de-identified personal data.
De-identification and other privacy techniques such as synthetic data are valid processes that allow for data use without compromising personal privacy. The proposed federal CPPA clarifies that any direct identifiers of specific individuals need to be protected. The EU model incorporates a Data Protection Officer who is certified in the proper use and monitoring of emerging, industry-standard de-identification techniques. A similar model would improve Canadian privacy law reform.
Safely sharing data through data trusts – There is no “magic bullet” for all data-sharing challenges. New tools like data trusts can generate significant inroads and enable the innovation potential of Canadian businesses.
When designed and implemented properly, a data trust can balance the competing needs of responsible data access, individual and group privacy, management of sensitive data such as medical and social services research, and development of commercial products.
Mairead Matthews is a Research and Policy Analyst and Rob Davidson is Director, Data Analytics at the Information and Communications Technology Council of Canada (ICTC), a national centre of expertise on the digital economy. The responses included in this article are a select portion of ICTC’s entire consultation submission. To read more, visit www.medium.com/digitalthinktankictc/