While we are in the supposed lazy hazy days of summer (and, I would add, a massive heat wave in Ottawa), there’s still plenty to keep us privacy pros busy. It may not be the most exciting beach reading, but now is the time to pay attention to Bill C-27. This is the bill that introduces three new federal laws, one of which will replace the Personal Information Protection and Electronic Documents Act.
I know I mentioned this last week, but I hope everyone reads this proposed new law closely and pays attention to how smart people in our field are interpreting it, because the fall will arrive quickly and as an industry we need to consider the ramifications of some of the provisions.
There are several big changes proposed. One big change I want to focus on here is how the new law treats deidentified and anonymized personal information. My business partner, Shaun Brown, who continues to be quite focused on this particular issue since the last round with C-11, recently wrote an article in the IAPP’s Privacy Perspectives about this topic and it’s the type of exciting reading I’m referring to.
In a nutshell, he suggests the new law encourages organizations to anonymize their data sets so the law becomes inapplicable. The problem is that the proposed definition of "anonymize" is very strict and I imagine many data scientists out there would argue it will be scientifically impossible to ever anonymize data if that definition in C-27 remains.
With respect to deidentified data, Shaun argues that it moves away from time-honored definitions we and the courts use under PIPEDA because if passed, the law expands the definition of what is personal information. I think we need to make sure we don’t inadvertently expand or reduce the scope of our privacy law in a way that is problematic and not necessarily intended.
While I’m at it, let me point out another suggestion being made in terms of regulation. A few days ago through thinktank CD Howe Institute, Elizabeth Denham, former U.K. Information Commissioner, and Konrad von Finckenstein, former Canadian Radio-television and Telecommunication Commission Chair and former Competition Commissioner, issued a joint letter as regulatory reform gets underway in Canada. They’re calling for more and better collaboration and coordination across agencies involved in regulating the digital economy and suggesting this hasn’t necessarily been at the top of the government’s agenda. I know many of our clients would certainly appreciate this idea, as navigating the silos and overlaps between regulators can be a challenge.
Anyway, I’m not suggesting you forgo your beach read completely, just that you add some privacy content to the pile. Because if you work for an organization that processes the personal information of people from within Canada, this new law — as well as how privacy is going to be regulated in Canada going forward — will have a big impact on you, your organization and your clients. Now is the time to make sure all the important issues get proper consideration when Parliament resumes in just a few short weeks.