This is the last correspondence from me for 2023. I hope you and your loved ones are able to enjoy a happy, peaceful and relaxing holiday season.
I'll end the year by doing what I've been doing a lot this year: Summarizing what's being said about the legislation contained in Bill C-27. This week, the privacy regulators from Alberta, British Columbia and Quebec appeared before the House of Commons of Canada's Standing Committee on Industry and Technology, which is studying the proposed law.
For me, a few things stood out from their testimony regarding the proposed Consumer Privacy Protection Act:
- Like several other witnesses, they have advocated that the proposed privacy law cover federal political parties. They pointed out that, provincially, this is starting to happen with British Columbia and Quebec leading the way. It's high-time for the federal government to acknowledge that our political parties are among the largest data brokers we have in this country and leaving them without regulation is simply unacceptable.
- The three provincial regulators also advised the committee to scrap the whole idea of having an expert privacy tribunal. The idea behind the tribunal is so that organizations that disagree with the commissioner's orders would appeal to this new interim level, that would come before a proceeding in Federal Court. The tribunal would also be the entity that would set monetary penalties once recommended by the commissioner. The regulators suggested this tribunal will just create barriers to justice and slow the process down. Having the court remain as the overseer of commissioner proceedings ensures faster resolutions. Secondly, if the tribunal becomes the entity that imposes fines, it would have to do so without the ability to coordinate with provincial regulators.
- Alberta Information and Privacy Commissioner Diane McLeod expressed her worry that the new "legitimate interests" exemption found in section 18 of the proposal was potentially too expansive. I think she sees that exemption as prone to abuse. I'm not sure about this one. In the EU, they have had the legitimate interest exception since 2018 and there have only been a small handful of decisions where the regulators have disagreed with an organization's reliance on that provision. I think it is a smart addition to our privacy law and I see it working to end the plethora of times we have to click "I agree" to indicate our consent to various things. If the collection, use and disclosure is what a reasonable person would expect, then we should be able to do away with the fallacy of expressing consent at every turn. Those are my two cents on that one!
Ok, I'll leave it there. I have a few weeks now to think about what my privacy-related resolutions will be. Do you have any already? If yes, let me know what they are, either via comments or by email. Heck, if we have enough maybe this will be good fodder for an early 2024 message.
Have a good weekend, a great holiday season and a wonderful New Year.
