In 2020, I wrote about what I considered a significant flaw under the proposed Consumer Privacy Protection Act in Bill C-11, which was tabled in November 2020, and then died when the federal election was called in 2021.
Bill C-11 retained the definition of personal information — information about an identifiable individual — but introduced a new concept of “deidentify.” This seemed to, by implication, alter the concept of personal information, expanding the scope of federal privacy legislation and tossing away years of judicial guidance in the process. Bill C-27 would do this as well, though in a slightly more complicated way.
The current Personal Information Protection and Electronic Documents Act defines “personal information” as “information about an identifiable individual.” There are two related lines of inquiry to consider: The first is whether the information is “about” an individual (as opposed to, for example, an object), and the second is whether an individual is “identifiable.”
Courts have used somewhat different language to explain “identifiability.” In 2007, the Federal Court of Appeal stated an individual is identifiable if it is “reasonable to expect” that an individual could be identified from the information alone or combined with “sources otherwise available.” A year later, the Federal Court of Canada adopted the standard put forward by the Privacy Commissioner of Canada: There must be a “serious possibility” of identifying an individual through the information alone or combined with “other available information.”
More recently, the Federal Court found “serious possibility” and “reasonable to expect” are effectively the same thing: more than mere speculation or possibility, but not probable on a balance of probabilities.
So, under PIPEDA, the law only applies, in theory, if there is a serious possibility an individual can be identified. The proposed CPPA would retain the existing definition of personal information while adding two more:
- Deidentify “means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.”
- Anonymize “means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
The CPPA would therefore include three separate concepts, which apply as follows:
- Personal information: All requirements of the law apply.
- Deidentified personal information: Some requirements of the law apply.
- Anonymized information: The law does not apply.
This is a significant change from PIPEDA, though exactly how much is unclear. First, the definition of “deidentify” is vague. It seems unhelpful to state there is a risk of reidentification with deidentified data because there is always a risk; the question is exactly how much risk must remain. If the definition of deidentify is roughly equivalent to the definition of personal information today, organizations may not gain anything from introducing this concept. For example, the CPPA would allow an organization to use deidentified personal information for “internal research, analysis and development purposes” without consent. Organizations can currently do this under PIPEDA without consent so long as the information is rendered not identifiable in accordance with judicial guidance. If “deidentify” ends up being roughly equivalent to a “serious possibility,” this could actually impose new restrictions on the ability to innovate with information.
Then there is the concept of anonymization. For the CPPA not to apply, organizations will need to “ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” This is certainly a higher standard than “serious possibility,” as it appears to leave no risk of reidentification. The CPPA would therefore seem to alter rather than codify existing judicial interpretations, implying that the definition of personal information must be broader to begin with. In other words, the serious possibility standard established by the Federal Court will no longer be relevant.
What this means
It appears the CPPA under Bill C-27 would expand the scope of privacy legislation by lowering the threshold for when information is “identifiable.” Although they take different paths, Bill C-11 and C-27 seem to arrive at the same place, defining tests for identifiability organizations may be pre-ordained to fail. With the potential to penalize a business out of existence, this is a significant shift: The scope of privacy legislation will expand, organizations will have to relearn where the boundaries lie, and courts may be unable to rely on precedence to challenge findings of the Privacy Commissioner and Data Protection Tribunal.
If you want to comment on this post, you need to login.