“Made in Canada” – What is happening to Privacy by Design under the CPPA?

February 5, 2021 | David Krebs, Samantha Santos

Privacy by Design” has long been understood as the “gold standard” of data protection and at the core of how to sustain privacy rights in the digital age. It is a concept that can be said to have been “made in Canada,” developed by former Ontario Information and Privacy Commissioner Dr Ann Cavoukian around and about 1997. It is seen as a way to balance commercial interests, as well as the promise of leveraging and processing ‘big data’, with the right to privacy, which, according to many, should be seen as fundamental human right, as discussed in a previous blog post. Bill C-11, An Act to enact the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (also known as the Digital Charter Implementation Act), is currently in its second reading in the House of Commons. It is Canada’s first attempt since the coming-into-force of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) over 15 years ago, to modernize, strengthen, and clarify Canada’s approach to privacy law.

The main driving forces behind the proposed CPPA are (i) the desire to maintain Canada as an “adequate” jurisdiction for European personal data transfers under the European General Data Protection Regulation (“GDPR”), (ii) the apparent and understood need to modernize Canadian privacy law so it is appropriate for contemporary technology and uses of data and (iii) recent high profile data breaches affecting Canadians’ personal information that illustrated the impacts of breaches and limitations Canadian regulators have with respect to enforcement. Read more about data breaches in our recent blog post.

The  CPPA includes an overhaul to the current PIPEDA framework as it relates to enforcement, with significant fines and penalties and enforcement mechanisms, along with other significant changes.  While at the same time, retaining familiar tenets of Canadian federal privacy law, such as “consent” and the focus on “accountability.” Surprising to many, however, is the fact that the principle of privacy by design is nowhere to be found, either explicitly or by indirect reference to its seven foundational principles.

What is privacy by design?

Broadly speaking, privacy by design requires designing a system or process in a manner that protects the privacy rights of individuals, rather than considering the associated privacy implications of a system or process only after deployment. It is a principle that many consider to be a crucial element in protecting privacy rights meaningfully and is an explicit legal obligation under the GDPR:

“Art 25 (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. (2)That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. (3) In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”

Privacy by design is the marriage of two ideals: (i) protection of personal information; and (ii) its coinciding sustainable commercial use, centered around seven foundational principles. These seven principles are:

  1. Proactive not reactive: preventative not remedial.
  2. Privacy as the default setting.
  3. Privacy embedded into design.
  4. Full functionality: positive-sum, not zero-sum.
  5. End-to-end security: full lifecycle protection.
  6. Visibility and transparency: keep it open.
  7. Respect for user privacy: keep it user-centric.

Privacy by Design’s Future in Canada

 On June 12, 2020, Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (“Bill 64”) was introduced in the Quebec National Assembly aimed to amend Quebec’s provincial privacy regime. Bill 64 is a strong statement to align Quebec’s provincial regime quite closely with that of the GDPR.

As part of the proposed amendments, Bill 64 will introduce a requirement for enterprises which is rooted in privacy by design concepts, apparently inspired by Article 25 of the GDPR. Under the relevant section of Bill 64, organizations will need to ensure “that the parameters of the technological products or services they use to collect personal information provide the highest level of confidentiality by default, without any intervention by the person concerned.

As noted above, explicit mention of privacy by design is missing from CPPA and, if both Bill 64 and CPPA moved ahead as currently drafted, would create the potential for different approaches to privacy protections across the country. Businesses will need to keep a close eye on these developments, together with the debates and proposed amendments under the CPPA (as well as in other provinces, please see our previous article) to ensure their practices and operations are compliant.

As a further illustrative example, with the passing of Bill 64, any business or organization that is developing, integrating, or using artificial intelligence (“AI”), would need to consider and take steps to look at technological means to limit the personal information they collect as part of a privacy by design approach. As discussed in a previous article, this is not always easy since if an AI system is developed relying on limited data, whether in diversity or volume, there is a significant risk that the outputs that system provides will be biased based on the sample size utilized. A balance will need to be struck between protecting an individual’s privacy and fostering innovation and ensuring that AI systems can provide unbiased and meaningful results.

In a previous report from the Standing Committee on Access to Information, Privacy and Ethics  regarding required changes to Canada’s privacy laws, the Committee recommended that privacy by design become an explicit part of Canadian privacy law. In the report the Committee stated that it “believes that privacy by design is an effective way to protect the privacy and reputation of Canadians”; and that privacy by design should become a “central principle” of PIPEDA.”1 Despite this, however, the concept is missing in the draft legislation. It is not referred to directly or indirectly. That being said, it can be argued that the CPPA is based on the ten (10) privacy principles and compliance with the law means privacy by design has been implemented. This is the position a spokesperson to (former) Minister Bains took when confronted about the issue.2 While that may be the case, this is not the same as requiring organizations to specifically comply with articulated obligations in the law.

Arguably, including the requirement of privacy by design in the CPPA would also create an opportunity to provide organizations with some clarity on what it means for each actor in the supply chain. What, for example, is the role of the manufacturer of the program or piece of equipment to be used in the clinical space. What are the obligations of the purchaser to ensure that a process, product, or service has been designed  to comply with the law. Integrating and mandating the concept of privacy by design into the CPPA would also be an opportunity for Canada to align more closely with the GDPR and Bill 64.

We will continue to follow this along with other salient issues as the CPPA moves through the legislative process.

1     http://www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP9690701/ethirp12/ethirp12-e.pdf

2    https://www.itworldcanada.com/article/new-canadian-privacy-regime-are-steps-in-the-right-direction-but-experts-are-baffled-and-troubled-by-key-missing-pieces/438435


This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.