Will this new proposed law set us back or move us forward? The objective was to “Build trust in a Digital World” (see Canada’s Digital Charter). Will this new law do this? We are concerned that this Bill has just gone through second reading and there are many issues that require some healthy discussion and understanding before it becomes the law here in Canada.
A REVIEW OF CONSENT IN BILL C-11
One must ALWAYS read the fine print – and true to form everything after the “but” negates what was said before it. Section 15 of Bill C-11 states “Consent required”. Meanwhile, Section 18 – 51 describe the “Exceptions to Requirement for Consent” and the exceptions are where the potential mischief lies. Let’s begin with Section 15 and the clear statement it makes:
Consent required
15 (1) Unless this Act provides otherwise, an organization must obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information.
To be sure, that is a clear statement that consent is required. The bill goes on to say that an individual’s consent must be obtained at the point of collection:
Timing of consent
(2) The individual’s consent must be obtained at or be- fore the time of the collection of the personal information or, if the information is to be used or disclosed for a pur- pose other than a purpose determined and recorded un- der subsection 12(3), before any use or disclosure of the information for that other purpose.
Sections 15 (3), (4) and (5), along with Section 16, 17 (1) and (2) go on to describe the stringent structure of what consent look like:
Information for consent to be valid
(3) The individual’s consent is valid only if, at or before the time that the organization seeks the individual’s consent, it provides the individual with the following information in plain language:
(a) the purposes for the collection, use or disclosure of 5 the personal information determined by the organization and recorded under subsection 12(3) or (4);
(b) the way in which the personal information is to be collected, used or disclosed;
(c) any reasonably foreseeable consequences of the 10 collection, use or disclosure of the personal information;
(d) the specific type of personal information that is to be collected, used or disclosed; and
(e) the names of any third parties or types of third 15 parties to which the organization may disclose the personal information.
Form of consent
(4) Consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.
Consent — provision of product or service
(5) The organization must not, as a condition of the sup-
ply of a product or service, require an individual to con- 25 sent to the collection, use or disclosure of their personal information beyond what is necessary to provide the product or service.
Consent obtained by deception
16 An organization must not obtain or attempt to obtain an individual’s consent by providing false or misleading information or using deceptive or misleading practices. Any consent obtained under those circumstances is invalid.
Withdrawal of consent
17 (1) On giving reasonable notice to an organization,
an individual may, at any time, subject to this Act, to federal or provincial law or to the reasonable terms of a con- tract, withdraw their consent in whole or in part.
Collection, use or disclosure to cease
(2) On receiving the notice from the individual, the organization must inform the individual of the consequences of the withdrawal of their consent and, as soon as feasible after that, cease the collection, use or disclosure of the individual’s personal information in respect of which the consent was withdrawn.
On first read, I thought “this is pretty tough”. In fact, prior to the release of Bill C-11, I was pretty sure Canada would adopt something similar to the GDPR standards of requiring a “lawful basis of processing” in order to reduce consent fatigue by the public. If you have to consent for every little thing you do online, it won’t be long before you think twice before downloading a new app, surf a new website or even go online.
In Article 6 of the GDPR, the EU allowed 3 forms of lawful basis for processing for the private sector and 3 forms for the public sector (police & government). The 3 for the private sector are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
(the bold type is my emphasis on the type of “lawful basis”)
But here’s where Bill C-11 does a left turn for me. Sections 18 – 51 outline the “exceptions to requiring consent”. No doubt, some of these exceptions are required in a consent regime. It would be fair to go through them one at a time and look at how these exceptions could be interpreted by those same businesses who are abusing personal data today.
Business activities
18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2) and
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
Subsection 2 reads:
business transaction includes
(a) the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;
(b) the merger or amalgamation of two or more organizations;
(c) the making of a loan or provision of other financing to an organization or a part of an organization;
(d) the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
(e) the lease or licensing of any of an organization’s assets; and
(f) any other prescribed arrangement between two or more organizations to conduct a business activity. (transaction commerciale)
commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization’s objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome. (activité commerciale)
Certainly the “test” to meet this is at best ambiguous. “A reasonable person would expect”? I am not a lawyer, yet I would fully expect Facebook’s lawyers to make the case that a “reasonable person” would expect Facebook to use their data in return for providing a “free” account. In fact, I have heard this argument on several occasions. So Bill C-11 might allow Facebook to keep doing what they are doing? Business as usual? And Google can carry on doing what they are doing, amassing a staggering amount of data on an individual and “horse-trading” that in order to sell ads online?
How is this “building trust in a Digital World” meeting the primary mandate of Canada’s Digital Charter?
What about Section 18(b) – isn’t all data captured and used by business done so in order to “influence the individual’s behaviour or decisions”? I can see the legal arguments now, but as a marketer, I am very clear. The use of an individual’s personal data is to influence that person’s purchase decision in our favour. To be clear we are “influencing “behaviour” and “decisions”. So now as a business owner or marketer, do I need to capture meaningful consent or not?
Let’s move on to Section 18(2):
List of activities
(2) Subject to the regulations, the following activities are business activities for the purpose of subsection (1):
(a) an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
(b) an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
(c) an activity that is necessary for the organization’s information, system or network security;
(d) an activity that is necessary for the safety of a product or service that the organization provides or delivers;
(e) an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and
(f) any other prescribed activity.
Some may argue Section 18(2) (a) acts as the “lawful basis of processing” called “Contractual”, but you can hear the corporate loopholes in (b) through (f). “impractical because the organization does not have a direct relationship”? In his blog article posted November 18,2020, – Michael Geist states: “It is one thing to cover direct activities arising out of relationship between an individual and a commercial organization. But to cover activities with no direct relationship? That would seemingly invite all sorts of problems, not the least of which includes online tracking activities where the bill would potentially remove the need for knowledge or consent.” Michael Geist, is a Professor of Law, Canada Research Chair in Internet and E-commerce Law Faculty of Law, Common Law Section Centre for Law, Technology and Society, University of Ottawa, and one of the most respected voices in privacy in Canada.
And there is18 (2) (f) – “any other prescribed activity”, allowing the regulations to throw in “soup to nuts” and everything in between. This law, as written, relies heavily on the writing of Regulations so there are still many unknowns.
Section 19 states:
Transfer to service provider
19 An organization may transfer an individual’s personal information to a service provider without their knowledge or consent.
The GDPR regulates the transfer of personal data across borders. If the service provider is located in the US, your personal data can be transferred without your consent and be subject to all US laws, despite the fact that Canada and US privacy stances are very different (i.e. The Patriot Act). Should an individual be made aware of these prior to the data transfers to processors in other countries like the GDPR provides for?
Once again, how does this “Build trust in a Digital World”?
And Section 20 states:
De-identification of personal information
20 An organization may use an individual’s personal information without their knowledge or consent to de-identify the information.
Michael Geist addressed this (along with the Public Interest Advocacy Centre) in that same article mentioned above – “The Public Interest Advocacy Centre was out quickly with tough criticism of the bill, arguing that the de-identification provisions hollow out consumer privacy and that the bill should be withdrawn. At issue are provisions that provides businesses an express right to use personal information without an individual’s knowledge or consent to de-identify the information. De-identified information plays an important role in a data economy, but many individuals simply do not want their data used, whether identifiable or not. The balance the bill seeks to strike is to create some limitations on de-identification and to feature very tough penalties should organizations re-identify the de-identified data. This represents a major tension between modern data-based commercial activities and privacy safeguards that will no doubt be the subject of much debate in the coming months.”
I agree with Section 21 and 22 which states:
Research and development
21 An organization may use an individual’s personal information without their knowledge or consent for the organization’s internal research and development purposes, if the information is de-identified before it is used.
Prospective business transaction
22 (1) Organizations that are parties to a prospective business transaction may use and disclose an individual’s personal information without their knowledge or consent if
(a) the information is de-identified before it is used or disclosed and remains so until the transaction is completed;
(b) the organizations have entered into an agreement that requires the organization that receives the information
(i) to use and disclose that information solely for purposes related to the transaction,
(ii) to protect the information by security safeguards appropriate to the sensitivity of the information, and
(iii) if the transaction does not proceed, to return the information to the organization that disclosed it, or dispose of it, within a reasonable time;
(c) the organizations comply with the terms of that agreement; and
(d) the information is necessary
(i) to determine whether to proceed with the transaction, and
(ii) if the determination is made to proceed with the transaction, to complete it.
Once again, the GDPR included employment information in their definition of personal information, providing full protection of employment records as PII. Canada has elected not to include that in Section 23 & 24:
Information produced in employment, business or profession
23 An organization may collect, use or disclose an individual’s personal information without their knowledge or consent if it was produced by the individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
Employment relationship — federal work, undertaking or business
24 An organization that operates a federal, work or business may collect, use or disclose an individual’s personal information without their consent if:
(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relation- ship between the organization and the individual in connection with the operation of a federal work, undertaking or business; and
(b) the organization has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.
Sections 25 through 28 are legal exceptions that are reasonable and would be expected in a revised privacy Bill.
But Section 29 – 39 go on to describe Public Interest exceptions, while Section 40 – 42 describe exceptions for Investigations. And then there are Disclosures to Government Institutions covered in Section 43- 48 and Required by Law exceptions Section 49 – 50 and of course the Publicly Available Information covered under Section 51. That reads as follows:
Information specified by regulations
51 An organization may collect, use or disclose an individual’s personal information without their knowledge or consent if the personal information is publicly available and is specified by the regulations.
So anything that is public is fair game? Anything you post on Facebook or search for in Google? And again I ask, how does differ from how it is now? How does this build trust in a Digital World? Truthfully we have to wait for the Regulations to see how this is interpreted, but this sounds like a step backwards to me.
As you can see, we don’t have to be lawyers to determine there is a lot of work to do before this Bill can become the law of the land. In the area of CONSENT, there are many questions to be answered in this first draft. Business wants straight answers to simple questions like: Do I need consent to do X? Stay tuned as we do our best to make changes to this Bill before it is passed as the law of the land. As is, implementation of compliance programs will require a lot of guesswork. Perhaps the Regulations will help.
