Conditions of Uncertainty: Bill C-27’s approach to sensitive personal information is not enough
What kinds of information are deserving of special protection under Canadian privacy law? We explore the current landscape in light of Canada's proposed privacy laws, and look to other jurisdictions that are doing it better.
This article was written by Ali Aghaamoo, an OpenMedia summer student from the University of Ottawa’s Faculty of Law.
On June 16, 2022, Canada’s federal government proposed the new federal privacy Bill C-27, the Digital Charter Implementation Act. It’s a three-tiered piece of legislation aimed at private sector personal information protection practices, and if passed, it would repeal Part 1 of the Personal Information and Electronic Documents Act (PIPEDA) and replace it with the Consumer Privacy Protection Act (CPPA).
This is a huge opportunity for people in Canada to finally get the privacy protections that they desperately need and deserve. The passage of new privacy laws could mean not only new privacy rights, but also that our existing privacy rights become enforceable and actionable. On the other hand, it could also mean that people in Canada are forced to sacrifice potential new privacy protections so that corporations can continue exploiting their sensitive data for profit.
What’s not happening?
Neither PIPEDA nor the CPPA adequately protects personal and sensitive information. Sensitive information can encompass anything from health and financial data, to ethnic and racial origins, personal information of minors, genetic and biometric data, and more. This personal and private information requires a higher degree of protection and must be guarded against unauthorized collection, use, and disclosure.
Under PIPEDA’s principles, some information like medical records or income records is considered to be sensitive, whereas any other information can be sensitive depending on the context. When asked to interpret Canada’s privacy laws, our judicial system is forced to strike a balance between two competing interests: an obligation to protect the privacy rights of individuals, and an obligation to facilitate the collection, use, and disclosure of personal information by the private sector. This creates conditions of uncertainty around what information is sensitive and deserving of special protections under Canada’s privacy laws, and what information can be exploited by companies like data brokers. Currently, Canadian courts have recognized two categories of information as sensitive: medical information and financial information.
The Office of the Privacy Commissioner of Canada (OPC) recently released an Interpretation Bulletin to illustrate categories of sensitive information. The OPC has acknowledged that those categories may include health information, individuals’ sex life or sexual orientation information, ethnic or origins information, and personal information affecting an individual’s reputation. But none of this is legally binding, and the courts – in interpreting Canada’s privacy laws – have significant discretion to define what information is sensitive and deserving of special protections, and what information is not.
Unfortunately, Bill C-27 takes the same approach to sensitive information as PIPEDA and leaves the interpretation up to the courts – whereas other jurisdictions name and define different categories of sensitive information in their laws. (More on what that looks like, and how that strategy is useful, below.)
But it's not all bad; both PIPEDA and CPPA do impose higher obligations regarding sensitive information – it’s just not entirely clear what constitutes that information. CPPA even steps up and recognizes explicitly that the personal information of minors is considered to be sensitive information, and requires a higher degree of protection. (For more about children’s privacy and Bill C-27, see this and this.)
What’s happening in other jurisdictions?
In contrast to Canada, other jurisdictions around the world have passed new privacy laws that explicitly list what is to be regarded as sensitive information and establish additional requirements for its processing. This removes the conditions of uncertainty that exist in Canada’s current and proposed privacy laws.
In the EU, the General Data Protection Regulation (GDPR) establishes a general prohibition on the processing of sensitive personal data, which encompasses a wide range of sensitive information, including:
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Trade union membership;
- The processing of genetic data;
- Health data; and
Taking a similar approach, Australia’s Privacy Act includes even more categories, such as biometric templates, criminal records, and membership in a political or professional association. These categories help to establish clarity so that private companies understand their obligations under the law, and resolve ambiguities that lead to ongoing privacy violations.
In the United States, a recent federal privacy bill, the American Data Privacy and Protection Act (ADPPA), imposes higher restrictions or prohibitions on practices involving sensitive information. ADPPA broadens and expands the categories of sensitive information, and explains each category in detail. This information includes:
- A government-issued identifier like SIN number, passport number, or driver’s license number;
- Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual;
- Financial information;
- Biometric information;
- Genetic information;
- Precise geolocation information;
- An individual’s private communications;
- Information identifying the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information;
- Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or in a separate location on an individual’s device, regardless of whether such information is backed up in a separate location;
- Non-consensual intimate images;
- Information that reveals the video content or services requested or selected by an individual from a provider of broadcast television service, cable service, satellite service, or streaming media service;
- Minor’s information.
What should Canada do?
To tackle concerns regarding sensitive information, Bill C-27 would be improved if different categories of sensitive information were explicitly named and defined. As currently drafted, Bill C-27 only creates one category of sensitive information: that of a minor (but don’t be fooled, Bill C-27 will do more harm than good for children in Canada). Canada should follow the example of international peers in the European Union, Australia, and the United States by proposing a list of categories of sensitive information to create greater clarity and to remove the conditions of uncertainty. A list of sensitive information would draw a clear road map for companies’ practices and prevent any misinterpretation, and provide the greatest privacy protections for people in Canada.
If you want to see things like special categories for sensitive information added into Bill C-27, send a message to your MP now!