A leading technology and human rights group says Ottawa’s second attempt to overhaul a federal law governing how businesses collect and use Canadians’ personal data still favors the private sector.
The University of Toronto’s Citizen Lab released a critical analysis today of the proposed Consumer Privacy Protection Act (CPPA, also known as C-27), complaining that it “enforces the use of data of private individuals and communities alike for the benefit of the economy and society” rather than doing as its name says: protect consumers.
The report calls for significant amendments before the bill can be passed, including expanding the powers and responsibilities of the Federal Privacy Commissioner; giving the commissioner the power to impose fines for violating the Act instead of taking alleged offenders to a privacy tribunal; getting rid of the proposed distinction between de-identified and anonymised data; removing exemptions given to businesses for collecting data without the consent of individuals; and giving data sovereignty to Indigenous groups.
There are 19 recommended changes to the wording of C-27, which is enough that the group says the government should start all over again, starting with giving Canadians a right to privacy.
“We think it would be best to withdraw and re-introduce the legislation,” co-author Christopher Parsons said in an interview.
“The government probably won’t do it,” he acknowledged, so the recommendations aim to “remove as many sharp edges as possible.”
“It’s meant to let the government see what can still be done to enable commercially and socially beneficial uses of [personal] data that the government seems to be leaning towards, as well as the way the law is written now. It is also trying to mitigate some of the worst damage to come.”
“I don’t think the law was designed primarily with privacy in mind,” Parsons said. “Our analysis of the law is that it is very deliberately designed to be business friendly and to enable the free flow of personal information in service of the information economy.”
The Citizen Lab analysis follows the release of a report last month by the non-profit Center for Digital Rights, which says that C-27 “not only spreads [business] surveillance, it regards citizen privacy as a hindrance to corporate profits.”
With a view to updating the Personal Information Protection and Electronic Documents Act (PIPEDA), the CPPA was re-introduced in June. It was first proposed by the Liberal government in 2020, when it was designated as C-11. However, it died in the face of criticism from then-Privacy Commissioner Daniel Therrien and the calling of a September 2021 federal election. Despite the criticism, the re-elected government left the CPPA largely the same as the 2020 edition. It continues PIPEDA’s framework of mandating companies to follow privacy principles rather than giving Canadians a right to privacy.
The government counters that the importance of privacy protection is mentioned in the preamble of the law.
C-27 is now in a second reading in the House of Commons before being referred to a committee for detailed examination. It is unclear which committee the bill will go to: the Ethics and Privacy Committee, chaired by a Conservative, or the Industry Committee, chaired by a Liberal. It may go to a committee before the end of the year.
C-27 is made up of three proposed pieces of legislation, including a proposed bill regulating the use of artificial intelligence applications, but the Citizen Lab report deals only with the CPPA.
In a November 4 speech to parliament, the bill’s sponsor, Minister of Innovation François-Philippe Champagne, said the legislation would “strengthen privacy protections for Canadians by giving significantly greater powers to the Privacy Commissioner of Canada, particularly through better protection of minors’ data,” while creating a clear set of rules to encourage Canadian organizations to innovate while using data responsibly.
In response, Conservative Rick Perkins said, “Privacy is a fundamental human right. It should be recognized in this bill, but it isn’t.” He added that the bill needs rewriting and revision.
It is not yet clear whether the Liberal minority government has the votes to pass C-27 unchanged. The Liberals struck a deal with the NDP to support the government until 2025 on confidence and money bills. There are no news reports on whether NDP support for C-27 is included in the deal. It is not known whether, if the Conservatives sought major changes to C-27, they would get the support of the New Democrats – or vice versa. A partnership of those two parties could override moderate objections to the changes.
The Citizen Lab report largely deals with the problems faced by companies collecting, using and disclosing data from mobile devices. With people increasingly using smartphones, laptops and tablets as their primary telecommunications devices, this data is valuable to businesses – and governments.
The report focuses on the public controversy that broke out last December, when news broke that Telus and a data analytics firm called BlueDot provided de-identified data and aggregated data to the Public Health Agency of Canada at the start of the COVID-19 pandemic to track how and where the virus was spreading. The report notes that data that has been de-identified and collected through particular methods cannot be de-identified again.
Citizen Lab argues that the data collection was likely legal under PIPEDA, but that Ottawa failed to ensure that Telus and BlueDot received meaningful consent from individuals regarding the re-use of their personal data.
Citizen Lab argues that this will happen again if the CPPA is not amended. The worry, Parsons said, is that another government could obtain (or buy) private-sector mobility data and use it to figure out more intrusive things, such as how many women in the household are going to health centers.
“Mobility information can be extremely sensitive,” the report said. “It can reveal patterns in the lives of individuals and communities and associative tendencies before the participants themselves are aware of them.”
One of the complaints of the report is that the CPPA distinguishes between the protection of anonymized data (data stripped of personal identifiers so that individuals cannot be re-identified) and de-identified data (data processed in a less strict manner that may allow persons to be re-identified). Anonymised data will not be covered by the CPPA. Companies must adhere to the CPPA’s protections in handling de-identified data – but, in some cases, there will be exceptions, allowing businesses to treat it as anonymised data. Citizen Lab says those exemptions should be removed.
Another exemption that should be eliminated, the report says, is one that would allow an organization to disclose de-identified data to a government institution if it serves a “socially beneficial purpose” such as health, improving public facilities or basic infrastructure, protection of the environment, “or any other prescribed purpose.”
If the government wants to go ahead with it, the report says each person should be told and given the option to opt out – and the federal privacy commissioner should approve the disclosure.
The CPPA proposes that a business may collect or use an individual’s personal information without their knowledge or explicit consent if it is for an activity in which the firm has a legitimate interest “that outweighs any potential adverse effect on the individual,” unless the personal information is collected or used for the purpose of influencing the individual’s behavior or decisions. Citizen Lab says that in such a case people should be informed and given the right to opt out.
The CPPA states that the sharing of personal data collected by a business is acceptable under certain conditions. The proposed law states that three factors are to be taken into account, including the sensitivity of the personal information and whether the purposes represent legitimate business needs of the organization. Citizen Lab proposes that firms will have to take a new factor into account: the sensitivity of the privacy interest in the information the company has to analyze, and this may be called “sensitivity to quality-affecting contexts”. or linked to personal information.
And if a firm determines that personal information collected by it is to be disclosed for a new purpose, it must renew its obligation to obtain consent from individuals before the information can be used.
Finally, while the CPPA gives people the right to sue firms for violating the Act after the Privacy Commissioner finds wrongdoing, Citizen Lab says the condition should be removed because it may take some time for the commissioner to issue reports.