From: Konrad von Finckenstein and James Mitchell
To: Navdeep Bains, Minister of of Innovation, Science and Industry
Date: December 11, 2020
Re: There is a Better Way to Amend Framework Laws
The government recently introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act.
This Bill replaces the 20 year-old Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s legislation dealing with privacy in the commercial sphere. While this new legislation was mentioned in the minister’s mandate letter, the bill in its present form still came as a great surprise.
The Department of Innovation, Science and Industry is in charge of five major framework statutes: the Bankruptcy Act, the Competition Act, the Canada Business Corporations Act, the Weights and Measures Act and PIPEDA. Normally these are reformed on roughly a 20-year cycle and the process is fairly well established. An expert panel is created, it seeks submissions from interested parties and stakeholders, and issues a report full of recommendations. The government studies the report, listens to the comments on the report, identifies the portions it finds need to be addressed and presents legislation for reform.
While there have been reviews of the Act by parliamentary committee, and proposals for change from the Privacy Commissioner and the Industry department, there has been no specific initiative that followed the traditional model of panel/public input/report/draft legislation. Consequently, Bill C-11 came as a surprise to many interested parties.
PIPEDA reform is badly needed and the government is to be commended for tackling the issue. Canada is currently way out of step with world developments in terms of privacy and trailing in particular the European Union. Its General Data Protection Regulation (GDPR) has become the effective world standard since its 2016 enactment because it applies to any company doing business in the EU.
Bill C-11’s way of addressing the issue raises a host of questions:
- Who was consulted during the drafting of this bill? Why was the traditional model for the development of framework law reform not followed?
- Do the proposed exceptions strike the right balance between protecting privacy and facilitating maximum use of digital information for innovation and commercial exploitation?
- Does this Act sufficiently mirror the principles of the GDPR, so that it enjoys equivalency status under the GDPR?
- Why does the Act not create a right to privacy, but instead only gives individuals the possibility to request data portability, erasure or an explanation regarding automated decisions?
- Are the rules around informed consent too broad, too oriented toward the interests of data collectors?
- What is the rationale for establishing rules by which entities can adopt a code of conduct which is then certified by the Commissioner, thereby practically relieving them from complying with the Act?
- Why does the Commissioner have power to make orders but not to assess fines?
- Why does the Act provide for situations where no consent is required to collect and use personal information?
- Why do we need a new tribunal – the Personal Information and Data Protection Tribunal?
- Why is only one of the three members of the tribunal required to have data expertise?
- Why does the federal Act not follow the model of provincial acts that already exist in BC, Alberta and Quebec?
A multitude of questions also exist around the terminology used and concepts applied. For instance, how does one assess “sensitivity of information,” one of the criteria to be taken into account in several places?
Given the process under which the act was created, no one knows who was consulted, who gave what input and what special interests were addressed.
The bill is now in Parliament, has had second reading and will now be subject to scrutiny by committee. According to the minister, it will go to the House Ethics Committee. History shows that major rewriting and changing of concepts in committee hearing is unlikely. To a large extent, the die is cast.
However, in this digital age it is crucial that we get the central issue of privacy right. This bill raises too many issues and leaves too many questions unanswered to be redrafted substantially in committee. One can only hope that, given the numerous questions it raises, that the bill will get stuck in either house of Parliament.
The government would be well advised to withdraw the bill, and table it instead as a green paper and seek public input. Following such input and careful assessment thereof, it could then table a new bill that, one hopes, would reflect a constructive consensus from all stakeholders around a new more principled regime.
Konrad von Finckenstein is a Senior Fellow at the C.D. Howe Institute, and was formerly the Chair of the Canadian Radio and Telecommunications Commission, a Federal Justice, and Commissioner of Competition. James Mitchell is a former head of the machinery of government secretariat in the Privy Council Office.
To send a comment or leave feedback, email us at blog@cdhowe.org.
The views expressed here are those of the authors. The C.D. Howe Institute does not take corporate positions on policy matters.