On April 13th the Federal Court sided with Facebook in a decision arising from a 2019 investigation into whether Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and the B.C. Personal Information Protection Act (PIPA) by failing to obtain appropriate consent and safeguard the data of its users. The Cambridge Analytica scandal, which received a great deal of publicity during the Donald Trump election, involved a researcher who developed a Facebook app that collected user data and subsequently disclosed that data to third parties, who developed “psychographic” models for the purpose of targeting political messages towards segments of Facebook users. The complaint was lodged against Facebook rather than the app developer specifically, and the court stated there was an “evidentiary vacuum” with regard to users’ expectations of privacy and a lack of expert evidence presented by the Commissioner regarding what Facebook might have done differently.
It is evident that PIPEDA has become so out of date that the Federal Commissioner is treading on shifting sands, trying to stretch the law to address controversial data practices. The court concludes that ultimately, “given the purpose of PIPEDA is to strike a balance between two competing interests, the court must interpret it in…a pragmatic manner”.
I highly recommend an excellent blog post by Dr. Teresa Scassa that analyzes this decision; it is so much more than a scathing commentary on the Commissioner’s application to the court. It highlights the limitations of PIPEDA in depth. With a law that has so much room for interpretation and that has the balancing of business interests and privacy interests at its very core, the need for a human-rights-based approach to privacy couldn’t be more urgent.
If the Consumer Privacy Protection Act (CPPA) proposed by Bill C-27 were in force today, the Commissioner would be empowered to recommend a penalty to the Personal Information and Data Protection Tribunal if he found that an organization had contravened certain provisions in the Act. The administrative tribunal would be able to impose penalties for contraventions of the CPPA, and, separately, to hear appeals from decisions of the Commissioner. In determining whether it is appropriate to impose a penalty on an organization, the CPPA will require the Tribunal to rely on the findings set out in the Commissioner’s decision. Only on appeal from a decision of the Commissioner will the Tribunal be allowed to substitute its own findings for those of the Commissioner.
Stronger Enforcement is Coming
Under PIPEDA, the Commissioner has no order-making power, whereas under the CPPA the Commissioner and Tribunal will each have order-making powers. Any decision made by the Tribunal regarding non-compliance or penalties to be imposed (up to the higher of three percent of gross global revenue or $10 million) could be enforced by the Federal Court or any Superior Court. Thus, Bill C-27 represents an entirely new enforcement regime for privacy compliance, and an entirely new level of exposure to penalties for non-compliance.
Bill C-27 Past Second Reading…Now What?
On April 24th, Bill C-27 passed second reading and the bill now moves forward to consideration by the Standing Committee on Industry and Technology. Given the House will rise for the summer in just over a month, the bill is unlikely to get to third reading until the fall. If the Bill does receive Royal Assent by the end of this calendar year, we can expect the federal government to give organizations some time, not to mention the time needed to structure the new tribunal, before the CPPA comes fully into force. I believe we can expect this long-awaited revamp to Canada’s privacy framework to be in force by mid-2024 at the earliest, but likely the last quarter of 2024. This lines up with the coming into force of the data portability right in Quebec’s Law 25 for Quebec residents. In time, we can also expect reform initiatives for the B.C. and Alberta PIPAs. These are all important steps forward in updating Canada’s privacy legal framework, which has fallen so far behind global initiatives forcing organizations around the world to take privacy protection seriously.