Bill C-11 and exceptions to consent for de-identified personal information

Schwartz Reisman Research Leads Lisa Austin (Law) and David Lie (Electrical and Computer Engineering) comment on aspects of Canada’s newly-proposed privacy law reform. This piece is the second in a series of posts on the features, implications, and controversies surrounding privacy law reforms in Canada and around the world in an increasingly digital and data-rich context.


Canada’s proposed Bill C-11 largely follows the Personal Information Protection and Electronic Documents Act’s (PIPEDA) model of requiring “knowledge and consent” for the collection, use, or disclosure of personal information. However, Bill C-11 also creates some new exceptions to consent, including for “business activities”—as discussed in a previous blog post—and for personal information that has been “de-identified” (see sections 21, 22, 39 of the Bill).

In this post we will discuss this new de-identification regime.

View the Government of Canada’s proposed Bill C-11, first reading, November 17, 2020.

Under PIPEDA, if information is not identifiable then it is not within the scope of the Act. This means that organizations are free to collect, use, or disclose this information for any purpose without being bound by PIPEDA’s obligations (including consent). In their recent Cadillac Fairview investigation, the Information and Privacy Commissioners of Alberta and BC and the Privacy Commissioner of Canada stated (at para. 61) that courts have “found that information will be considered personal where it is reasonable to expect that a person can be identified from the information at issue when combined with information from sources otherwise available.” They found that Cadillac Fairview’s collection of media access control (MAC) addresses (a unique identifier on mobile devices) to track shoppers was not “personal information” because it was not identifiable in the circumstances. Therefore, its collection and use did not require consent. (They found, however, that the use of Anonymous Video Analytics (AVA) did involve the collection of personal information and therefore required consent.)

Bill C-11 takes a different approach. First, it defines “de-identify” as something that is done to personal information. The definition (see s.2) is as follows:

“[D]e-identify” means to modify personal information—or create information from personal information—by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.

Lisa Austin and David Lie

Second, it then exempts some uses and disclosures from the “knowledge and consent” obligations when personal information has been de-identified. The result is that C-11 effectively brings de-identified information within the scope of the legislation and regulates it, even though it regulates it differently from personal information that has not been de-identified (ss. 21, 22, 39). It also prohibits re-identifying individuals except to test security safeguards (s.75).

It has always been problematic to try to draw a bright line between what is identifiable and what is not identifiable for the purposes of determining what is regulated and what is not. A large body of research now tells us that there is no such line, just a variety of methods to reduce the risk of re-identification and a lot of skepticism regarding eliminating this risk (for a deep dive on this issue, stay tuned for an upcoming blog post). We cannot have a regulatory architecture premised on a binary classification (identifiable/not-identifiable) if what it regulates is a spectrum of risk.

This question of whether de-identified information falls within the scope of the legislation has also detracted from another issue, which is that “de-identifying” personal information is an important security strategy. C-11 clarifies that an organization can use personal information without consent in order to de-identify this information, which makes it easier for this to be a security default (s.20). 

But re-identification risks are not the only issue. There is also increasing social concern about the uses of de-identified data quite apart from re-identification risks—such as its use in forms of profiling and other kinds of predictive modeling. There are social harms and social benefits associated with the use of de-identified information that need to be addressed. Bringing de-identified information within the regulatory scope of C-11 provides the basis for doing this. Under C-11, some uses and disclosures of de-identified personal information do not require consent but some still do. Moreover, de-identified personal information remains subject to other obligations including security, transparency, and appropriate purposes.

Despite the many advantages of C-11’s approach to de-identified personal information, we want to flag three potential problems. First, C-11 does not fully resolve the question of whether de-identified information lies within or outside of the scope of the legislation. Second, Big Tech might be advantaged by the new rules at the expense of other organizations and uses that might be in the public interest. Third, the new prohibition against re-identification is too weak.

Scope of Bill C-11

Bill C-11’s approach to de-identification is premised on the idea that personal information has been collected but that subsequent uses or disclosures might be subject to different rules (such as the exemption from consent) if de-identified. But does that mean that there is still some information that is not personal information at all, such that it can be collected without being regulated by the legislation? 

For example, would the recent investigation into Cadillac Fairview’s mobile tracking come to the same conclusion under C-11 as it did under PIPEDA? In that case, the MAC addresses were not considered personal information because, in the circumstances, it was not reasonable to expect that a person could be identified. The problem is that the test for identifiability that was used is virtually identical to the definition of “de-identify” in C-11. This could lead to the following very strange scenario:

  • If you collect information where it is not reasonable to expect that a person can be identified, then it is not personal information and therefore is not regulated. Consent is not necessary for its collection but also there are no further obligations regarding its subsequent use or disclosure, security, transparency, etc.

  • If you collect personal information and then “de-identify” it so that it cannot be used in reasonably foreseeable circumstances to identify an individual, then it is regulated and there are further obligations regarding its use or disclosure, security, transparency, etc.

In both cases the information could have the same risk of re-identification and yet be subject to very different treatment. 

Addressing this is not straightforward. C-11 could add a provision allowing organizations to collect de-identified information without consent, at least in some circumstances. However, it would need to address its definition of de-identify, which is premised on the idea that one starts with personal information and then performs actions on this information that render it de-identified. Or C-11 could create a category of “anonymous” information that is indeed outside of the scope of the legislation. We will return to these questions of revising the definition, and the policy choices involved, in a later post. 

The Big Tech advantage

There are several exceptions to “knowledge and consent” for personal information that has been de-identified. One is for prospective business transactions (s.22), which we find reasonably straightforward. Questions arise more in relation to the other two exceptions. One is when an organization uses de-identified information for “internal research and development purposes” (s.21). Another is when an organization discloses de-identified information for “socially beneficial purposes” (defined in s.39 of the legislation, with a number of additional limits).

The question of Big Tech arises out of this distinction between use and disclosure. Companies like Google and Facebook are great hoarders of data and the exception for internal use allows them to use de-identified personal information for purposes that were not originally consented to (see s. 14(2)). Although these internal uses would still be subject to the “appropriate purposes” provision (see s. 12), the “factors” that are used to determine appropriateness are restricted to factors that consider individual privacy interests. Potential concerns about the uses of de-identified information go beyond individual privacy and impact group privacy as well as highlight the broader societal impacts of forms of profiling—as we saw in the Cambridge Analytica scandal. Bill C-11 would not address this.

Organizations who require access to another organization’s data for research and development purposes will not have the same advantages as Big Tech, as sharing data requires one organization to disclose it to another. Disclosures of de-identified information without consent are restricted in C-11 to the “socially beneficial purposes” exception (s.39) or the more limited exception relating to prospective business transactions (s.22). The socially beneficial purposes exception restricts both the recipient of the information (e.g., government, universities, public libraries, health care institutions, organizations mandated by the government to carry out a socially beneficial purpose, and other prescribed entities) and the purposes of the disclosure (“a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose”). 

The result of this distinction between internal uses and external disclosures is that Big Tech data hoarders will be able to use de-identified personal information for a much broader set of purposes than other organizations, and some of these uses might not be socially beneficial.

What should be the response? The government should consider amending s.12 (appropriate purposes) to reflect concerns that go beyond individual privacy (they should also do this in s.5’s purpose clause). And it should consider expanding the socially beneficial purposes exception. 

Prohibition on re-identification

C-11 includes a prohibition on re-identification (s. 75) but it has a number of limitations that weaken its important role. First, this prohibition applies to organizations regulated by the Act. However, the new “socially beneficial purposes” provision contemplates the sharing of de-identified information with organizations that are not regulated by the Act. University of Ottawa Professor Teresa Scassa has suggested that such sharing be accompanied by data-sharing contracts to limit downstream uses. It is also important to impose obligations ensuring sufficient safeguards regarding re-identification, as these organizations will not be subject to the new prohibition on re-identification. 

Bill C-11 includes remedies that PIPEDA lacks, including the possibility of penalties for breach of some obligations (up to the higher of $10,000,000 or 3 per cent of gross global revenue) and fines for offences under the Act (up to $20,000,000 or 5 per cent of gross global revenue). It is an offence to “knowingly” violate s.75 (see s.125). However, if an organization re-identifies an individual through negligent practices then it is not subject to the new penalties (see s. 93) even though organizations have a “due diligence” defence available to them (see s.94(3)).

This significantly weakens the ability of Bill C-11 to address re-identification risks.

Editor’s note: Bill C-11 failed to pass when Canada’s federal parliament was dissolved in August 2021 to hold a federal election. In June 2022, many elements of C-11 were retabled in Bill C-27. Read our coverage of C-27.
