Canada’s privacy gamble
Europe is serious about data protection, and imposing its standards on trading partners. But will Canada's Bill C-11 meet the adequacy threshold?
Canada’s new privacy bill, introduced on November 17, 2020, remedies some of the blatant flaws of the current regime, not least of which is the ombudsman model of privacy protection, and what evolved over the years into an often baroque structure. But the question we must ask ourselves is whether it addresses the elephant in the room: Canada’s ability to maintain adequacy status in the eyes of the European Union.
Arguably one of Bill C-11’s raisons d’être, maintaining adequacy enables organizations regulated by PIPEDA to trade personal information with entities in the European Union without having to implement a series of corporate compliance measures like binding corporate rules or standard contractual clauses – measures that are costly and time-consuming. The EU grants adequacy status based on the understanding that the jurisdiction benefiting from the status has a data protection regime similar, or at least “adequate” when compared to the General Data Protection Regulation (GDPR). In theory, this status is subject to review and revocation if a country falls short of what the EU deems adequate.
At present, organizations regulated under our federal law, the Personal Information Protection and Electronic Document Act (PIPEDA), benefit from adequacy status. However, those regulated by either British Columbia’s or Alberta’s Personal Information Protection Act or by Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (under amendment by Bill 64) do not. In fact, in 2014 Quebec’s legislation was deemed not to be adequate by the EU’s Working Party 29, thus prompting the present overhaul of Quebec’s data protection legislation in both the private and public sectors.
In brief, adequacy is something worth hanging onto as it reduces compliance costs and uncertainties. But is Bill C-11 strong enough to enable Canada to maintain its status? Below are a few of the bill’s features that provide cause for concern.
Individual rights and sensitive information
The GDPR both created and strengthened a series of rights that an individual could exercise against an entity that processed their personal information. In Europe, an individual may access and correct their personal information. They may ask that an entity transfer their information to another entity in machine-readable format (right to portability). They may ask an entity to erase their personal data, and erase any personal information it has made public and inform any entity to which the information was transferred to do the same (right to forget). An individual also has the right to restrict any processing in certain instances and the right to object to automated decision-making using their personal information.
The individual rights Bill C-11 confers pale in comparison to the GDPR. The bill recognizes the already existing rights to obtain access to and amend personal information. Although it contains a provision labelled “Mobility of Personal Information,” the right it describes is to have an organization disclose to another organization designated by the individual the personal information it collected from the individual, so long as both organizations are subject to a data mobility framework designated in a regulation. It is unclear how a right to access information qualifies as a mobility right or a portability right as understood by the GDPR. Likewise, the bill’s answer to the right to forget is the individual’s right to request that an organization dispose of their personal information. There is no obligation for the organization to erase any information it has made public or ask third parties to whom it has transferred the information to do so. There is no indication that an individual may restrict the processing of personal information by an organization, and an individual does not have the right to oppose automated decision-making, only the right to be informed that it is being carried on.
Another discrepancy between the GDPR and Bill C-11—all the more glaring because it was one of the omissions that justified the finding that Quebec was not adequate —is the failure to define sensitive or “special categories” of personal information that require heightened protection when processing.
Disclosure to government institutions
A particularly surprising feature of Bill C-11, especially in light of the Schrems II decision by the European Court of Justice this summer, is s. 44. The provision allows an organization to disclose personal information without the individual’s knowledge or consent "to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law."
Although this provision currently exists under PIPEDA (s. 7(3)(c.1)(ii)), and has been applied by the courts to justify transfers of personal information to the United States without the knowledge or consent of the individual, s. 44 is precisely the behaviour that the ECJ targets in Schrems II. In this case, the ECJ held that the standard contractual clauses —or SCCs—used by Facebook, while compliant with the GDPR, did not sufficiently protect personal information transiting from Europe to the U.S. American companies were still subject to disclosure requests from the U.S. government and these requests pre-empted any contractual protection afforded by the SCCs. If Bill C-11 s. 44 is not amended to exclude requests from a foreign jurisdiction, PIPEDA regulated organizations may have to comply with U.S. government requests which in turn means that they cannot offer the personal information protection the EU requires.
Organizations and service providers
A third feature that may compromise Canada’s adequacy status is the relationship Bill C-11 establishes between organizations and service providers. The bill moves toward a more European recognition of an organization as the controller of the information it processes provided the organization in question determines the purposes of collecting, using or disclosing the information. The organization must protect the individual’s personal information and ensure that any service provider it engages offers the same protection.
The bill, however, allows the organization to transfer personal information to its service provider without the individual’s knowledge and consent. This directly contradicts the GDPR, which requires the controller (European equivalent to the organization) to disclose the name of any entity to which it transfers personal information. But recent ECJ decisions, such as Fashion Id and Wirtschaftakademie, have demonstrated how important this disclosure is even if it means describing all the uses Facebook may make of an individual’s personal information simply because a controller installed a Facebook “Like” button on its website.
While Bill C-11 may appear more accessible than PIPEDA with larger fines and a more coercive structure, it remains a gamble on how far the EU is prepared to bend to find our law adequate. It’s an unwise gamble, too, given the message sent by recent ECJ decisions that not only is Europe serious about data protection, it is serious about imposing its standards on its trading partners. If Canada loses its bet, it will prove exceedingly costly for Canadian businesses.