Federal Privacy Commissioner Calls for Stronger Privacy Protections in Bill C-11
Written by Ruth Promislow, Sébastien Gittens and Michael Whitt, Q.C.
In November 2020, the federal government tabled Bill C-11, the proposed new private-sector privacy law that would replace the current regime under the Personal Information Protection and Electronic Documents Act (PIPEDA).We reported on Bill C-11 in Understanding the Draft Consumer Privacy Protection Act: A Summary of the Key Changes Proposed.
At the request of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, the federal Privacy Commissioner shared his submission on Bill C-11. Calling Bill C-11 as "a step back overall" for privacy, the Commissioner's submission sets out in excess of 60 recommendations, including the following concerns:
- The Privacy Commissioner asserts that Bill C-11 does not include a requirement that individuals understand the consequence of what they are consenting to in order for consent to be meaningful. He argues that the language in Bill C-11 which provides that "[c]onsent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual's [implied] consent" should be revised to remove the wording permitting the organization to determine that implied consent is appropriate.
- The Privacy Commissioner also criticizes the exceptions to consent in Bill C-11 which provide that an organization does not have to obtain consent where it is impractical to do so.
- Flexibility without accountability
- The Privacy Commissioner asserts that Bill C-11 weakens the accountability provisions by leaving organizations to self-regulate. He asserts that organizations should be required to undertake privacy impact assessments for new, higher-risk activities, and should be subjected to proactive audits by his office.
- Responsible innovation
- The Privacy Commissioner asserts that the exceptions to the requirement of obtaining consent for the collection, use or disclosure of information are too broad or ill-defined to promote responsible innovation.
- A rights-based foundation
- The Privacy Commissioner asserts that Bill C-11 prioritizes commercial interests over the privacy concerns of individuals, and seeks the entrenchment of privacy as a human right in the legislation.
- Access to quick and effective remedies
- The Privacy Commissioner asserts that the list of violations that could lead to administrative penalties is too narrow, as it does not include obligations related to the form or validity of consent, the exceptions to consent, or violations of the accountability provisions.
- The Privacy Commissioner further asserts that the creation of a Tribunal (to review his exercise of power and consider his recommendations for penalties) adds an unnecessary layer to the process. He recommends that he be empowered to impose the penalties directly, rather than making a recommendation to the Tribunal.
- Cross-Border transfers
- The Privacy Commissioner has made 14 recommendations specifically with respect to trans-border data flows, including a recommendation that the Commissioner: (i) "… may request an organization to demonstrate the effectiveness of any safeguards put in place to govern data transfers"; and (ii) be " empowered to prohibit, suspend, or place conditions on, offshore transfers of data where substantially similar protection is not in place".
The Privacy Commissioner's submission to the Standing Committee might be a signal that significant changes could be made to the current draft of Bill C-11. Organizations should actively monitor developments in this area to ensure their compliance efforts are aligned with upcoming changes to the legal regime. If you have questions regarding how Bill C-11 may impact your organization and obligations, please contact the Bennett Jones Privacy and Data Protection team.