Chapter 2: The Framework of Big Data Law in Canada, and Its Privacy Law Core

HTML VERSION

Chapter 2:
The Framework of Big Data Law in Canada, and Its Privacy Law Core

I. The Canadian Big Data Legal Framework

(a) Privacy as the Starting Point

The Canadian big data legal framework emphasizes privacy at its core, and expands beyond privacy at its outer layers. As a general starting point in the private sector context, personal information can be collected, used or disclosed “only for purposes that a reasonable person would consider … appropriate in the circumstances.” This standard applies, for example, to “repurposing” data for analytics-based insights, marketing campaigns, and various other cases.

[See PIPEDA, s.5(3); consent, collection and safeguarding issues as discussed in Chapter 4; big data market issues as discussed in Chapter 11; use of big data in artificial intelligence as discussed in Chapter 10; use of big data in the context of marketing as discussed in Chapter 6.]

In the case of analytics, the practice of anonymizing data post-collection is not a panacea to consent and collection issues. Parliament is presently considering a recommendation to enact “rules and guidelines regarding data ownership and data sovereignty[,] with the objective of putting a stop to the non-consented collection and use of citizens’ personal information.”

[See ETHI Committee Report, “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly” (Dec 2018) at 73, Recommendation 21.]

Moreover, in the private sector, the required privacy law standard is not met when the collection, use, or disclosure is for the following six purposes, also known as “no-go zones” under PIPEDA:

1. collection, use, or disclosure is otherwise unlawful;
2. profiling or categorization leads to unfair, unethical or discriminatory treatment contrary to human rights law;
3. collection, use or disclosure is likely to cause significant harm;
4. publishing personal information with the intent to charge a fee for its removal;
5. requiring passwords to social media accounts for employee screening purposes; and
6. surveillance through a person’s own device.

[See OPC, “Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)” under “Inappropriate purposes or No-Go Zones” (May 24, 2018).]

Beyond the foregoing, the Canadian big data legal framework exists as a patchwork of statutes, regulations, and case law. As previously stated, privacy is at the core of this framework, with other areas of law building off the core. It is helpful to consider the entire patchwork in seven layers.

(b) First Layer

The first layer involves core privacy legislation at the federal level, constitutional privacy protections, and federal policy:

• The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is federal legislation. It applies to private sector personal information, and to public sector employee or applicant information when the Privacy Act does not apply. PIPEDA does not apply in certain cases involving a personal, domestic, journalistic, artistic, or literary purpose;
• The federal Privacy Act covers personal information held by federal government institutions, and establishes the federal Office of the Privacy Commissioner (“OPC”);
• The federal Access to Information Act covers access to personal information in the custody of federal government institutions;
• The Canadian Charter of Rights and Freedoms (“Charter”), through judicial interpretation, provides privacy rights in respect of dealings with government entities;
• Canada’s Digital Charter serves as the federal government’s foundation to guide policy and action for a “people-centred and inclusive digital and data economy”.

(c) Second Layer

The second layer applies provincially, and replaces the material parts of PIPEDA in the referenced provinces:

• British Columbia’s Personal Information Protection Act;
• Alberta’s Personal Information Protection Act;
• Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

(d) Third Layer

The third layer also applies provincially, or with respect to the territories, but does not exempt application of PIPEDA. This layer is vast, covering both public and private activities. A non-exhaustive list of relevant statutes, exclusive of regulations, includes the following:

• Ontario’s Freedom of Information and Protection of Privacy Act;
• Ontario’s Municipal Freedom of Information and Protection of Privacy Act;
• Ontario’s Consumer Reporting Act;
• British Columbia’s Privacy Act;
• British Columbia’s Freedom of Information and Protection of Privacy Act;
• Alberta’s Freedom of Information and Protection of Privacy Act;
• Saskatchewan’s Privacy Act;
• Saskatchewan’s Freedom of Information and Protection of Privacy Act;
• Manitoba’s Privacy Act;
• Manitoba’s Freedom of Information and Protection of Privacy Act;
• Manitoba’s Personal Information Protection and Identity Theft Prevention Act;
• Quebec’s Act Respecting Access to Documents Held By Public Bodies and the Protection of Personal Information;
• Quebec’s Civil Code, arts. 3 and 35-37;
• Quebec’s Charter of Human Rights and Freedoms;
• New Brunswick’s Right to Information and Protection of Privacy Act;
• Nova Scotia’s Personal Information International Disclosure Protection Act;
• Newfoundland and Labrador’s Privacy Act;
• Newfoundland and Labrador’s Access to Information and Protection of Privacy Act;
• Prince Edward Island’s Freedom of Information and Protection of Privacy Act;
• Yukon’s Access to Information and Protection of Privacy Act;
• Northwest Territories’ Access to Information and Protection of Privacy Act;
• Nunavut’s Access to Information and Protection of Privacy Act.

(e) Fourth Layer

The fourth layer is based on industry. For example, with respect to the healthcare industry, the following statutes apply and replace the material parts of PIPEDA in the referenced provinces:

• Ontario’s Personal Health Information Protection Act;
• New Brunswick’s Personal Health Information Privacy and Access Act;
• Nova Scotia’s Personal Health Information Act;
• Newfoundland and Labrador’s Personal Health Information Act.

All other provinces and territories, with the exception of Nunavut, also have legislation specifically governing the protection of personal health information. However, such legislation does not exempt the application of PIPEDA:

• British Columbia’s E-Health (Personal Health Information Access and Protection of Privacy) Act;
• Alberta’s Health Information Act;
• Saskatchewan’s Health Information Protection Act;
• Manitoba’s Personal Health Information Act;
• Yukon’s Health Information Privacy and Management Act;
• Northwest Territories’ Health Information Protection Act;
• Quebec’s Act respecting health services and social services;
• Quebec’s Act respecting health services and social services for Cree Native persons;
• Prince Edward Island’s Health Information Act.

Within the health sector, there is an additional sublayer of federal legislation that prevents the mandatory disclosure of genetic material in a commercial context. The relevant statute is the Genetic Non-Discrimination Act (“GNDA”), which adds to the underlying body of health-related privacy protections. The Quebec Court of Appeal has held this statute to be unconstitutional, and an appeal to the Supreme Court of Canada was heard in October 2019. As of the date of this book’s publication, the Supreme Court’s decision is still pending.

[See Quebec’s reference re constitutionality of GNDA, 2018 QCCA 2193; SCC matter summary no. 38478 re Canadian Coalition for Genetic Fairness v. Attorney General of Quebec, et al. (undated).]

With respect to the financial and investment sectors, the following statutes and regulatory guidelines have federal application, but do not replace PIPEDA:

• Bank Act;
• Trust and Loan Companies Act;
• Guidelines issued by the Office of the Superintendent of Financial Institutions (“OSFI”);
• Guidelines issued by the Canadian Securities Administrators (“CSA”);
• Guidelines issued by the Investment Industry Regulatory Organization of Canada (“IIROC”);
• Guidelines issued by the Mutual Fund Dealers Association of Canada (“MFSA”).

(f) Fifth Layer

The fifth layer comprises federal statutes and international treaties which apply to privacy, in addition to other areas of big data regulation which extend beyond the privacy core. These statutes encompass various commercial and governmental activities under the broader big data umbrella:

• Canada’s Anti-Spam Legislation, with a longer official name shortened to “CASL”, contains several prohibitions regarding commercial electronic messages, installing software without consent, and causing installed software to communicate externally without consent. This legislation is discussed more fully in Chapter 6.
• The right to be forgotten / right of erasure in Canada is still in development. Although it is uncertain whether or how this right will materialize, the very prospect of this right should be considered as part of the larger big data legal framework in Canada. This developing right is discussed further in Chapter 7.
• The transfer of data across borders is an important, developing topic of international law, as discussed in Chapter 8.
• Cyber-surveillance and related espionage activity is covered by a framework of statutes arguably competing with the Charter, as discussed in Chapter 9.
• The Directive on Automated Decision Making (“DADM”), and the CIO Standard, represent the current state of artificial intelligence regulation in Canada. The emerging international and domestic standards for artificial intelligence, with respect to both development and operation, are discussed in Chapter 10.
• The Competition Act aims to protect big data marketplaces, and data subjects/consumers with respect to deceptive marketing tactics. Various anti-trust issues are discussed in Chapter 11, in the big data context.
• The Canadian Radio-television and Telecommunications Commission Act, Broadcasting Act, and Telecommunications Act, along with various additional statutes and regulations, cover broadcasting-related activity. Consideration of these statutes is beyond the scope of this book, aside from passing analysis of net neutrality issues, for example with respect to blocking orders and data flows.

(g) Sixth Layer

The sixth layer involves federally applicable criminal offences, and provincially applicable statutory torts for a breach of privacy without damages:

• The CriminalCode contains criminal offences related to intercepting private communications and computer systems (ss. 184, 1);
• British Columbia’s Privacy Act (previously mentioned);
• Saskatchewan’s Privacy Act (previously mentioned);
• Manitoba’s Privacy Act (previously mentioned);
• Newfoundland and Labrador’s Privacy Act (previously mentioned).

(h) Seventh Layer

The seventh layer is an extension of the sixth layer. It covers various additional rights of action which usually require damages. These rights of action are found in the common law and provincial statutes:

• privacy torts including intrusion upon seclusion, breach of confidence, defamation, nuisance, non-consensual distribution of private intimate images, etc.;
• negligence including employee negligence and negligent hiring;
• breach of contract;
• breach of provincial consumer protection legislation;
• breach of trust, bailment, or other fiduciary duty;
• breach of good faith;
• emotional suffering and inconvenience;
• unjust enrichment.

The case law arising from data breaches is discussed in greater detail in subsection IV of Chapter 4.

(i) The Direction of Core Privacy Law in Canada

Substantive privacy rights and obligations, and the powers of relevant regulatory bodies, are expected to evolve with upcoming legislative reform. That evolution will tighten the law with respect to privacy and broader big data issues. The most recent sign of reform is a 2019 joint resolution, signed by all Canadian privacy regulators, to “call on their respective governments to modernize [privacy] legislation.”

[See Government of Canada, “Strengthening Privacy for the Digital Age” (May 21, 2019) re PIPEDA and Privacy Act reform; ETHI Committee Report, “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly” (Dec 2018); OPC, “Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians” (Nov 6, 2019); OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 2: “In the last year, the government has finally agreed the time for reform ha[s] come. ... The question is no longer whether privacy laws should be modernized, but how.”]

The likely direction of privacy law in Canada—which will significantly impact the broader big data legal framework—was recently alluded to by the Privacy Commissioner of Canada, Daniel Therrien. He publicly stated, “In Canada, the starting point … should be to give the law a rights-based foundation worthy of privacy’s quasi-constitutional status in this country.” This view was followed with a statement that the “GDPR is an excellent starting point” for Canadian national privacy law reform.

[See ETHI Committee Evidence Hearing, Meeting 154 (May 28, 2019); Nammo v. TransUnion of Canada Inc., 2010 FC 1284 at para. 74; OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 2-3, 10, 12 re a rights-based privacy framework in Canada.]

As will become evident throughout the rest of this book, the recent drips of change in Canadian privacy law are precipitating a fast-approaching flood, which will broadly wash over the entire big data industry. With some legal foresight, planning for upcoming reform is possible and prudent. Legal preparations can—and should—be made today to stay afloat tomorrow.

II. Privacy Weaknesses in the Federal Public Sector

As previously stated, privacy law at the federal public level is primarily governed by the federal Privacy Act. There are several deficiencies in the wording and outlook of this statute, and various surrounding documents, that deserve mention.

To start, the federal public sector’s privacy obligations are far too light with respect to collecting personal data. Specifically, under the Privacy Act, there is no requirement to obtain the data subject’s informed consent before or during the collection of personal data. In other words, it appears that the data subject has no choice in the matter. The only requirements for collecting personal data are:

• the collection must be directly from the individual concerned (unless an exception applies); and
• the collection must relate “directly to an operating program or activity of the institution.”

[See Privacy Act, ss.4-5, 8(2); Government of Canada, Directive on Privacy Practices (Apr 1, 2010), s.6.2.11; OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 14.]

Moreover, a federal public entity’s non-consensual use or disclosure of such personal data only requires:

• a use consistent with the purpose for which the personal data is collected; or
• one of various other circumstances.

[See Privacy Act, ss.7, 8(1)-(3).]

The first of these paths to non-consensual use or disclosure provides almost no privacy protection at all, since virtually any use may be “consistent” with the purpose of data collection. For this reason, the term “demonstrably necessary to execute” would have been preferred in place of “consistent with”. The former would raise the bar for non-consensual use and disclosure to a standard that has meaning.

[See OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 4-5, 56; Union of Canadian Correctional Officers v. Attorney General of Canada, 2016 FC 1289 at para. 141 (“Union of CCO case”); OPC, PIPEDA 2016-17 Annual Report (Sept 21, 2017) re appeal status of the Union of CCO case.]

At present, the non-consensual use and disclosure of personal data includes the non-consensual transfer of personal data to foreign parties. This issue is a prevalent feature of upcoming privacy law reform, as discussed in Chapter 8. Until such reform takes place, however, it stands to reason that any non-consensual transfer of personal data across borders, for custody or processing, should at least require a significant vetting process.

Unfortunately, the expressed mandate for vetting foreign data controllers/processors is also weaker than desired. Privacy impact assessments (“PIAs”) are mandatory in the public sector, pursuant to a Directive on Privacy Impact Assessment (“Directive”). However, the Directive and complementary Policy on Privacy Protection (“Policy”) each focus on ensuring baseline compliance with the Privacy Act, which, as discussed, does not provide a suitable standard for data handling.

[Government of Canada, Directive on Privacy Impact Assessment (Apr 1, 2010), ss.3.3-3.4, 5.1, 5.2.2; Government of Canada, Policy on Privacy Protection (Jun 29, 2018), ss.4.2.10, 4.2.17, 6.1; Privacy Act, s.71(1)(d).]

Thankfully, federal institutions contracting with foreign data controllers/processors are at least urged to implement the following measures:

• “risk mitigation strategies related to the USA PATRIOT Act”; and
• “concrete steps to identify and minimize potential privacy risks.”

[See Treasury Board of Canada, “Privacy Matters…” (2006), part 6; Government of Canada, Policy on Privacy Protection (Jun 29, 2018), ss.3.2.4, 4.2.17, 6.1; Government of Canada, Directive on Privacy Practices (Apr 1, 2010), s.5.1.1.]

These measures would appear to trigger the Treasury Board of Canada’s vendor-contracting guidance (“Guidance”), applicable to federal government institutions. However, the Guidance does not have the full force of law. Moreover, in many respects, the Guidance is outdated. For example, it requires government institutions to “ensure … against any possible risks related to the transborder flow of information.”

[See Treasury Board of Canada, “…Taking Privacy into Account Before Making Contracting Decisions” (2010) under “Transborder data flows”.]

Such a high standard is impossible to meet, for example, in the case of a contracted foreign data controller, unexpectedly forced by its government or its nation’s courts to disclose the private data of Canadians. In fact, a similar scenario was acknowledged by the OPC in 2007, when it was forced to interpret PIPEDA in a manner recognizing “that some organizations operate in more than one jurisdiction,” and may therefore be subject to foreign law.

[See OPC’s 2007 finding re SWIFT (Apr 2, 2007) at paras. 46-50.]

The Guidance also suggests “to have the work done in Canada and to have personal information segregated to a system not accessible by entities outsideCanada….” However, such measures would likely conflict with law Canada will be required to implement under the USMCA, discussed in greater detail in Chapter 8, subsection III: “Data Localization”.

There are numerous additional problems with privacy regulation in the federal public sector. The above discussion has shed light on only a few. Suffice it to say, the need for reform of privacy law in the federal public sector is particularly urgent. As stated by the OPC, “[t]he Privacy Act should, at a minimum, … make it clear that, when government work is outsourced, the government institution remains accountable for personal information [under its control].”

[See OPC, “Government Accountability for Personal Information: Reforming the Privacy Act” (June 2006).]

For now, federal government entities should consider their obligations according to stricter standards, which can largely be anticipated in advance on the basis of:

• PIPEDA (governing the Canadian federal private sector);
• GDPR (governing the European Union); and
• CCPA (governing California and quickly gaining persuasive force across the rest of the U.S.).

The stricter foreseeable standards should factor into each federal public institution’s PIAs. The assessment of foreseeable standards, and their incorporation into PIAs, should be done by data privacy counsel with a pulse on international privacy law developments, and procedural fairness relating to digital matters.

III. Privacy and Blockchain Technology

The electronic flow of payments—and digital assets in general—depend on the secure flow and custody of data. This has been recognized by the CSA, IIROC, and OPC along with various other privacy regulators.

[See CSA/IIROC Consultation Paper 21-402 (Mar 14, 2019) at 9 (5.2.1 “Custody and verification of assets”) and at 12 (5.2.4 “Systems and business continuity planning”); OPC, “Joint statement on global privacy expectations of the Libra network” (Aug 5, 2019).]

One example of blockchain technology used to further privacy objectives involves an immutable, distributed log of user activities and network operations. This measure is understood to minimize the risk of such logs being altered when a centralized system succumbs to a hack.

[See Bloksec Technologies, “Why Blockchain for BlokSec” re “an auditable, indisputable record of information that is more secure than any centralized record-keeping system” (undated, public disclosure permission granted).]

Considered more broadly, blockchain technology can also trigger privacy law complications. For example: when private data is written to a global public blockchain, designed to retain data indefinitely. Such operations will almost certainly offend the fundamental privacy principles of retractable consent, limited periods of data retention, and permitting a data subject’s correction or deletion of her personal information at will. Complications with applicable data localization requirements, as discussed in Chapter 8, may also arise.

[See the author’s video discussion on this topic, “Future of Privacy” panel at the Futurist Conference (Toronto: Aug 13, 2019); PIPEDA, Sch. 1, Principles 4.3.8, 4.5.2, 4.5.3, 4.9.5.]

Moreover, the very nature of distributed ledgers raises difficulties in the enforcement of privacy law. The distribution of data across computers all over the world is challenging traditional concepts of focused liability, and forcing development of new theories in “distributed liability”.

[See Chetan Phull, “Liability with no control” (CBA Nat. Mag., June 2019).]

One legal solution is to consider the blockchain’s network of nodes as an “organization” under PIPEDA. There is U.S. precedent for such legal interpretation, in the context of a conceptually certain cryptocurrency development and marketing team. However, the inference of an organization is much more difficult in the case of nodes that have no formal or constructive relationship.

[See James et al. v. Valo et al., E.D. Texas (Nov 4, 2019) E.D. Tex. 4:19-cv-801 at para. 5; Chetan Phull, “Liability with no control” (CBA Nat. Mag., June 2019).]

Clearly, privacy law reform in Canada will need to consider various problems posed by blockchains. Reform efforts should consider the following blockchain-
specific issues, in the context of balancing privacy protection and innovation:

• nodes as third-party data processors;
• a requirement to store personal information centrally (i.e. off the immutable ledger), in order to respect a person’s right to withdraw consent, to be forgotten, to correct personal information, to object to processing, etc.;
• ledger integrity controls, to guard against a majority of miners colluding to overpower and take control of the blockchain;
• emergency procedures to minimize the effect of blockchain vulnerabilities;
• individual and class dispute resolution.