Is Canada’s Proposed Consumer Privacy Protection Act Too High Risk Compared to E.U. Data Protection Law?
By Magali Feys
The Canadian approach to de-identification outlined in Canada’s proposed Consumer Privacy Protection Act Bill C-27 (“Bill C-27”) fails to satisfy the heightened GDPR requirements of pseudonymisation and is likely insufficient to meet the requirements of data protection by design and by default under E.U. law. Embracing a low de-identification standard, rather than heightened obligations for data protection by design and by default like statutory pseudonymisation, could position Bill C-27 unfavourably for an adequacy determination due to obligations under E.U. law requiring technical ”before-the-fact” protection of personal data. Given the interconnected nature of international data flows, and the exposure represented by sub-processor and cloud processing,
Canada should consider following South Korea (the Republic of Korea) in adopting strong requirements for statutory pseudonymisation that helped secure E.U. adequacy determination.
The transmission of E.U. personal data outside of the E.U. and the European Economic Area (EEA) is only lawful if (i) the destination country is determined by the European Commission to provide an adequate level of data protection, (ii) adequate supplementary measures are in place or (iii) the transfer can rely on one of the limited interpretive derogations as set forth in Article 49 of the GDPR. This article presents reasons why Bill C-27 – in its current form – may fail to provide an adequate level of data protection in comparison to rights under E.U. law, and this with regard of the heightened obligations for data protection by design and by default like statutory pseudonymization, being one of the European Data Protection Board’s (EDPB) ‘acceptable use cases’ for lawful international data transfer.
III. Onward Transfers to Sub-Processors
The processing of E.U. personal data outside of the EEA and adequacy countries requires compliance with Schrems II requirements promulgated by the Court of Justice of the European Union (CJEU) and the European Data Protection Board (EDPB), including the use of technical supplementary measures when organisational and contractual supplementary measures cannot prevent surveillance by third-country governments. These obligations extend to onward transfers and processing by sub-processors, with respect to which the EDPB specifically highlights concerns since “a large variety of computing solutions may imply the transfer of personal data to a third country (e.g., for storage or maintenance purposes).” A recent decision by the German Baden-Württenberg 'Vergabekammer', which judges compliance with the requirements for public tender dossiers, ruled on 13 July 2022 that the risk of onward processing by sub-processors using U.S. managed cloud infrastructure is equivalent to an actual transfer of personal data requiring compliance with the GDPR. In addition, a 26 July 2022 Dutch Ministry of Justice and Security (NCSC) legal memorandum stresses that the reach of government surveillance extends to data processed internationally by sub-contractors and cloud processors. Canadian enterprises that leverage non-EEA (e.g., U.S.) managed infrastructure (e.g., public cloud, multiparty data sharing and analytics) will be subject to similar, if not further increased scrutiny, due to Canada’s participation in the Five Eyes intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the U.S. It should be noted that the heightened GDPR requirements of pseudonymisation have been recognised by the EDPB as well as the European Data Protection Supervisor (EDPS) as a viable means of enabling the lawful transfer of personal data to third countries not offering an equivalent level of protection.
IV. Strict Interpretation of Legitimate Interest Requirements
Under Canada’s current Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must obtain consent for the collection, use and disclosure of personal information. The recognition of Legitimate Interest under Bill C-27 is a welcome alternative to the “Hobson’s choice” of relying exclusively on consent for processing personal data. While the importance of consent is manifest, we cannot ignore the reality that securing meaningful consent under all situations is unrealistic. Having Legitimate Interest as an alternative prevents (a) undermining the intended protections for data subjects by “watering down” the meaningful-consent requirement so data subjects are sufficiently informed and aware of what they are agreeing to, or (b) the restriction of data processing for societal benefits that are too difficult to explain at the time of data collection.
However, positioning “Legitimate Interest” as an exception under Bill C-27 to the general requirement of consent requires a strict interpretation of the exception under EU law, which could be problematic for purposes of an EU adequacy determination. As a result, in addition to likely failing to satisfy the requirements for technical supplemental measures for onward transfers to sub-processors, the low standard of de-identification protection authorised under Bill C-27 is unlikely to satisfy the requirements for lawful Legitimate Interest processing under GDPR Article 6(1)(f).
Under Bill C-27, consent is the default legal basis, with Legitimate Interest serving as an exception to the requirement of consent. Under EU law, when something serves as an exception to a general condition, the room for interpretation is construed more narrowly, and the requirements that must be satisfied are more strictly applied. For example, Intellectual Property (IP) rights under Belgian law are viewed as an exception to the general rule of freedom of trade and commerce. Simplified, the whole regime of IP rights stems from exceptions to the principle of free trade, providing an individual or company with a negative right to prohibit another individual or company from using the same invention. However, because these rights are an exception to the general rule, one must interpret and apply the regime of IP rights in a limited and stringent manner. This explains why most IP rights are territorially bound (restrictive effect on the freedom of trade and commerce). The six legal grounds for processing personal data under the GDPR are equal to each other. As long as the conditions are met to apply any of the legal grounds under Article 6, the six grounds are on an equal footing to each other and thus can be used with the same authority. In contrast, under Bill C-27, Legitimate Interest is seen as an exception, meaning it cannot be invoked only in “exceptional circumstances” in line with the spirit of the bill, requiring a narrower interpretation and increased standard for the satisfaction of requirements. As a result of the preceding, the ground of Legitimate Interest under Bil C-27 is likely to be subject to restrictive interpretation.
V. “De-identification” Under Bill C-27 May Fall Short of Data Protection by Design and by Default
By the strict interpretation required under E.U. law for exceptions as noted above, the definition of “de-identification” proposed under Bill C-27 likely fails to satisfy GDPR mandatory requirements for data protection by design and by default. Bill C-27’s definition of the term “de-identify” in Article 2(1) expressly acknowledges the limited nature of protection afforded:
“de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” (emphasis added)
This low definitional requirement can be satisfied merely by removing direct identifiers, even though the Information and Privacy Commissioner of Ontario, CHEO Research Institute and University of Ottawa, and others have highlighted that “... dealing only with direct identifiers is insufficient to ensure that the information is truly de-identified.”
Given the broad range of express statutory rights afforded to “de-identified data” under Bill C-27, adoption of such a low requirement for de-identification falls far short of the requirements for data protection by design and by default under the GDPR. Rewarding this very low level of protection with express statutory benefits also stands in stark contrast to the significantly higher standard of statutory pseudonymisation to qualify for express statutory benefits under Article 4(5) of the E.U. and U.K. GDPR, and the data protection laws of Brazil, Japan, South Korea and five U.S. states – California, Colorado, Virginia, Utah and Connecticut.
The E.U. and U.K. GDPR (which the other statutes largely emulate) define statutory pseudonymisation as follows:
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (Emphasis added)
However, rather than requiring a heightened level of protection as a prerequisite to enjoying statutory benefits of expanded data processing privileges (as is the case for statutory pseudonymisation under the numerous statutes noted above), Bill C-27 sets a low standard of protection and hopes to discourage the misuse of poorly protected data merely by penalizing improper processing after unlawful processing occurs. This “after-the-fact penalty” versus “technologically-preventative” data protection by design and by default puts the majority of risk from unauthorized re-identification and improper processing on the shoulders of data subjects. This is because Bill C-27’s Article 2(1) self-acknowledged low level of “statutory de-identification” protection is further diminished by imposing after-the-fact penalties under Article 128(a) for organizations improperly processing data, but such penalties will occur – if at all – long after the damage to personal privacy rights of data subjects has irrevocably occurred versus requiring the implementation of preventative controls ensuring data protection by design and by default.
The irony is that “after-the-fact penalty” approach of Bill C-27 premised on ineffective de-identification is inconsistent with the obligations of organizations under Section Article 12(2) to “… collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is required under this Act” by taking into account: (a) the sensitivity of the personal information; (b) whether the purposes represent legitimate business needs of the organization; (c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs; (d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and (e) whether the individual’s loss of privacy is proportionate to the benefits in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual. (emphasis added).
More effective de-identification is both possible and readily available, enabling organizations to achieve their objectives while mitigating data protection risk to individuals. As noted by European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski in a EDPS webinar titled “Pseudonymous Data: Processing Personal Data While Mitigating Risks:
“Our legal data protection rules in the European Union and particularly GDPR itself considered pseudonymisation as a sort of model of all risk mitigating measures. This comes only after the first of all obligations, if you do not need the personal data do not process them. But if you need the personal data, then GDPR refers to pseudonymisation when it takes exemplifying the appropriate safeguards in many circumstances.”
GDPR Recital 78 obligates parties to pseudonymise data “as soon as possible,” Article 25(1) obligates parties to “implement appropriate technical and organisational measures, such as pseudonymisation,” and Article 25(2) obligates parties to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” De-identification, under Bill C-27, does not suffice as equivalent protection for any of these.
VI. Heightened Requirements for Statutory Pseudonymisation
Canada would do well to study the Republic of South Korea’s evolution from relying on less effective principles of de-identification to embracing heightened protection requirements for statutory pseudonymisation. South Korea’s adoption of statutory pseudonymisation was a key element in the EU Commission’s determining adequacy.
Before the GDPR, pseudonymisation was widely understood to mean replacing or “masking” direct identifiers by replacing them with tokens; this protection was applied to individual fields independently within a data set. It was merely a privacy-enhancing technique. However, the definition of pseudonymisation in GDPR Article 4(5) requires that the information value of data must be separated from the identity of data subjects and that additional securely stored information must be necessary to re-identify data subjects, and then only under controlled conditions. It is critical to note that under this new definition, GDPR-compliant pseudonymisation is now defined as an outcome for a data set and not (merely) a technique.
With the elevation of pseudonymisation to an outcome, achieving GDPR-compliant pseudonymisation requires protecting both direct and indirect identifiers. In addition, GDPR-defined pseudonymisation, in combination with the GDPR definition for Personal Data, now requires that the outcome must apply to a data set as a whole (the entire collection of direct identifiers, indirect identifiers and other attributes) instead of only being applied to individual fields, and consideration must be given to the degree of protection applied to all attributes in a data set.
The GDPR Article 4(5) definitional requirement “... that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person ...” makes reference to an outcome for a dataset as a whole, not just treatment of individual fields in isolation, and requires more than mere possession by the data controller or other authorised party of information enabling reidentification. Instead, this statutory language requires that technical and organisational measures be implemented making it impracticable for third parties to identify an individual without access to the additional information held separately by the data controller or other authorised party.
Additional information regarding the heightened requirements for – as well as the many express statutory benefits from – satisfying statutory requirements for pseudonymisation under data protection and privacy laws around the globe was discussed during the “10 Truths of Statutory Pseudonymisation” podcast featuring Steffen Weiss, legal counsel for data protection and member of the board for international affairs at the German Society for Data Protection and Data Security (GDD), Gary LaFever, CEO and general counsel at Anonos, and me. Also available in connection with the 10 Truths of Statutory Pseudonymisation podcast is an instructful publication titled Processing Cleartext – A Clear and Present Danger – Statutory Pseudonymisation Enables Protected Data Processing.
Magali (Maggie) Feys is founder of AContrario.Law, a boutique law firm based in Belgium specializing in IP, IT, data protection and cybersecurity. In addition, Magali acts as a legal advisor of the Belgian Ministry of Health where she advises on privacy matters (such as e-health network, COVID contact tracing and digital EU-COVID-certificate and the Covid Safe Ticket) and is a member of the legal working party e-Health of the Belgian Minister for Public Healthcare. Maggie also represents Anonos (www.anonos.com) as chief strategist of ethical data use.
See §17, 27, 36, 42, 44, 45, 46, 47 and 48, as well as in footnote 24 of the “Commission Implementing Decision of 17.12.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the Republic of Korea under the Personal Information Protection Act”, available online at https://ec.europa.eu/info/sites/default/files/1_1_180366_dec_ade_kor_new_en.pdf.
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
In addition to the E.U. member states, the EEA also includes Iceland, Liechtenstein and Norway.
The European Commission has recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland , the United Kingdom, and Uruguay as providing an adequate level of data protection.
Such as Standard Contractual Clauses (art. 46 GDPR) or Binding Corporate rules (art. 47 GDPR) and depending on the level of adequate protection which can be provided by the third non-EU country towards the data subject, additional supplementary measures.
See Use Case 2 of the EDPB Guidelines in “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data - Version 2.0”, Adopted on 18 June 2021, at pages 31 and 32, see Note 8.
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data - Version 2.0”, Adopted on 18 June 2021, online available through https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
Id at paragraph 53.
See FAQ #11 at https://edpb.europa.eu/sites/default/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf
See the last paragraph of the 26 July 2022 Dutch Ministry of Justice and Security (NCSC) legal memorandum (on page 15) highlighting that the reach of the CLOUD Act extends to data processed via sub-contractors and cloud processors at https://english.ncsc.nl/binaries/ncsc-en/documenten/publications/2022/augustus/16/memo-cloud-act/Cloud+Act+Memo+Final.pdf.
See Infra Notes 7 & 8 at pages 31 and 32 (Use Case 2: Transfer of Pseudonymised Data).
In a December 2021 EDPS webinar, Thomas Zerdick, Head of Technology and Privacy at the EDPS, stated that “After the Schrems II ruling, the debate on pseudonymisation has gained momentum as many consider it as the most viable ‘supplementary measure’ to transfer personal data to third countries not offering an equivalent level of protection.” See https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-introduction-thomas-zerdick_en
Available on https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/.
If consent is the only basis upon which information can be processed, controllers and processors will often face a “Hobson’s Choice” (see https://www.merriam-webster.com/dictionary/Hobson%27s%20choice) between: (a) securing “uninformed consent” – which is a fiction parties tell one another to make everyone feel better about placing the majority of risk from data misuse and abuse on the backs of data subjects; and (b) not processing data for valuable complex research (health, scientific, marketing or otherwise) purposes because of the complexity of explaining what is happening behind the scenes so that data subjects can fully understand.
See discussion in Section III above regarding Onward Transfers to Sub-Processors.
M. DE JONCKHEERE and G. DEBERSAQUES, Inleiding tot het recht, Bruges, die Keure, 2021, 28; W. VAN GERVEN and S. LIERMAN, Algemeen Deel. Veertig jaar later. Privaat- en publiekrecht in een meergelaagd kader van regelgeving, rechtsvorming en rechtstoepassing in Beginselen van het Belgische Privaatrecht, Mechelen, Kluwer, 2010, 113-117. For a general overview, see also M. MEIRLAEN, Ongeschreven rechtsgrenzen, Antwerp, Intersentia, 2022, 469-472.
F. GOTZEN and M.-C. JANSSENS, Wegwijs in het intellectueel eigendomsrecht, Bruges, Vanden Broele, 2020, 17; B. VAN BRABANT, La propriété intellectuelle Tome 1 – Nature juridique, Brussels, Larcier, 2018, 211-220.
H. VANHEES, Handboek Intellectuele rechten, Brussels, Lefebvre Sarrut, 2020, 5.
Article 6(1) of the EU GDPR provides the following six lawful bases for processing EU personal data: (a) consent; (b) contract; (c) legal obligations; (d) vital interests of the data subject; (e) public interest; or (f) legitimate interests pursued by the data controller.
See discussion in Section IV above regardingStrict Interpretation of Legitimate Interest Requirements.
See GDPR Recitals 78 and 108 and Article 25.
See page 11 of Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy by the Information and Privacy Commissioner of Ontario and CHEO Research Institute and University of Ottawa (2011) at https://www.ipc.on.ca/wp-content/uploads/2016/11/anonymization.pdf
See: Bill C-27 (a) Article 20 exclusion of processing “de-identified” data from processes requiring the knowledge or consent of individuals; (b) the Article 21 exclusion of processing “de-identified” data for internal research, analysis and development from processes requiring the knowledge or consent of individuals; (c) the Article 22(1) exclusion of processing “de-identified” data for evaluating prospective business transactions from processes requiring the knowledge or consent of individuals; (d) the Article 39(1) exclusion of processing “de-identified” data for socially beneficial purposes from processes requiring the knowledge or consent of individuals, and the Article 2(3) exclusion of “de-identified data” from the obligations of (e) Disposal under Article 55, (f) Accuracy under Article 56, (g) Information and Access under Article 63(1), (h) Amendment under Article 71, and (i) Data Mobility Disclosure under Article 72.
Article 13(4) of LGPD: “For purposes of this article, pseudonymization is the processing by means of which data can no longer be directly or indirectly associated with an individual, except by using additional information kept separately by the controller in a controlled and secure environment.”
Article 2.9 of APPI: “"Anonymously processed information" in this Act means information relating to an individual that can be produced from processing personal information so as neither to be able to identify a specific individual by taking action prescribed in each following item in accordance with the divisions of personal information set forth in each said item nor to be able to restore the personal information. (i) Personal information falling under paragraph (1), item (i); Deleting a part of descriptions etc. contained in the said personal information (including replacing the said part of descriptions etc. with other descriptions etc. using a method with no regularity that can restore the said part of descriptions etc.). (ii) Personal information falling under paragraph (1), item (ii); Deleting all individual identification codes contained in the said personal information (including replacing the said individual identification codes with other descriptions etc. using a method with no regularity that can restore the said personal identification codes).”
Article 2(i-2)) of PIPA: “Pseudonymisation is‘the processing of personal data in such a manner that a specific
individual becomes not identifiable without the use of additional information, rendered by
removing a part of the data, replacing all or a part of the data, etc..”
Article 1798.140(r) of CCPA: ““Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.”
Article 6-1-1303(22) of CPA: ““Pseudonymous Data” means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the person data are not attributed to a specific individual.”
Article 59.1-571 of VCDPA: “"Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.”
Article 160.103.171(28) of UCPA: ““Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is: (a) kept separate from the consumer's personal data; and
(b) subject to appropriate technical and organizational measures to ensure that the personal data are not attributable to an identified individual or an identifiable individual.”
Article 1(24) of CTDPA: “"Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”
See https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-keynote-speech-wojciech_en at 4:06
GDPR Recital 78 stipulates that “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible ... (emphasis added).”
See How to De-identify Personal Data in South Korea: An Evolutionary Tale (August 2, 2020) by Ko, Haksoo. International Data Privacy Law, Forthcoming, available at https://ssrn.com/abstract=3665568
See Supra Note 2.
GDPR Article 4(1) defines Personal Data as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
CLICK TO VIEW CURRENT NEWS