Date: July 10, 2022
Written by Allison Hawkins: CRM
As we move further into the digital age and more items become IoT, pressure has steadily increased on governments to regulate and limit the collection and use of personal data. The update to PIPEDA that the government maintains will be passed in the current parliamentary session is Canada’s response to the digital age. The question is: does it actually change much from the original, and does it put Canada at the forefront of privacy protection?
The UN, in its “Principles on Personal Data Protection and Privacy”, recognized privacy as a human right that must be protected. The first attempt at the bill – C 11 – died on the order paper and was strongly criticized by many privacy protection experts in Canada, such as those from the Munk School of Global Affairs and Public Policy, the Schwartz Reisman Institute for Technology and Society, Canada’s Privacy Commissioner and various legal experts. Bill C 27 attempts to address some of that criticism and has been received much more positively. Other jurisdictions, such as Europe, have taken an approach more in line with the UN, opting to view privacy protection as an individual’s “right to remain anonymous”. Canada has chosen to look at privacy from a consumer perspective rather than a human rights perspective, and this has not changed in the updated bill. It does, however, include enough changes to the legislation to put it more in line with Europe’s GDPR, generally seen as being at the forefront of individual privacy protection.
Bill C 27, like its predecessor PIPEDA, puts most of the burden around policing the collection, storage and use of personal data on the individual. It does, however, strengthen the role of the privacy commissioner and require an organization to have a Privacy Management Program in place that the commissioner can audit upon request. The updated bill now differentiates and defines “anonymized” information versus “de-identified” information. It stipulates that “de-identified” information is personal information and that an organization must consider how easily it could be used to identify an individual. Anonymous information is defined as information that cannot be used to identify an individual and is not subject to the bill. The previous bill did not make this clarification, and it was suggested that it would hamper research activities and stifle innovation. The new definitions bring the legislation more in line with the GDPR. Another important addition from a privacy perspective is that information collected on minors is now included and is automatically considered sensitive. The previous bill did not include any mention of children’s privacy and was widely criticized for the omission.
An important new addition to the bill is the Artificial Intelligence and Data Act (AIDA). This is the first piece of federal legislation in Canada to address artificial intelligence and its use. The new bill imposes penalties for non-compliance and proposes to create a Commissioner who would be responsible for enforcement of AIDA and would have the ability to impose fines and penalties. The bill would prohibit the use of certain types of artificial intelligence if it could result in serious harm to an individual or their interests; however, it does not define what serious harm means in this context.
Privacy experts have still raised some concerns over the updated bill, although there is certainly much more support for the updated version. One of the concerns raised is that the bill does not provide enough protection against identity theft and that the bill focuses too closely on individual harms related to AI and not enough on the potential for broader harms to a group. The main concern with regard to data protection and the potential for identity theft is that the legislation lacks the appropriate deterrents. There has been a notable increase in identity thefts and theft of private information from those who collect and store private information. There is some concern that without the proper enforcement, including resources, the new legislation will not have the desired effect. In other words, if there is a law prohibiting something but it’s never enforced, it isn’t much of a deterrent. The criticism of AI is that it has been shown to include a bias, particularly against marginalized communities, and that the legislation excludes any agency under the direction of the federal government or provincial governments. It has been suggested, for example, that given this exclusion, the use of facial recognition AI by law enforcement, which was widely criticised, would still be acceptable under bill C 27.
Bill C 27 seems to have much broader support than its predecessor, bill C 11. It shows that the government reviewed and acknowledged some of the criticisms of the previous bill, and it puts Canada more in line with GDPR. The bill is still being debated and could see some updates prior to the final version being passed. Organizations that want to get ahead of the curve should start developing a comprehensive Privacy Management Program in anticipation of the bill being passed. Forward-thinking organizations will also take into consideration the criticisms of the bill and keep those in mind when developing policies with regard to collection and retention of personal information. The new bill is certainly more in line with the global movement toward privacy protection, but will be subject to updates once it has been in force for a period. Keeping ahead of the curve on privacy protection will help organizations to avoid pitfalls and criticism as we move further into the digital age.