Canada’s new privacy bill, introduced on November 17, 2020, remedies some of the blatant flaws of the current regime, not least the ombudsman model of privacy protection and what evolved over the years into an often baroque structure. But the question we must ask ourselves is whether it addresses the elephant in the room: Canada’s ability to maintain adequacy status in the eyes of the European Union.
Adequacy status
Arguably one of Bill C-11’s raisons d’être, maintaining adequacy enables organizations regulated by PIPEDA to trade personal information with entities in the European Union without having to implement a series of corporate compliance measures like binding corporate rules or standard contractual clauses – measures that are costly and time-consuming. The EU grants adequacy status based on the understanding that the jurisdiction benefiting from the status has a data protection regime similar to, or at least “adequate” when compared to, the General Data Protection Regulation (GDPR). In theory, this status is subject to review and revocation if a country falls short of what the EU deems adequate.
At present, organizations regulated under our federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), benefit from adequacy status. However, those regulated by either British Columbia’s or Alberta’s Personal Information Protection Act or by Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (under amendment by Bill 64) do not. In fact, in 2014 Quebec’s legislation was deemed not to be adequate by the EU’s Working Party 29, thus prompting the present overhaul of Quebec’s data protection legislation in both the private and public sectors.
In brief, adequacy is something worth hanging onto as it reduces compliance costs and uncertainties. But is Bill C-11 strong enough to enable Canada to maintain its status? Below are a few of the bill’s features that provide cause for concern.
Individual rights and sensitive information
The GDPR both created and strengthened a series of rights that an individual could exercise against an entity that processed their personal information. In Europe, an individual may access and correct their personal information. They may ask that an entity transfer their information to another entity in machine-readable format (right to portability). They may ask an entity to erase their personal data, and erase any personal information it has made public and inform any entity to which the information was transferred to do the same (right to forget). An individual also has the right to restrict any processing in certain instances and the right to object to automated decision-making using their personal information.
The individual rights Bill C-11 confers pale in comparison to the GDPR. The bill recognizes the already existing rights to obtain access to and amend personal information. Although it contains a provision labelled “Mobility of Personal Information,” the right it describes is to have an organization disclose to another organization designated by the individual the personal information it collected from the individual, so long as both organizations are subject to a data mobility framework designated in a regulation. It is unclear how a right to access information qualifies as a mobility right or a portability right as understood by the GDPR. Likewise, the bill’s answer to the right to forget is the individual’s right to request that an organization dispose of their personal information. There is no obligation for the organization to erase any information it has made public or ask third parties to whom it has transferred the information to do so. There is no indication that an individual may restrict the processing of personal information by an organization, and an individual does not have the right to oppose automated decision-making, only the right to be informed that it is being carried on.
Another discrepancy between the GDPR and Bill C-11—all the more glaring because it was one of the omissions that justified the finding that Quebec was not adequate—is the failure to define sensitive or “special categories” of personal information that require heightened protection when processing.
Disclosure to government institutions
A particularly surprising feature of Bill C-11…