The federal Government, prompted by questions raised in the INDU committee hearings, has released the language of proposed amendments to Part 1 of Bill C-27, the Consumer Privacy Protection Act (“CPPA”). These changes largely expand the powers and reach of the Office of the Privacy Commissioner of Canada (“OPC”), creating heightened regulatory uncertainties and potential risk for businesses. Below we focus on the problematic broadening of the appropriate purposes provision.
Background
Earlier this month the Government announced its intention to amend Bill C-27; however, the actual legal text remained undisclosed. (Click here to see Dentons’ original post with commentary on the proposed changes.)
The Government has now made the language of proposed amendments to Part 1 of Bill C-27 available. Amendments to Part 3, the Artificial Intelligence and Data Act (“AIDA”), which were much more substantial, will be dealt with at a later date when the Committee turns its attention to that portion of the Bill – likely in a month’s time.
Amendments
Click here for Dentons’ blackline version of the amendments to Part 1 of the CPPA.
Analysis
The Government’s amendments relate to three areas:
(1) recognition of the fundamental right to privacy;
(2) increased flexibility for the Privacy Commissioner to reach compliance agreements; and
(3) recognition and reinforcement of the protection afforded to children.
With respect to (1), the OPC got its wish by having privacy recognized as a fundamental right, in both the Preamble and the purpose section (s. 5) in the body of the statute. Language located in the Preamble to the statute, while influential, is not “binding”. According to section 3 of the Interpretation Act, RSC 1985, c I-21, “[t]he preamble of an enactment shall be read as a part of the enactment intended to assist in explaining its purport and object.”
That this language has also been added to the body of the statute will mean that it will likely be cited by those seeking to tilt the balance between privacy interests and commercial needs in the direction of the former.
The most significant change created by (2) is the introduction of the ability of the OPC to require organizations to “pay a specified amount” as part of a compliance agreement.
Additional changes state that an individual can utilize the private right of action created by the Bill’s section 107(1) where the OPC has entered into a compliance agreement “and the agreement does not provide for the payment of damages for that loss or injury”. It is unclear whether the amount that could now be payable under a compliance agreement is intended to be “damages”. If not, and it is just a payment, an organization could find itself paying both that and damages under the private right of action.
Furthermore, the language of the amendment does not specify to whom the amount is to be paid. If it is the Receiver General of Canada, it seems unlikely that these amounts would be “damages” and an organization would have very limited incentive to agree to a compliance agreement.
The proposed changes in (3) are framed as relating to children’s privacy, but they include ancillary changes that will have a much larger impact beyond children’s privacy rights. The proposed amendments render section 12, pertaining to appropriate purposes, open to broader interpretation and could affect all handling of personal information by organizations.
The amendments are as follows (boldface indicates new text):
Appropriate purposes amendments
12 (1) An organization may collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is required under this Act.
Factors to consider
(2) All relevant factors (replacing “The following factors”) must be taken into account in determining whether the manner and purposes referred to in subsection (1) are appropriate, including:
(a) the sensitivity of the personal information, including by reason of being in relation to a minor;
(b) whether the purposes represent legitimate business needs of the organization;
(c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
(e) whether the individual’s loss of privacy is proportionate to the benefits in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
This provision’s significance cannot be overstated – it is a cornerstone of federal privacy law (current and forthcoming). As the Commissioner recently emphasized during his INDU Committee testimony, this section is the “heart of the bill”. It sets out a framework for assessing what is and is not considered to be a reasonable collection, use and disclosure of personal information. This threshold analysis must be considered even if an organization has legal authority to proceed (via consent or an exception to consent).
The amendments, if passed, provide the OPC with significant latitude to determine what factors to include when determining what is appropriate, without providing a definitive list. Organizations will face challenges in determining whether they have considered “all the relevant factors”, as it is open to the OPC to determine (according to its own perspective) whether something is relevant.
This will reduce the predictability and certainty for organizations regarding the interpretation of the appropriate purposes provision, and the OPC’s reading of it may shift from case to case. There has been increasing reliance by the OPC on the current PIPEDA appropriateness section (s. 5(3)), particularly in several recent cases.[1] This section can be used by the OPC to elevate a collection, use or disclosure to “inappropriate”, meaning an organization will suddenly find itself offside the legislation.
This is especially problematic as the OPC has, in a number of instances in the past, relied on inferences and speculation to conclude whether a particular activity is one that a reasonable person would consider appropriate in the circumstances.
For instance, in the recent Tim Hortons Report of Findings addressing, among other things, the collection of location information by the organization’s app, the OPC concluded that while targeted advertising can be an appropriate purpose for the collection, use and/or disclosure of personal information in some cases, “a reasonable person would not consider Tim Hortons’ purpose to be appropriate in the circumstances of this case.” This was because the OPC determined that “large volumes of granular location data like that collected by the App can be highly sensitive personal information”. It speculated that (emphasis added):
…a company could use information about an individual’s daily movements to develop sensitive insights about that individual. For example, trips to a medical clinic can be indicative of specific medical treatments or illness, while other locations can lead to deductions about an individual’s religious beliefs, sexual preferences, social and political affiliations and more. While the evidence indicates that Tim Hortons did not use Radar Location Data to develop such sensitive insights, the real potential for the information to be used in this way renders it sensitive.
Broadening the language of the CPPA’s section 12, and further increasing the discretion of the OPC (in the absence of robust procedural protections) is likely to create increased business uncertainty.
“Manner and purposes”
Further, while not a new addition in this round of amendments (it was introduced as part of the original Bill C-27), the inclusion of the words “in a manner and” in section 12 is challenging. Again, it broadens the current approach taken under PIPEDA: the appropriateness inquiry could extend beyond the collection, use or disclosure itself to the actual mechanics of how that collection, use or disclosure is carried out.
For example, the OPC has repeatedly signaled an interest in engaging on issues related to privacy and artificial intelligence (“AI”). While an organization’s purpose of collecting and using personal information to train AI models may be appropriate, the inclusion of the words “in a manner” opens the door to the OPC finding that an organization actually went about it in the wrong way, rendering the whole activity “inappropriate”.
In the existing PIPEDA, once a purpose is appropriate, there is no further inquiry into the mechanics. Nor should there be – the “how” of a collection, use or disclosure should be left up to the organization once it has determined the purpose is otherwise appropriate.
[1] PIPEDA Findings #2022-001, Joint investigation into location tracking by the Tim Hortons App; PIPEDA Findings #2021-001, Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta; and Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533 (CanLII), https://canlii.ca/t/jwq5k