In fall 2021, the Public Policy Forum convened a group of academics, lawyers, representatives from the private sector and members of civil society to revive discussions around modernizing privacy law in Canada under the Chatham House rule.

EXECUTIVE SUMMARY

In fall 2021, the Public Policy Forum convened a group of academics, lawyers, representatives from the private sector and members of civil society to revive discussions around modernizing privacy law in Canada under the Chatham House rule. These conversations sought to explore five key questions of interest:

  1. How is Canada situated compared to other jurisdictions and countries, and with respect to inter-provincial differences?
  2. What are the priorities for changes to a modified Bill C-11: An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts?
  3. Where are the widest gaps among experts and stakeholders on C-11, and are there different approaches, directions or principles that will help bridge them in effective legislation?
  4. Are there steps outside of modernized legislation that the private sector should be taking?
  5. Can a human rights approach co-exist with data-driven, private sector innovation?

On the question of how Canada is situated compared to other countries and jurisdictions, and with respect to inter-provincial differences, many participants expressed concern that a “patchwork” of frameworks are emerging as a few provinces (Alberta, British Columbia, Ontario and Quebec) have started to take the lead in modernizing Canada’s private-sector privacy laws. This may be an expression of policy impatience, whereby provinces are unwilling to “wait” for Canada’s federal government to modernize privacy law (through a revised Bill C-11) and instead seek to solve perceived gaps in private-sector privacy regulations.

So while this is a national conversation, it is increasingly a provincial one as well. Though the word “patchwork” came up with some frequency, it is possible to reframe this federated approach more positively as a productive opportunity for inter-provincial collaboration to develop a truly pan-Canadian, harmonized and interoperable private-sector privacy law that can both better protect Canadians’ privacy rights and better support innovation and the growth of business.

Our roundtables reflected the challenge that highly knowledgeable participants came with particular perspectives, and the instrument for integrating them — a draft piece of legislation — is highly imperfect. Modern privacy and consumer protection legislation will need to operationalize the balance of these interests in a larger and broader debate regarding the “legitimate commercial use” of data inside legislation. Many discussants felt that further substantiation of this carve-out was required and observed that it lacked sustained championship. Policymakers need to build and protect both the trust of individuals and organizations so that Canadian innovation flourishes and thrives. It is difficult to have a comprehensive innovation conversation within a piece of privacy legislation. Further, the efforts to “protect” consumers may be read as charged or accusatory by private actors that are anticipating new restrictions on their potential ability to innovate through the collection of data, or are concerned about the costs imposed by potentially new requirements, such as through the strengthened right for consumers to request access to personal data held by an organization, and request that the organization delete it, or transfer it to another organization. Many discussants expressed that the broad business exemptions included in the proposed legislation are a source of potential weakness and concern. However, if this debate is framed as one between businesses and the state, we lose the centrality of the digital citizen. Ultimately, conversations about Bill C-11 are about power and revising the rights that people have regarding how their personal information is collected and used.

Due to some regulatory inertia — many discussants expressed agitation, disappointment and surprise that the proposed legislation was abandoned to “die on the vine” — the passing of time may act to normalize or pseudo-legitimize business practices that may otherwise not “fit” under the previously proposed legislation. It is easy to understand why that is likely to agitate business leaders that have been investing in talent and systems to maximize the value and derive insights from big data that can contribute to their economic growth to have those “innovative” norms called into question. At worst, it may seem disingenuous for the state to almost retroactively revise privacy norms in a pushback against surveillance capitalism.

The roundtables discussed priorities for changes to Bill C-11. Participants focused on the mechanisms for creating new accountabilities between businesses and individuals who have a data relationship with them. Another facet of the potential revised legislation that was of interest to discussants was related to resourcing and investments enforcement to avoid situations like the lack of capacity detailed in the 2020 report from Brave, a privacy-preserving browser that looked at “How Europe’s Governments are Failing the GDPR,” and detailed data protection authorities” (DPAs) capacity to enforce against tech infringements of the GDPR. There was alignment in the aspiration to both enhance individual’s individual privacy rights while also supporting the needs of business and other organizations in the pursuit of responsible innovation.

In terms of some of the widest gaps among experts and stakeholders on C-11, there was skepticism regarding the utility of a new privacy Tribunal that could be separate from that of the privacy commissioner. Bill C-11 grants order-making enforcement power to the Privacy Commissioner (subject to approval by a Tribunal body) that could bring more teeth to legislation. Another profound gap was simply regarding what the “legitimate commercial use(s)” of data are — both currently, and what they could or should be in the future. Again, this interpretation is the crux of the privacy law conversation in Canada and must be discussed with greater clarity; perhaps in connection to the broader [political] narrative that many discussants felt was absent from the previous introduction of the Bill.

Regarding the approaches, directions or principles that could help to bridge these gaps: a more frank and direct conversation that engages everyday people regarding how their data may be used, how it is protected and how this may contribute to innovation is warranted. Other policy interventions may better empower consumers to make decisions about how they want to engage online. These interventions would be adjacent and complementary to privacy legislation reform.

The two roundtable conversations did not directly address non-legislative interventions. That being said, the private sector could be leading on supplementary work to protect consumer privacy and empower their customers with new abilities to tailor their online experiences. For instance, to what extent could a commitment to data minimization act as a competitive advantage for a firm? Often businesses argue that consumers benefit from the data that businesses collect about their habits and purchase history, so that they receive more appropriate or efficient ads. This may be true in many cases, but customers deserve the ability to turn “off” these targeting practices. We saw the remarkable response to this when Apple gave iPhone users the ability to turn off the “Personalized Ads” toggle and directly asked iOS users to opt-in to track their activity within each individual app.

New policy interventions for algorithmic transparency, accountability and auditability are privacy-adjacent and worthy of exploration in a Canadian context. For instance, Canadian policymakers are only beginning to engage in conversations about competition and the role of consumer data in creating or maintaining barriers to market entry, or new ways to potentially abuse dominance.

Many aspects of the previously proposed Bill C-11 were promising, such as the right to an explanation of why an artificial intelligence (AI) system made a decision about a person, or the right to opt out of having data collected in the first place — simply having better explanations available will be useful. But it still places a high burden on the individual to seek understanding on a case-by-case basis, which is time-intensive and may be irrational to expect. However, should individuals have a desire to more proactively manage their online engagements, perhaps they should have the power to reject recommendation systems. This could come in the form of a stand-alone piece of legislation, such as the recently proposed legislation Filter Bubble Transparency Act (“A bill to require that internet platforms give users the option to engage with a platform without being manipulated by algorithms driven by user-specific data”) would enable end users on social media to reject a recommender system.

Another area worthy of further discussion is related to collective data rights and intermediaries. California’s consumer privacy law includes a mechanism for this kind of collective representation. And, in a recent proposal by the EU Commission, Europe is considering something similar. Perhaps Canada should do more to put people directly in charge of their data as individuals seek to demystify the bargain between themselves and digitally driven firms. The new legislation will help people both understand what may be done with their data, why, and give them the ability to opt-out.

With regards to whether a human-rights approach — whereby the privacy of individuals is treated as a fundamental right — can co-exist with data-driven, private sector innovation, participants expressed optimism that this was possible, and generally held the view that a human-rights approach was not incompatible with innovation. Canadians crave better custodianship of their information, more transparency over how it is used and more rights to manage their information online.

Another area of misalignment that should be corrected going forward is related to the legislation potentially exempting political parties from new requirements placed on the private sector. Non-profit and charitable organizations similarly manage and mine large volumes of information. Given that Ontario’s Information and Privacy Commissioner has recommended that Ontario’s privacy law apply to provincial political parties and federal riding associations, consistency would be valuable. More discussion of data management in automated decision systems (ADS) would also be welcome. Canadians should understand fairness, transparency, security and accountability rules for the responsible use of their personal information in these systems.

Finally, the enthusiasm and good will toward continued efforts at modernizing privacy law should be noted. Not only can we continue to learn from international peers, but we have the benefit of being informed by more recent approaches put forward by some of the provinces. Achieving harmonization through interoperability and re-introducing a coherent privacy framework that better protects consumers and empowers responsible innovation is achievable with sustained political championship.

Debating the Right Balance(s) for Privacy Law in Canada

Summary and Discussion of Two Roundtables January 2022

Download Report