Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020, proposing the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the fifth of a series of articles addressing specific issues raised by the proposed CPPA. This article addresses the CPPA’s proposed introduction of a data mobility right that would allow individuals to request that their personal information be shared between organizations, subject to certain limitations and qualifications.
Click here for a more general discussion of the changes introduced by the Bill; scroll to the bottom for links to other posts in the CPPA: In Depth series.
The CPPA recognizes the concept of “data mobility”
PIPEDA does not recognize or address the concept of “data mobility,” which Innovation, Science and Economic Development Canada (the “government”) defined in its 2019 Proposals to modernize the Personal Information Protection and Electronic Documents Act paper (“PIPEDA Modernization paper”) as “enabling individuals to request that the personal information that they have provided to an organization, be provided to another organization.”
To address this gap, the CPPA explicitly references a right of mobility of personal information. Proposed section 72 states:
Subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework provided under the regulations.
Why is data mobility important?
In theory, data mobility allows individuals to better and more easily control who has access to their information. When a framework for data mobility is in place, individuals are able to direct the movement and sharing of their information between organizations in a lawful and trusted way.
Absent such a framework, this type of data sharing can be fraught with risks, both for the organization sharing the data (for example, the reputational risk that comes with sharing personal information with another organization in a manner that could harm an individual) and the individual wishing to have that personal information shared (who may have their personal data misused or shared in a manner that otherwise harms them). Bi-lateral agreements between the transferring organization and the receiving organization can mitigate some risk via appropriate contractual terms, however bi-lateral agreements only allow the individual to request their information be provided to an organization chosen by the transferor, not by the individual.
A well-articulated framework can help mitigate these risks and create certainty for organizations that share personal information, and allow greater choice for individuals. According to the government, this certainty in turn helps foster innovation by providing transparent and consistent rules for organizations to adhere to when developing new products that leverage personal information. As the government noted in its PIPEDA Modernization Paper:
Studies in other jurisdictions have determined that data mobility has the potential to enhance consumer choice thus fostering the emergence and growth of innovative new goods and services, in addition to supporting greater individual control over data and encouraging competition.
From reading section 72 above, it is clear that it is simply the first step (albeit an important one) in the establishment of a data mobility framework for Canadians. Even though enabling regulations are not yet available, some key elements of data mobility under the CPPA are clear.
The individual directs the sharing
Under the CPPA, data sharing would be initiated at the request of the individual, not the organization sharing the data. A core concept of data mobility is individual empowerment, allowing individuals to direct and control the ways in which their data is shared.
Personal information must be shared as soon as feasible
The disclosure of information must be “as soon as feasible” – speed is important in the digital world. A data-sharing framework that allowed an organization to delay that sharing would render the framework ineffective.
However, there are some elementary considerations that will influence “as soon as feasible”. For instance, there needs to be agreement on how the information to be shared (e.g., API? Excel spreadsheet?) and in what format – and organizations must have the technical compatibility to do so. These elements will presumably be addressed by the data mobility framework.
Participation in the data mobility framework
An organization can only share data with another participant in the framework. If an individual wishes to port their data to an organization that operates outside the framework, the protections and standards afforded by the regulations will not apply (however, it does not appear that that individuals will be prohibited from sharing their personal information from non-participating organizations; it is just that they will have to do it themselves instead of via direct transfer from organization to organization).
Participation in any data mobility framework will likely be contingent upon the organization’s adoption of and adherence to certain security standards, requirements for format, specifications for transfer mechanisms, and so on. It is also probable that the “data mobility framework” will not be a single framework, but a series of sector-specific frameworks rolled out over time. This was the approach taken in Australia, with its equivalent consumer data right.
Scope of information subject to the mobility right
The language of section 72 of the proposed CPPA suggests that the right encompasses “personal information [the organization] has collected from the individual”. This is a fairly narrow scope of information and suggests that information the organization has collected from third parties (e.g., a credit score) or that it itself generates about an individual (e.g., identity verification or a customer preferences profile) would not be subject to this right.
Interestingly, the emphasis here on “collection” is in contrast with the notion of an accountable organization, which would change under the CPPA. Under PIPEDA, the organization accountable for personal information was the one that collected the personal information. Under the CPPA, the accountable organization would be the one “that decides to collect [the personal information] and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.”
For some business models, there is a potential here for a disconnect. For instance, for a business in which a central organization has multiple other entities, the entities may be the actual collectors of the information from the individual, which they then provide to the central organization, and it is the central organization which is the one making decisions about the collection, use and disclosure of that information. In this scenario, the mobility right appears to apply to the entities, because they “collect” the personal information from the individual, even though it is the central organization which is accountable organization. If this is true, organizations (and affiliated entities) will need to think about how they the data mobility right might apply to them, and how they are going to manage it.
In addition, implicit in section 72 is the idea that an organization has a repository of personal information on each individual that it is easily identified, organized and shared. It is likely that most Canadian organizations have never maintained data in this manner. Separating personal information from all other corporate information an organization maintains on an individual could be technically difficult and so costly that it acts as a barrier to entry into the framework. Since the framework can be thought of as enabling a network of interconnected organizations, it would benefit from a network effect, with the value of the framework increasing as more organizations sign on to it. Providing tools and resources for organizations to organize and store their personal information in a manner that allows them to securely share it in a compliant manner could help determine the overall success of data mobility rights in Canada. Industry organizations, interest groups, and even the government itself may wish to consider this.
What are the next steps?
Like so many legislative proposals, when it comes to data mobility, the devil is truly in the details. Bill C-11 references a “data mobility framework” to be provided for under the regulations. However, at this early stage, draft regulations have yet to be proposed. Until they are, section 72 puts a stake in the ground, signaling that the government believes data mobility is a key piece in moving privacy regulation firmly into the digital age.
Other posts in the CPPA: In Depth series:
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information. Subscribe and stay updated.