by Salome Chari
Of late, the privacy field has been dominated by discussions surrounding the Bill C-27 proposed by the Federal government on 16 June 2022. The Bill, among other things, seeks to strengthen privacy protection for children, impose fines for non-compliant digital platforms and introduce new rules for the utilization of Artificial Intelligence (AI).
Undeniably, like any ‘hot potato’ the Bill was received with many mixed feelings particularly on its sustainability and impact on the protection of personal data. The questions that immediately arise are, ‘Will the Bill do enough justice in its fulfilment of personal data protection?’ Tapping into the key tenet of data privacy protection, ‘how much privacy is good and how do we distinguish it from control?’
While we ponder and wait for the Bill to be debated in the House of Commons after summer break, it is probably critical to interrogate whether privacy on the internet is achievable or a realistic possibility under this Bill. Well, it is almost impossible that we can participate in society in a meaningful way and still have complete privacy. However, when it comes to Data protection where we have complete control over usage of personal information, that is very possible, and the new Bill is taking us towards that route. It is not a perfect Bill, but it makes a lot of progress.
The Bill-27 is a rewrite of Bill C-11 which “died on the order table” in 2021, meaning it did not pass into law as planned. Bill C-11 was introduced by the Federal Government back in November 2020 and included the proposed Consumer Privacy Protection Act (CPPA). Bill C-11 was part of Canada’s Digital Charter Implementation Act and consisted of two parts: Consumer Privacy Protection Act (CPPA) and Personal Information and Data Protection Tribunal Act (PIDPT).
Maybe we need to agree that anything that comes now is better than what we had before. Canada’s privacy law came into effect in the year 2000, the same year the iPod came out, four years before Facebook, five years before YouTube, six years before Twitter and seven years before the iPhone. For the past 22 years, we have been stuck with this law despite this technological advancement.
Though Bill C-27 is far from perfection, it is way better than the existing law. One thing to be proud of as Canadians is that since 2000, the privacy law is the first one in the world to be based on accountability. That means it is not prescriptive unlike some of the dogmatic privacy laws that still outline rules on fax machine privacy even though they are very few in use today. Instead, the Bill puts full accountability on organizations to make risk-based decisions and profess responsibility on outcomes.
What it is likable about this bill is the fact that it is getting away from this notion of consent for use of data. It sounds a bit weird to say that we should consent to the way that our data is used. In the past, if a company had permission from somebody to use their data, they would proceed with it. Ultimately, that means subjection to these very fine print legalistic documents confusing or misleading ways of collecting information. Consent therefore must be meaningful, and individuals should be given a right to say no. If individuals are not given the opportunity to reject, then the consent loses its value. It then brings other ways of being responsible and accountable for data without putting the honours on individuals to make decisions about things they might care about, might not understand, and might not even have time to read the fine print. It is our hope that the law will sail in this direction for it to be progressive and impact lives in a meaningful way.
For the first time in 22 years, the Privacy Commissioner, under this Bill if passed will have authority to issue fines and orders meaning they can restrain specific loopholes they would have identified. We wait in anticipation of the best outcome in the deliberations of this Bill.