Does Bill C-27 strike the right balance?

From the C-Suite newsletter: Here's what marketers need to consider about the new implications.

This story was originally published in the Winter 2023 issue of strategy.

By Will Novosedlik

This past June, Ottawa tabled the new federal privacy bill, C-27, or the Digital Charter Implementation Act. The legislation targets private sector personal information protection practices, and is designed to repeal Part 1 of the Personal Information and Electronic Documents Act (PIPEDA) and replace it with the Consumer Privacy Protection Act (CPPA).

While orgs like the IAB and CMA have found some positives in the proposed bill, academics and consumer advocates are expressing concerns. Here are a few issues that marketers should consider.

Privacy protection

Says Sonia Carreno, president of Canada’s Interactive Advertising Bureau, “Bill C-27 provides the industry with clarity on several areas of privacy. With an emphasis on consent and accountability, the bill would allow for a balanced approach to privacy that protects individuals’ personal information while allowing businesses to innovate and provide services in a frictionless way.”

Sara Clodman, VP public affairs and thought leadership at the CMA, adds that she believes the proposed law provides significantly enhanced protections of personal information for consumers, including expanded recognition of individual privacy rights (in the preamble), new transparency requirements for automated decision systems, enhanced individual control over personal information held by organizations (deletion, mobility, etc.) and a significantly strengthened enforcement regime – including new order-making powers for the privacy commissioner and some of the highest monetary penalties in the world.

But Bryan Short, a digital rights campaigner at Vancouver-based advocacy group OpenMedia, argues that this legislation “does the absolute bare minimum for privacy protections in Canada, and in some cases will actually make things worse.” Professor Teresa Scassa, Canada research chair on information law policy at the University of Ottawa, counters by saying, “Innovation is great, but not at the expense of human rights. Privacy is a human right.”

Consent and accountability

So how could C-27 make things worse? Consider the issue of consent, one of the key concerns of legislation like the EU’s GDPR and Quebec’s Bill 64. Short points out that while PIPEDA puts the onus on companies to generate meaningful consent with Canadians before collecting and using personal information, CPPA proposes that it’s the responsibility of Canadians to find out how their data is being used and requires companies to explain their privacy policy in plain language.

Also attracting attention is a new provision around the concept of “implied consent.” Bill C-27 proposes to introduce a new consent exception for the collection and use of personal info for identified business activities and legitimate interests. Says Scassa, “The idea is that businesses can collect and use this information without knowledge or consent, as long as it’s for a ‘legitimate business interest’ – and not for influencing behaviour.”

Given that marketing’s core purpose is to influence behaviour, does that mean no form of marketing should be considered a “legitimate business interest”? According to IAB’s Carreno, “This provision is for situations where the legitimate interest outweighs any potential adverse effect on the individual. It is there to allow business to operate while protecting the consumer. Organizations relying on the legitimate interest exception will be required to complete a privacy impact assessment and provide copies of the assessment to the Commissioner on demand.”

This suggests that individual marketers will need to spend more time considering the potential privacy impacts of their data use, something to which, up until now, they may not have needed to dedicate significant resources. Clodman says it will add complications: “Organizations that choose to rely on the new ‘legitimate interest’ exception would have to formalize and retain records of their impact assessments. The extent to which marketing resources are impacted by this new administrative obligation will vary widely based on many factors, such as current practices, and the type and nature of the data being used.”

The Commissioner’s new clothes

There are also significant changes to the role of the Office of the Privacy Commissioner in the bill. In the current legislation, the buck stops with the Commissioner. He or she can investigate and make findings, and that’s the end of it. Under the new scheme, another layer of authority has been added in the form of a six-person tribunal. The Commissioner may have broader audit powers and can recommend fines – which have been increased to anywhere from $10 million to $25 million for companies found to be in breach of the laws – but the final decision rests with the tribunal.

Says Professor Scassa, “Now you’re going to have the Commissioner doing the same work, but being subject to appeal. And instead of the Commissioner – who has considerable expertise – we’ll have this tribunal deciding if the commissioner made the correct findings, only three of whom are required to be experts in privacy law. And their decisions will be final, with no possibility of appeal to the courts, unless the tribunal goes way off the rails.”

Carreno believes the new scheme will force marketers to be more accountable and ready for any investigation. But, like Scassa, she’d like to understand more about how decisions will be made, who is on the tribunal and what qualifications they would be required to have in the realm of privacy.

 

Right to be forgotten

Something new in the proposed bill is the “right to be forgotten,” which will allow individuals to request, in writing, a disposal of their personal information, either by deletion or by rendering the data anonymous. This would apply to any information under the organization’s control. If the organization refuses to dispose, it needs to inform the individual of the reason. The question here is, how is the organization meant to prove that it has executed the disposal?

Scassa has concerns. “There are so many loopholes in this provision. An organization can refuse a request for disposal if the data that they’re being asked to delete is part of a scheduled disposal for this kind of personal information. If they have that kind of scheme in place, then the company can send a letter back saying, ‘Your information will be disposed of according to the schedule, thank you.’”

Here, marketers need to find ways to be transparent about disposal, and to develop a mechanism by which verification is determined. Doing so would ultimately build brand trust.

Then there’s the related murky issue of data de-identification, said by OpenMedia’s Short to be one of the greatest failings of the current legislation because it gives companies the ability to say the data they are collecting, using and potentially selling has been de-identified. But, according to a study cited by the International Association of Privacy Professionals, location and mobility data can never be fully anonymized. Researchers showed that knowing when and where you take your morning coffee was enough to uniquely identify you 95% of the time in a dataset of 1.5 million people. That leaves the door open to creating more brand trust issues.

In an analysis published on his blog in December, Barry Sookman expressed his concerns about how the bill defines the word “anonymize” – which could be a potential issue for advertisers to consider. A senior counsel at McCarthy Tétrault’s Toronto office, Sookman flagged that the word had been defined in a way that would force Canadian businesses – including advertisers – to “adopt only ‘best practices,’” regardless of costs or commercial practicality.

“While the high standards might theoretically be achievable by very large multinational firms with significant capital, they would not likely be, or always be, commercially reasonable for smaller innovative firms,” he warns. The current language of the bill, he adds, fails to balance the costs of those “best practices” against real-world risks, which could handcuff smaller companies. Sookman makes several recommendations, including offering exceptions for uses like research and “socially beneficial” purposes.

Artificial intelligence

Bill C-27 also proposes to introduce a new act (the Artificial Intelligence and Data Act) specifically intended to address artificial intelligence systems and data.

The act will require organizations or individuals responsible for AI to, among other things, assess these systems’ potential to cause a “high impact,” develop mitigation plans to reduce or eliminate these risks, publicly disclose when high-impact systems are being used and notify the Minister of Innovation, Science and Industry when the system results, or is likely to result, in “material harm” among other obligations.

The big question here is, what’s “high impact”? Says Scassa, “Well, you’ll have to wait to find out because it’ll be defined in regulations. I think this is asking parliament to write a blank cheque.”

Carreno shares some concerns. “Our biggest concern about the new legislation is the inclusion of AI with very limited details or regulations. As we develop self-regulatory frameworks on ethical and transparent use of AI, it would be beneficial to have this addressed separately.”

The Speaker of the House appears to have heard and addressed that concern, recently ruling that the AI aspect of the new bill will now be voted on separately to the other two acts.

For marketers, all this ultimately means that just waiting for regulations to be etched in stone is probably not a good idea. This calls for engagement and input from the marketing professionals in companies that will benefit from the putative powers of AI. Which is everyone.