Ottawa\u2019s second attempt at overhauling federal legislation regulating how businesses collect and use personal data of Canadians still favours the private-sector, says a leading technology and human rights group.<\/p>\n
The University of Toronto\u2019s Citizen Lab today released a critical analysis<\/a> of the proposed Consumer Privacy Protection Act (CPPA, also known as C-27), complaining it allows \u201cprivate individuals\u2019 and communities\u2019 data to be exploited for the benefit of the economy and society alike\u201d rather than do what its name says: protect consumers.<\/p>\n The report calls for significant amendments before the bill is passed, including expanding the powers and responsibilities of the federal privacy commissioner; giving the commissioner the power to levy fines for violating the act instead of taking alleged offenders to a privacy tribunal; getting rid of the proposed distinction between de-identified and anonymous data; removing exemptions given to businesses for collecting data without the consent of individuals; and giving data sovereignty to Indigenous groups.<\/p>\n There are 19 recommended changes to the wording of C-27, enough that the group says the government should start all over again, beginning by giving Canadians the right to privacy.<\/p>\n \u201cWe think that the legislation would be best to be withdrawn and re-introduced,\u201d co-author Christopher Parsons said in an interview.<\/p>\n \u201cLikely the government will not do that,\u201d he admitted, so the goal of the recommendations \u201cis to remove as many sharp edges as we can.\u201d<\/p>\n \u201cIt\u2019s meant to let the government see what could be done to still enable the commercial and socially-beneficial uses of [personal] data that the government seems to be inclined towards, while also trying to mitigate some of the worst harms that could come, based on the way the legislation is written now.\u201d<\/p>\n \u201cI don\u2019t think the legislation is principally designed with privacy in mind,\u201d Parsons added. \u201cOur analysis of the legislation is that it is very deliberately designed to be very friendly to business and to enable the free flow of personal information in the service of the information economy.\u201d<\/p>\n The Citizen Lab analysis follows the release of a report last month by the non-profit Centre for Digital Rights,<\/a> which says C-27 \u201cnot only expands [business] surveillance, it treats citizen privacy as an obstacle to corporate profits.\u201d<\/p>\n Aimed at updating the Personal Information Protection and Electronic Documents Act (PIPEDA), the CPPA was re-introduced in June<\/a>. The first time the Liberal government proposed it was in 2020, when it was designated as C-11. However, it died in the face of criticism from then Privacy Commissioner Daniel Therrien<\/a> and the calling of the September 2021 federal election. Despite the criticism, the re-elected government largely left CPPA the same as the 2020 version. It continues PIPEDA\u2019s framework of obliging companies to follow privacy principles rather than give Canadians the right to privacy.<\/p>\n The government counters that the importance of privacy protection is mentioned in the legislation\u2019s preamble.<\/a><\/p>\n C-27 is now in second reading in the House of Commons, before being referred to a committee for detailed examination. It isn\u2019t clear which committee the bill will go to: The Ethics and Privacy Committee, chaired by a Conservative, or the Industry committee, chaired by a Liberal. It may go to a committee before the end of the year.<\/p>\n C-27 is composed of three proposed pieces of legislation, including a proposed bill regulating the use of artificial intelligence applications, but the Citizen Lab report only deals with the CPPA.<\/p>\n In a November 4th speech to Parliament, the bill\u2019s sponsor, Innovation Minister Fran\u00e7ois-Philippe Champagne, said the legislation \u201cwould strengthen privacy protection for Canadians by giving the Privacy Commissioner of Canada significantly more powers, better protecting the data of Canadians, especially minors, and creating a clear set of rules to encourage Canadian organizations to innovate while using data responsibly.\u201d<\/p>\n In response, Conservative Rick Perkins said, \u201cPrivacy is a fundamental human right. It should be recognized in this bill, but it is not.\u201d Conservative Ryan Williams went further saying C-27 \u201cneeds massive rewrites and amendments to properly protect privacy.\u201d<\/p>\n It isn\u2019t clear yet whether the Liberal minority government has the votes to pass C-27 unchanged. The Liberals struck a deal with the NDP to support the government until 2025 on confidence and money bills. There are no news reports on whether the deal includes the NDP backing C-27. It isn\u2019t known whether, if the Conservatives demand major changes to C-27, they will be supported by the New Democrats \u2014 or vice versa. A partnership of those two parties can override Liberal objections to changes.<\/p>\n The Citizen Lab report largely deals with problems of companies collecting, using, and disclosing data from mobile devices. With individuals increasingly using smartphones, laptops, and tablets as their principal telecommunications devices, this data is valuable to businesses \u2014 and governments.<\/p>\n The report focuses on the public controversy that broke out last December<\/a> when news came out that Telus and a data analytics firm called BlueDot gave de-identified data and aggregated data to the Public Health Agency of Canada early in the COVID-19 pandemic, to help figure out how and where the virus was spreading. Data that has been de-identified and aggregated in particular ways likely can\u2019t be re-identified, the report notes.<\/p>\n Citizen Lab argues that the data collection was likely legal under PIPEDA, but Ottawa failed to ensure that Telus and BlueDot got meaningful consent from individuals about the re-use of their personal data.<\/p>\n If the CPPA isn\u2019t amended, Citizen Lab argues, that will happen again. The worry, Parsons said, is that another government might get (or buy) and use private sector mobility data to find out more intrusive things, like how many women are going to family health centres.<\/p>\n \u201cMobility information can be intensely sensitive,\u201d the report says. \u201cIt can reveal individuals\u2019 and communities\u2019 patterns of life and reveal associational trends before participants themselves are aware of them.\u201d<\/p>\n Among the report\u2019s complaints is that the CPPA makes a distinction between the protection of anonymous data (data stripped of personal identifiers so individuals cannot be re-identified) and de-identified data (data processed in a less strict way that could allow persons to be re-identified). Anonymized data wouldn\u2019t be covered by the CPPA. Companies would have to follow CPPA\u2019s protections in handling de-identified data \u2014 but, there would be exceptions in certain cases, allowing businesses to treat it as anonymized data. Those exemptions should be removed, says Citizen Lab.<\/p>\n Another exemption that should be abolished, says the report, is one that would allow an organization to disclose de-identified data to a government institution if it is made for \u201ca socially beneficial purpose\u201d such as health, improvements of public amenities or infrastructure, the protection of the environment, \u201cor any other prescribed purpose.\u201d<\/p>\n If the government wants to go ahead with that, every individual should have to be told and given the choice of opting out, says the report \u2014 and the federal privacy commissioner should have to approve the disclosure.<\/p>\n The CPPA proposes that a business can collect or use an individual\u2019s personal information without their knowledge or explicit consent if it\u2019s for an activity in which the firm has a legitimate interest \u201cthat outweighs any potential adverse effect on the individual\u201d as long as the personal information isn\u2019t collected or used for the purpose of influencing the individual\u2019s behaviour or decisions. In that case, says Citizen Lab, people should be told and given the right to opt-out.<\/p>\n The CPPA says the sharing of personal data collected by a business is acceptable under certain conditions. The proposed legislation says three factors are to be taken into account, including the sensitivity of the personal information and\u00a0whether the purposes represent And if a firm determines that the personal information it has collected is to be disclosed for a new purpose, it has to renew its consent obligation from individuals before it can be used.<\/p>\n Finally, while the CPPA gives individuals the right to sue firms for violating the act after the privacy commissioner has made a finding of wrongdoing, Citizen Lab says that the condition should be removed because it may take some time for the commissioner to issue a report.<\/p>\n The post Proposed privacy law lets personal data be \u2018exploited\u2019 by Canadian firms: Citizen Lab<\/a> first appeared on IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Two reports from rights groups are the first attacks on the proposed updating of the federal-private sector law before it goes to a parliamentary<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[58,361,16],"tags":[691,391,415,527,396,275],"class_list":["post-31641","post","type-post","status-publish","format-standard","hentry","category-government-public-sector","category-privacy","category-security","tag-citizen-lab","tag-di","tag-government-of-canada","tag-legislation","tag-postmedia","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=31641"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31641\/revisions"}],"predecessor-version":[{"id":31690,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31641\/revisions\/31690"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=31641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=31641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=31641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Related content: More background on CPPA<\/a><\/strong><\/h5>\n
\nlegitimate business needs of the organization. Citizen Lab proposes firms have to take a new factor to take into account: The company has to do an analysis of the sensitivity of the privacy interest in the information, and what it calls \u201cthe sensitivity of quality-impacting inferences that could be derived from or associated with the personal information.\u201d<\/p>\n