In response to criticisms about Bill C-27, the Digital Charter Implementation Act, 2022, and especially criticisms related to AIDA, the Government disclosed amendments it proposes to make while the Bill is before the INDU Committee. This blog focuses on the proposed amendments and, in particular, the areas where the Minister’s proposed amendments have helped to move the Bill in the right direction or have failed to address or failed adequately to address criticisms of the Bill.
I first provide some background explaining the genesis of the amendments and then provide an analysis of the amendments. This Part 1 of the blog focuses on the proposed amendments to the CPPA.
Minister Letter with Proposed Amendments
At the INDU Committee studying Bill C-27, Minister François-Philippe Champagne told the Committee on September 26, 2023 that he had “good news” for them because he came prepared “to propose a number of amendment[s]” which would enable the Committee “to move forward very quickly” on the Bill. This proposal was undoubtedly the result of the substantial and sustained criticisms of Bill C-27.
After pressing unsuccessfully for the Minister to table the amendments before the Clause by Clause, on September 28, 2023 the INDU Committee ordered the Minister and his department “to produce the amendments, briefing notes and memos referencing the amendments discussed by the minister in his opening remarks to the committee on September 26, 2023” within five business days. In response, the Minister provided the Committee with a letter stating that the proposed amendments were not yet drafted. Instead, the Minister provided a high-level summary of amendments in a letter and an attached annex “for consideration by the Committee as you advance your study of the Bill”. The Minister did not provide the briefing notes or memos referencing the amendments, as ordered by the Committee, nor did he explain the failure to do so.
Amendments to the CPPA
According to the Annex of proposed changes to the CPPA, the Minister is proposing to make only three changes:
- Explicitly recognize a fundamental right to privacy for Canadians.
- Recognize and reinforce the protection afforded to children.
- Provide the Commissioner more flexibility to reach “compliance agreements”.
It is surprising that the Minister is only proposing three changes to the CPPA. When the Minister appeared before the INDU Committee he referred to extensive consultations on the Bill and told the Committee that amendments were proposed based on what was heard.
My office and department have had more than 300 meetings with academics, businesses and members of civil society regarding his bill. We have also heard important contributions from the committee and our fellow parliamentarians. I also spoke directly with the Privacy Commissioner and listened to his recommendations. Not only did we consult and listen to him, we also followed through with amendments based on his requests. I think my colleagues will be pleased to see the amendments we are proposing…
I think the bill shows that we have listened to Canadians and parliamentarians, as we have done for other legislation. I gather there were more than 300 meetings or consultations with individuals who provided input into the process. Based on what we heard, we have proposed many amendments. (emphasis added)
The Minister’s statement that “we have proposed many amendments” cannot be squared with the very few changes being proposed to the CPPA based on the significant problems with this new privacy law.
The CPPA is a sweeping new privacy law. While it is well intentioned, there are still numerous problems in the draft privacy law that many have noted need amending. I provided an overview of some of the serious problems in the blog post The Digital Charter Implementation Act: problems and criticisms – the preamble. Here is an extract of that post.
- The CPPA is very prescriptive and rule-based and is much less flexible than PIPEDA. Examples are the stringent test and limitations on the use of implied consents.
- The CPPA creates ambiguous new standards that are often difficult or impossible in practice to apply, along with detailed record keeping and assessment standards. Examples are the appropriate purposes limitation, the numerous standards that are based on what is reasonable or appropriate to expect, standards for obtaining valid consents, the legitimate interests exception, and requirement for explainability of decisions made using automated systems.
- The CPPA is far more onerous than international standards. It is not interoperable in many respects with the GDPR or the laws of our major trading partners in the United States, provincial or other international standards. Examples are standards for obtaining consents, exceptions to consent such as for R&D, provisions related to anonymization of personal information, the disposal/erasure of data, and service provider obligations.
- The CPPA has extremely harsh penalties. These are exacerbated by the nearly anorexic procedural protections including processes before the Commissioner and the non-existent appeal rights on findings of fact and mixed questions of fact and law made by the Commissioner. When one considers the ambiguous standards contained throughout the CPPA with the combination of weak procedural safeguards and the unappealability of key decisions including findings of liability (that can also trigger class actions with no due diligence defense), the very high AMPs that can be imposed (fines by any other word) and new order making powers of the Commissioner (without even any automatic right to appeal interim orders of the Commissioner), the lack of fairness and natural justice and risks to Canadian innovators and innovation are evident.
There are many technical and policy problems with the drafting of the CPPA including in the provisions dealing with automated decision making, anonymization and pseudonymization, service provider obligations, the appropriate purposes override, the liability regime, the impacts on small business, and the exception for legitimate interests. I outlined many of them – and the policy consequence of leaving them unaddressed – in these blog posts:
- CPPA: problems and criticisms – automated decision making – Barry Sookman and Using privacy laws to regulate automated decision making – Barry Sookman
- CPPA: problems and criticisms – anonymization and pseudonymization of personal information – Barry Sookman and Personal data deidentification under CPPA (barrysookman.com)
- CPPA: problems and criticisms – service provider obligations – Barry Sookman and CPPA: transfers of personal information to service providers – Barry Sookman
- CPPA: problems and criticisms – appropriate purposes – Barry Sookman
- Liability under the CPPA – Barry Sookman and The CPPA’s Privacy Law Enforcement Regime | McCarthy Tétrault
- CPPA and small business (barrysookman.com)
- Legality of search engines and AI systems under PIPEDA and CPPA: Google v Privacy Commissioner – Barry Sookman
These are not minor issues. By way of example only, the OPC has taken the position that search engines are subject to PIPEDA and the recent decision of the Court of Appeal in the Google decision suggests the journalism exception does not apply. If that is so, then either it is likely there is no legal basis for search engines to operate in Canada under the CPPA or the CPPA will be held to be unconstitutional and they can legally operate but without being bound by privacy obligations. The same problem exists for generative AI systems that harvest personal information from publicly available sources. As I explained in a prior blog post, the CPPA exception for legitimate interests does not fix the problem and in fact tethers the exception to already adopted technologies and hinders innovation in new ones. As I also explained, in the EU search engines and generative AI systems can operate legally, but must comply with fundamental privacy principles in order to protect the public. Does the Government seriously believe it is a good policy for Canada that search engines, AI systems, and new technologies that need to rely on the legitimate interests exception to operate be illegal in Canada, even if they comply with other fundamental privacy requirements?
By way of further example, the new standards for anonymization being proposed in the CPPA are not interoperable with standards provincially or internationally and are not commercially reasonable. The standard being proposed is harsher than the standard for anonymization under the GDPR. Does the Government believe that it is good policy for Canadian standards for anonymization to be so out of step with international standards that Canadians should be put at a disadvantage to their international competitors?
As I explained in another blog post, there are problems with the automated decision provisions that are also out of step with international standards. I explained that the problem with these provisions exhibits the Government’s failure to recognize how its policies towards AI will unnecessarily inhibit and not enable innovation.
It is unclear why the Government’s policy towards privacy law amendments in Bill C-27 (including the provisions dealing with automated decision making) favours enacting laws more stringent than those of any of our trading partners. It may rest on the assumption that if strong privacy laws are good then even stronger privacy laws are better and that the strongest privacy laws promote innovation and have no zero sum gain effects. But, even if privacy is viewed as a fundamental right, this assumption is incorrect. As in other areas, as the Privacy Commissioner recently pointed out in a speech, “we can and must also have privacy while fostering the public interest and innovation” “as in so many things, we must reject extremes in either direction”.
The automated decision making provisions in Bill C-27 are yet further examples of choices being made to enact a privacy law for Canada that is at odds with not only international standards, but even the most onerous standards set by the GDPR. If the Government is firmly intending on regulating disclosure and explainability for automated decisions, a more prudent approach would be to align Canadian standards to the disclosure and access standards required in the EU. If, and to the extent, these standards evolve, Canada could re-amend the law to keep it consistent with these standards.
It is inconceivable that if the Minister and his officials have had such extensive consultations on the Bill and have proposed “many” amendments in response, that there would only be three changes to the CPPA. It is possible that the list of proposed amendments is incomplete and that these are being held back for some strategic reason. But, we have no way of knowing if this is true.
Coming soon: comments on the proposed amendments to AIDA.
After being ordered by the INDU Committee to produce the actual wording of the CPPA amendments, the Minister wrote to the Chair of the INDU Committee tabling a letter containing the draft wording of the 3 CPPA amendments. They can be accessed here.