The Absolute Bare Minimum: Privacy and the New Bill C-27
Canada is under pressure to pass new federal privacy laws for the commercial sector. Find out what these new laws mean for you!
The Canadian government has taken the first step towards creating new privacy rights for people in Canada. After a failed attempt in 2020 and three years of inaction since the proposal of the digital charter, the government has tabled another piece of legislation aimed at giving people in Canada the privacy rights they deserve.
In this post, we’ll explore how Bill C-27 compares to Canada’s current privacy legislation, how it stacks up against our international peers, and what it means for you. This post considers two of the three acts being proposed in Bill C-27, the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Tribunal Act (PIDTA), and doesn’t discuss the Artificial Intelligence and Data Act. The latter Act’s engagement with very new and complex issues means we think it deserves its own consideration separate from existing privacy proposals, and will handle it as such.
If we were to give Bill C-27’s CPPA and PIDTA a grade, it’d be a D. This is legislation that does the absolute bare minimum for privacy protections in Canada, and in some cases it will make things actually worse. If they were proposed and passed a decade ago, we might have rated it higher. However, looking ahead at predictable movement in data practices over the next ten – or even twenty – years, these laws will be out of date the moment they are passed, and leave people in Canada vulnerable to a wide range of predatory data practices. For detailed analysis, read on - but if you’re ready to raise your voice, go check out our action calling for positive change before C-27 passes!
Enforcement Powers
Like its predecessor, 2020’s privacy Bill C-11, the new legislation could encourage proactive compliance with Canada’s privacy laws by giving new powers to the Office of the Privacy Commissioner of Canada (OPC), Canada’s watchdog that holds companies accountable for privacy violations. This includes order-making powers, which gives the Commissioner the ability to compel companies to stop using or to delete personal information, and significant fining powers, which Canada has long lacked.
The fines exist to encourage companies to comply with Canada’s privacy laws. Currently, companies that operate in Canada don’t face significant repercussions for breaking our privacy laws. When fines for privacy violations were introduced in the European Union under their General Data Protection Regulations (GDPR), companies began adjusting their business practices in order to comply with the new laws, and to avoid the potential fines.
But can we expect the same thing to happen in Canada? Maybe not. Canada’s Bill C-27 will introduce weaker privacy protections than the EU’s GDPR (lots more on that below) and the fines will be watered down through the creation of a new tribunal slowing down the whole process.
The New Tribunal
The effectiveness of the fines might be lessened by the creation of a new tribunal structure, which grants companies another avenue of appeal and will slow the whole process down. Under C-27, Canada’s Privacy Commissioner can recommend that the tribunal impose a fine after finding that a company has violated our privacy laws – but the final decision to pursue monetary penalties will ultimately rest with a new tribunal.
It’s unclear why Bill C-27 proposes to set up the new fining mechanism like this. Without the tribunal, companies would still have an avenue of appeal through Canada’s federal court. The EU, UK, New Zealand, and Australia don’t have tribunals that mediate their fines for privacy violations.
Right to Request Deletion
Canada’s current privacy laws, the Personal Information Protection and Electronic Documents Act (PIPEDA) require that personal information be deleted once it no longer serves the purpose for which it was originally collected, and that inaccurate information should be corrected upon notification. What’s lacking is a mechanism for when people change their mind about consenting to the collection and use of their personal information, or if they’re opposed to the use of their data and consent wasn’t required at all (see Exceptions to Consent below). But nonetheless, if Bill C-27 passes, people in Canada will finally have the right to request that their personal information be deleted.
What might that look like? Maybe someone was confused or misguided about the purpose of the original collection, or maybe their information was collected without their consent, or maybe the information was collected for one purpose and is now being used for another. In those cases, people in Canada will now be able to submit a request to have their personal information deleted by the company.
Should the company fail to comply with that request, the person would have the right to complain to the OPC who – with the new enforcement powers – could compel the company to delete the data by issuing an order, and could even recommend a fine to the tribunal.
One significant limitation on this right are existing data retention schedules. Meaning, if a company has legally obtained your data and has a plan for how long they’ll keep it before deleting it, you won’t be able to accelerate that pre-existing timeline by submitting a request for deletion. This exception doesn’t apply to minors, who will be able to request the deletion of their data regardless of data retention schedules.
Right to Data Portability
One of the problems in the modern technology ecosystem is the concentration of power within just a handful of companies. Apple, Amazon, Alphabet (Google), Meta (Facebook), and Microsoft dominate the market and face little competition, which means we’re left with little choice about what services we can use. Even when we do want to leave a platform, it can be difficult to extract all the photos, documents and contacts embedded in it.
In order to create a more competitive marketplace and give consumers more choice, Bill C-27 introduces a right to data portability. This means that people in Canada would have the opportunity to request that these major technology companies give them ready access to their data so that they can take it to an alternative service provider – should one exist.
The right to data portability exists in the EU and California. But while data portability works great in theory, it can only be put into practice if there is meaningful choice and competition in the market. When there’s nowhere with comparable services to go with your data, what’s the use of being able to take it? This is an area privacy legislation can only help us so far – and antitrust measures and interoperability requirements must do the rest.
Private Right of Action
Currently, the primary recourse for people in Canada who’ve had their privacy violated is to band together to collectively sue companies through class action lawsuits. The introduction of a private right of action gives individuals the ability to pursue financial settlements with companies that have been found to have committed privacy violations – but like much else in Bill C-27, there’s a catch.
Our new ability to pursue a private right of action requires that the OPC and the new tribunal confirm that a privacy violation has occurred. Typically, the OPC takes about a year to complete an investigation and issue a report of their findings. So that means, before any person in Canada is able to pursue the private right of action against a privacy violating company, a period of at least one year is likely to have elapsed – not to mention the time needed for the tribunal to reach their own, separate decision.
Is this really going to work for an ordinary Canadian? Taking into consideration the avenues of appeal that the company might then take after these decisions have been made, and the difficulty in determining actual harm from privacy violations, a person will likely face an extremely lengthy, difficult, and uphill road towards justice through this mechanism.
Privacy as a Human Right
Unlike the EU’s GDPR, Bill C-27’s CPPA only plays brief lip service to privacy being a fundamental human right in its preamble; Bill C-27 fails to do the more important task of inscribing the privacy rights of people as being more important than the business interests of companies. This will create challenges for the OPC and the tribunal as they attempt to safeguard the privacy rights of people in Canada.
When investigating potential privacy violations, the absence of rights-based language in the bill might tip the scale away from people in Canada, as the OPC and tribunal weigh the privacy interests of people against the commercial interests of companies. For example, if someone feels as if their sensitive data should be deleted because they’re no longer using a service, Bill C-27 might lead the OPC and the tribunal to consider the value of that information to the company over a person's fundamental privacy rights, like their ability to control their own information. This is particularly true given the relative resources and focus available for companies to make their case before the tribunal, compared to the more limited resources citizens and civil society can bring to bear.
An inappropriate balance between business interests and privacy could take many forms. It could lead to the new fines for privacy violations in C-27 rarely or never being actually applied. It could provide unintended opportunities for companies to take advantage of the new exceptions to consent. And it could ensure that the status quo of unenforceable privacy rights continues for people in Canada.
Consent: Plain Language vs. Comprehension
Compared to Canada’s current privacy laws, Bill C-27’s CPPA takes a step backwards when it comes to consent agreements (more on this below when it comes to exceptions to consent.)
PIPEDA, the existing privacy law, puts the onus on companies to generate meaningful consent with people in Canada before collecting and using personal information. That means companies need to clearly and carefully describe things like what information they are collecting, how this information is going to be used, and how long it will be kept.
Compared to PIPEDA, the CPPA proposes the reverse; it would now be the responsibility of people in Canada to understand how companies are collecting and using their personal information, not the responsibility of companies to explain how they’re collecting and using the personal information of people in Canada. In exchange for this new dereliction of duty, Bill C-27 simply asks that companies provide a version of their privacy policy in plain language; it’ll be up to people in Canada to fully understand the implications of that agreement.
Taken in consideration with the lack of rights-based language in the bill, this change opens the door for companies to begin describing their data collection and surveillance practices in a highly simplified manner, leaving out important details about how this information could be used to harm and discriminate against a person or group of people, and ensuring that the data broker economy continues to thrive while people in Canada’s privacy rights are pushed to the side.
While consent in relation to privacy policies isn’t perfect, it’s still the gold standard. It’s what’s used in the EU, UK, Australia, New Zealand, California, Alberta, British Columbia, and Quebec. With the addition of more rights-based language in Bill C-27 CPPA, the switch from comprehension to plain language wouldn’t be nearly as treacherous. But with deceptive design practices already being regularly used to encourage people to click “agree” without really understanding what they’re signing up for, Bill C-27’s weakening of consent could be a big step backwards in terms of privacy.
Sensitive Information: Biometric and Location Data
Special treatment of our most sensitive information is widely recognized in privacy legislation around the world. The EU, UK, parts of the United States like California and Illinois, and Quebec, have privacy legislation that recognizes certain aspects of personal information as deserving of special protections. These are things like race, religion, sexuality, ability, and often also include biometric data.
For some reason, Bill C-27’s CPPA is conspicuously silent on this. It fails to create broad categories of sensitive data that are deserving of special protections, despite making a brief acknowledgement of the importance of privacy as a fundamental human right in its preamble. In this way, some of the most important privacy protections are left absent from the proposed legislation.
More befuddling, Bill C-27’s CPPA does recognize all information related to young people as sensitive data, but unlike our international peers, prescribes no other categories. This creates legal uncertainty about whether things like our faces, fingerprints, vocal patterns, etc., are protected through Canada’s privacy laws, and leaves the door open for bad actors, like Clearview AI, to abuse the sensitive data of people in Canada.
De-Identified Data
One of the shortfalls of Canada’s current privacy laws is that they fail to take the use of theoretically de-identified data into account. In fact, this failing is so significant that it gives companies the ability to easily avoid compliance with privacy laws by merely making the claim that the data they’re collecting, using – and potentially selling – has been de-identified, despite the significant risk this poses towards the privacy and security of people in Canada.
This issue rose to prominence last year when the Public Health Authority of Canada had secretly obtained location data from millions of people in Canada, in order to analyze the efficacy of public health measures in response to the pandemic. The secrecy with which this was done was one of many accountability and transparency failures that were uncovered during the ensuing parliamentary investigation.
The companies responsible for giving and selling this data to the federal government were able to dodge responsibility for what would normally be considered a massive privacy violation by stating that the location data they provided had been de-identified, despite study after study after study showing that location and mobility data can’t ever be fully anonymized, and no clarity on how they’d gone about de-identifying it. This claim is currently under investigation by the Privacy Commissioner of Canada.
It’s important to understand that even moderately well de-identified data contains a very real residual risk of re-identification, and so it still presents a privacy risk to people, and should be included and protected under Canada’s privacy laws. Bill C-27 includes de-identified data within its scope, but takes a narrow approach. The EU’s GDPR much more sophisticated treatment describes a scale of data types that range from fully identifiable to completely anonymous, and assigns different protections depending on the risk associated with a specific category, while also emphasizing the importance of privacy as a fundamental human right (see Privacy as a Human Right above).
Because Bill C-27’s CPPA lacks the balancing measures taken by leading privacy legislation like the EU’s GDPR, there’s a concern that companies will be able to continue to abuse sensitive data they collect, purchase, and sell about people in Canada.
Controlling Data Brokers
Around the world, countries are using privacy laws to address the largely unregulated and secretive collection and trade of personal information. State level legislation in California and Vermont, as well federally proposed privacy legislation in the US, requires that data brokers register themselves with the government. This gives regulators the ability to understand how this secretive economy operates and gives people the ability to exercise their privacy rights by opting out.
Digital advertising is incredibly profitable and funds much of the Internet we enjoy today, but the surveillance and influence that fuel this economy are not aligned with the rights and values of privacy. To learn more about data brokers, check out our blog series, and sign the petition to stop the harvest of your data.
Exceptions to Consent
The predecessor to Bill C-27 was universally criticized by privacy advocates because of the wide, seemingly endless, array of exceptions to consent that it proposed. Some of these have gone away, but many still exist inBill C-27’s CPPA.
In terms of privacy, consent means that a person has agreed to certain conditions in order to use a service. Most often these conditions are contained within the Terms of Service we’re presented with before signing up for a new service. For example, in order to create an account with a new app you’ve downloaded on your device, you might have to give the company that developed the software permission to collect your name, email address, device data, location-based information, and usage data.
Some of this data is necessary for the app to function properly, and some of it might be used for secondary purposes, like targeted advertising. But nonetheless, you’ll have to agree to all of these uses in order to use the service. And by clicking “agree” to the Terms of Service, you’re providing your consent for all of these uses.
The exceptions to consent come into play when traditional consent agreements are no longer required by the law. That means that companies can use your personal information without your permission. These exist under Canada’s current privacy laws, but Bill C-27’s CPPA will greatly expand them.
For example, under Bill C-27’s CPPA, consent is no longer needed for "an activity that is necessary to provide a product or service that the individual has requested from the organization.” So let’s say you downloaded an app on your phone and believed you were giving the company that produced the app (Tim Hortons, perhaps) permission to collect your location data while you’re using the app, but the app instead collected your location data dozens of times a day, even when you weren’t using the app. Under the CPPA, the company could argue that consent wasn’t required for this additional surveillance as it might arguably fit within one of the new exceptions to consent that are being proposed – that it was necessary to provide you with a product or service that you’ve requested.
The one potentially limiting factor on these new exceptions to consent is the introduction of a provision that might restrict their application in circumstances where personal information is "collected or used for the purpose of influencing the individual’s behaviour or decisions." But this purpose may prove very difficult, if not impossible, to prove. Coupling this concern with the lack of emphasis on privacy as a fundamental human right, Bill C-27’s CPPA will create a much more permissive playing field for commercial uses of personal information.
So what does the new exceptions for consent mean for people in Canada? It’ll likely mean that companies take advantage of these new loopholes and continue monetizing our personal information without first asking for our permission. Previously, companies were empowered to do this because of a lack of enforcement powers – now Bill C-27 will legalize their privacy violating practices. As Bill C-27’s CPPA is written to permit commercial uses of personal information, rather than protect our privacy as a fundamental right, it will also serve to limit the OPC’s ability to restrict these overly permissive, non-consensual uses of our sensitive data.
Privacy by Design
One of the biggest misses in Bill C-27 is its failure to include Privacy by Design principles, which were created by Ontario’s former Information and Privacy Commissioner, Ann Cavoukian, and have been embedded in world leading privacy legislation, like the EU’s GDPR.
Privacy by Design principles require organizations to consider privacy implications before launching a new initiative, not after the fact, as Bill C-27’s CPPA would require. For example, if Tim Hortons had employed Privacy by Design principles before launching their app, they would have been forced to consider privacy implications of constantly collecting their customers’ location information throughout the day (even when the app wasn’t open), and might have avoided an OPC investigation and a class action lawsuit.
But Bill C-27 doesn’t bring Privacy by Design’s proactive privacy protections to Canada. Instead, it creates the requirements for companies to have a privacy management program, which is quite different. Tim Hortons could have had a functional privacy management program, as described under Bill C-27’s CPPA, and it wouldn’t have done anything to prevent the massive privacy abuse that occurred because it’s not proactive enough. But the proactive thinking required to comply with the Privacy by Design principles could have prevented the privacy violation by forcing Tim Hortons to ask questions like: Have we considered privacy implications of digitally stalking our customers?
Political Parties and Your Privacy
For years, OpenMedia has been calling for political parties to abide by Canada’s privacy laws, and for years the government has ignored us. Bill C-27’s CPPA continues this trend by failing to include political parties (AND nonprofits like us!) within its scope, leaving their activities entirely unregulated from a federal privacy perspective.
The issue of how political operations can weaponize the use of personal information rose to prominence in the wake of the Cambridge Analytica and Facebook scandal, where personal information from Facebook was stolen and used in campaigns to influence elections around the world, most notably Brexit in the United Kingdom, and the 2016 Presidential election in the United States.
This scandal shone a light on the ways in which political parties use personal information, and criticism grew around the absence of privacy regulations for federal political parties in Canada. Recently, BC’s Information and Privacy Commissioner has said that federal privacy parties are subject to that province’s privacy laws, but the Conservatives, Liberals, and NDP are now fighting that decision in court, so it’s really no surprise that they’ve chosen to avoid regulation under Canada’s newly proposed privacy laws.
What does it all mean?
Taking this all into account, Bill C-27 isn’t yet the step forward for privacy in Canada that we need. While it’s an improvement upon the last privacy bill that the government put forward, it misses so many areas that are critical for improvement, like failing to put people in Canada above the commercial interests of companies.
As much as this prospective legislation gives, with things like new enforcement powers for the OPC, it takes away, with things like new exceptions to consent, taking responsibility away from businesses and putting it on people, a comparatively weak stance on de-identified data, a watered down right to deletion, the invention of a tribunal that might do more harm than good. And there are many basic features of privacy legislation enjoyed by our peers that it simply fails to include, like privacy by design principles, the inclusion of political parties, and an emphasis on the importance of privacy as a fundamental human right.
All in all, these aspects of Bill C-27 amount to a barely passing grade. People in Canada deserve modern privacy protections that will stand the test of time. If Bill C-27 passes in its current form, it will be badly out of date the moment it comes into force, leaving people in Canada vulnerable to a future that includes many more privacy abuses, and very little recourse.
But there is still time for us to strengthen Bill C-27. Please speak out and demand our MPs support crucial amendments to Bill C-27 BEFORE it is passed!