The Consumer Privacy Protection Act, or CPPA, which is part of Bill C-27, is “solid in its underlying principles and balanced in its approach,” says a submission by the Privacy and Access Law Section of the Canadian Bar Association. But it requires a few amendments to enhance its effectiveness, while supporting a fair process. Some of the suggested amendments are summarized below.
Anonymization
The Personal Information Protection and Electronic Documents Act, or PIPEDA, restricts the collection, use and disclosure of information if it is reasonable to expect or there is a serious possibility that an individual could be identified from that information or that information in combination with other information.
The proposed CPPA keeps the same definition of personal information but adds two concepts: De-identification, which modifies personal information so an individual cannot be directly identified, and anonymization, which aims to “irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
The Section says it is unclear why anonymization is required at all. And its threshold is impossible for most Canadian organizations to meet. It recommends amending the definition to “irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means.”
Disposal
PIPEDA currently forces organizations to delete or anonymize personal information in its files once it’s no longer necessary for identified purposes or following an individual’s access request. The proposed CPPA adds a new explicit right for individuals to request disposal of their personal information in specific circumstances and a corresponding explicit obligation for organizations to dispose of the information, with exceptions.
The CBA Section has many concerns about the wording of some of those exceptions, including those related to “clearly recognized reasonable business purposes, such as fraud prevention or detection, security and investigations,” and information related to minors. The submission recommends deleting the reference to minors since it creates significant operational difficulties (and the rights of minors are protected elsewhere in the legislation), and introducing a new exception for already recognized reasonable business purposes.
Procedural and substantive fairness at the OPC
The CPPA creates several roles for the Office of the Privacy Commissioner and the Section believes this can lead to serious procedural and substantive fairness concerns for organizations and individuals. Safeguards should be added to the legislation, in particular concerning inquiries, interim and final orders.
If the OPC is to have both investigative and adjudicative powers, the CBA submission says, there must be strict segregation of duties to protect procedural and substantive fairness. Among its recommendations, the CBA Section says the legislation “should be amended to allow for the appeal of interim orders to the Tribunal as of right, rather than with leave as proposed in s.102(1).”