Bill C-11: Digital Charter Implementation Act Of Canada

Remember that proposed Digital Charter from 2019, in response to a shooting in New Zealand? Well, it’s finally come to Canada. Also, this sounds silly, but is DCIA a euphemism for “Dee CIA”?

1. Free Speech Is Under Constant Threat

Check here for the series on free speech. It’s a crucial topic, and is typically intertwined with other categories. Topics include: hate speech laws, Digital Cooperation; the IGF, or Internet Governance Forum; ex-Liberal Candidate Richard Lee; the Digital Charter; Dominic LeBlanc’s proposal. There is also collusion, done by UNESCO, more UNESCO, Facebook, Google, and Twitter lobbying.

2. The Media Is Not Loyal To The Public

Truth is essential in society, but the situation in Canada is worse than people imagine. In Canada (and elsewhere), the mainstream media and fact-checkers are subsidized, though they deny it. Post Media controls most outlets in Canada, and many “independents” have ties to Koch/Atlas. Real investigative journalism is needed, and some pointers are provided.

3. Important Links

The Christchurch Call
Fact Sheet: Digital Charter Implementation Act
https://archive.is/0QioZ
Bill C-10: CRTC Amending Broadcast Act
Bill C-11 Introduced As HoC Legislation (November 2020)
Office Of The Lobbying Commissioner Of Canada
Mastercard’s Lobbying Information
Visa Canada’s Lobbying Information
American Express Canada’s Lobbying Information
PayPal’s Lobbying Information
GlaxoSmithKline’s Lobbying Information

4. Digital Charter Bait-And-Switch

Originally, the proposed “Digital Charter” was formed as part of the Christchurch Call, in response to a mass shooting in New Zealand on March 15, 2019. This was promoted as fighting violent extremism. However, the DC Implementation Act seems to be much more broadly applied.

5. Pitching The Digital Charter Implementation Act

What does the Digital Charter Implementation Act, 2020 mean for me?
.
[A] Meaningful consent: Modernized consent rules would ensure that individuals have the plain-language information they need to make meaningful choices about the use of their personal information.
.
[B] Data mobility: To further improve their control, individuals would have the right to direct the transfer of their personal information from one organization to another. For example, individuals could direct their bank to share their personal information with another financial institution.
.
[C] Disposal of personal information and withdrawal of consent: The accessibility of information online makes it hard for individuals to control their online identity. The legislation would allow individuals to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
.
[D] Algorithmic transparency: The CPPA contains new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about how they use such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.
.
[E] De-identified information: The practice of removing direct identifiers (such as a name) from personal information is becoming increasingly common, but the rules that govern how this information is then used are not clear. The legislation will clarify that this information must be protected and that it can be used without an individual’s consent only under certain circumstances.

All of these items sound perfectly reasonable on the surface. Who WOULDN’T want greater privacy and transparency? Reading a bit further on the webpage, it becomes a bit concerning.

Simplifying consent: In the digital economy, the use of personal information is often core to the delivery of a product or service, and consumers can reasonably expect that their information will be used for this purpose. Currently, organizations are required to seek consent for such uses, making privacy policies longer and less accessible and creating burden. The legislation would remove the burden of having to obtain consent when that consent does not provide any meaningful privacy protection.

Data for good: Greater data sharing and access between the public and private sectors can help to solve some of our most important challenges in fields such as public health, infrastructure and environmental protection. The legislation would allow businesses to disclose de-identified data to public entities (under certain circumstances) for socially beneficial purposes.

Recognition of codes of practice and certification systems: To help organizations understand their obligations under the CPPA and demonstrate compliance, the legislation would allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors or business models.

So the requirement to obtain consent can be removed if the consent “would not provide any meaningful privacy protection”? What standards would be applied to determine if it’s meaningful? Or would it all be subjective?

Greater sharing of data between public and private sectors? Such as what? Bank records? Health information? Political beliefs? And coupled with watering down the need for consent, that’s unsettling.

It would also allow private organizations to contact the Privacy Commissioner and ask to have certain practices permitted. Interesting.

6. Digital Charter IA Guts Privacy

Exceptions to Requirement for Consent
Business Operations
Business activities
18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2) and
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
.
List of activities
(2) Subject to the regulations, the following activities are business activities for the purpose of subsection (1):
(a) an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
(b) an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
(c) an activity that is necessary for the organization’s information, system or network security;
(d) an activity that is necessary for the safety of a product or service that the organization provides or delivers;
(e) an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and
(f) any other prescribed activity.
.
Transfer to service provider
19 An organization may transfer an individual’s personal information to a service provider without their knowledge or consent.
.
De-identification of personal information
20 An organization may use an individual’s personal information without their knowledge or consent to de-identify the information.
.
Research and development
21 An organization may use an individual’s personal information without their knowledge or consent for the organization’s internal research and development purposes, if the information is de-identified before it is used.

Think that’s bad? It’s about to get even worse. More exceptions to the requirement for consent are written into Bill C-11. It’s like the Do-Not-Call lists about 15-20 years ago. Is there anything that doesn’t make the list of exceptions?

Information produced in employment, business or profession
23 An organization may collect, use or disclose an individual’s personal information without their knowledge or consent if it was produced by the individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
.
Employment relationship — federal work, undertaking or business
24 An organization that operates a federal work, undertaking or business may collect, use or disclose an individual’s personal information without their consent if
(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the organization and the individual in connection with the operation of a federal work, undertaking or business; and
(b) the organization has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.
.
Disclosure to lawyer or notary
25 An organization may disclose an individual’s personal information without their knowledge or consent to a lawyer or, in Quebec, a lawyer or notary, who is representing the organization.

How is any of this fighting violent extremism?

An organization can share a person’s personal information — without their knowledge or consent — if they deem it necessary for their business functions. They can also share the data of 3rd parties, if they don’t have a direct business relationship with that person.

Organizations can provide (sell?) data to research and marketing firms, with the caveat being that items that would identify a person must be removed. However, even with that, people can be re-identified from partial profiles.

Employers and Governments can also share a person’s private information without their knowledge or consent if it’s regarded as needed in their business operations. What else?

Statistical or scholarly study or research
35 An organization may disclose an individual’s personal information without their knowledge or consent if
(a) the disclosure is made for statistical purposes or for scholarly study or research purposes and those purposes cannot be achieved without disclosing the information;
(b) it is impracticable to obtain consent; and
(c) the organization informs the Commissioner of the disclosure before the information is disclosed.
.
Records of historic or archival importance
36 An organization may disclose an individual’s personal information without their knowledge or consent to an institution whose functions include the conservation of records of historic or archival importance, if the disclosure is made for the purpose of such conservation.
.
Disclosure after period of time
37 An organization may disclose an individual’s personal information without their knowledge or consent after the earlier of
(a) 100 years after the record containing the information was created, and
(b) 20 years after the death of the individual.
.
Journalistic, artistic or literary purposes
38 An organization may collect an individual’s personal information without their knowledge or consent if the collection is solely for journalistic, artistic or literary purposes.
.
Socially beneficial purposes
39 (1) An organization may disclose an individual’s personal information without their knowledge or consent if
(a) the personal information is de-identified before the disclosure is made;
(b) the disclosure is made to
(i) a government institution or part of a government institution in Canada,
(ii) a health care institution, post-secondary educational institution or public library in Canada,
(iii) any organization that is mandated, under a federal or provincial law or by contract with a government institution or part of a government institution in Canada, to carry out a socially beneficial purpose, or
(iv) any other prescribed entity; and
(c) the disclosure is made for a socially beneficial purpose.
.
Definition of socially beneficial purpose
(2) For the purpose of this section, socially beneficial purpose means a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.

As long as it’s claimed that the information was needed for research, historical work, or some vaguely defined social benefit, personal information can be disclosed without the person’s knowledge or consent. They do mention stripping the information of details that would lead to the identity of the person, but it’s still easy to reestablish who it was.

“Impractical to obtain consent” refers to companies disclosing personal data not of THEIR customers, but the customers of other people. In fact, an obvious loophole is not to do any of this yourself, but simply to partner with another organization that can do the dirty work.

And 20 years after a person’s death, information can be disclosed anyway. No reason or pretense is needed to justify it.

Now we get to disclosures to Government Institutions. Presumably, this was the original content considered with the Digital Charter.

7. DCIA: Disclosure To Government Institutions

Disclosures to Government Institutions
.
Administering law
43 An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of administering federal or provincial law.
.
Law enforcement — request of government institution
44 An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.
.
Contravention of law — initiative of organization
45 An organization may on its own initiative disclose an individual’s personal information without their knowledge or consent to a government institution or a part of a government institution if the organization has reasonable grounds to believe that the information relates to a contravention of federal or provincial law or law of a foreign jurisdiction that has been, is being or is about to be committed.
.
Proceeds of Crime (Money Laundering) and Terrorist Financing Act
46 An organization may disclose an individual’s personal information without their knowledge or consent to the government institution referred to in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section.
.
Request by government institution — national security, defence or international affairs
47 (1) An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs.
Collection
(2) An organization may collect an individual’s personal information without their knowledge or consent for the purpose of making a disclosure under subsection (1).
Use
(3) An organization may use an individual’s personal information without their knowledge or consent if it was collected under subsection (2).
.
Initiative of organization — national security, defence or international affairs
48 (1) An organization may on its own initiative disclose an individual’s personal information without their knowledge or consent to a government institution or a part of a government institution if the organization suspects that the information relates to national security, the defence of Canada or the conduct of international affairs.
Collection
(2) An organization may collect an individual’s personal information without their knowledge or consent for the purpose of making a disclosure under subsection (1).
Use
(3) An organization may use an individual’s personal information without their knowledge or consent if it was collected under subsection (2).

The Government may collect personal information without your knowledge or consent if it believes (or claims to believe) that it’s done for a legitimate purpose, or may help with the investigation of Government affairs.

Furthermore, institutions can, of their own free will, simply choose to hand over personal information without knowledge or consent. All that is required is a vague standard that they believe a crime has been, or is about to be, committed.

Getting back to the topic of the Christchurch Call: the original purpose of the proposed Digital Charter was to combat online extremism, before violence broke out. Under this Bill, can Governments simply seize data, or can companies just provide it on a whim? Could having incorrect opinions be viewed as a public security risk?

Could telling the truth about the Covid-19 hoax be grounds for detaining or de-platforming people, under the guise of “public health and safety”?

8. Lobbying Registry Search: “Digital Charter”

Entering “Digital Charter” into the Lobbying Registry website flags 84 hits: 80 registrations, and 4 communications reports. Let’s take a look into that.

The 4 communications were with Facebook Canada, and took place between April 15, 2020, and December 17, 2020. They involved: Facebook, the Prime Minister’s Office and the Policy Advisor on Canada’s Digital Charter.

Small aside: Official Opposition Leader, Erin O’Toole, was a lobbyist for Facebook when he worked for the law firm, Heenan Blaikie. Could explain why he’s silent on this issue.

9. More “Digital Charter” In Lobbying Registry

Want to do banking or rely on credit for your business or personal life? It may become much harder if these institutions refuse to associate with you, for whatever reason.

10. GlaxoSmithKline, “Digital Charter” Lobbying

Seems pretty strange that GSK (GlaxoSmithKline) is involved in discussions concerning the Digital Charter. On the surface, it also looks like a conflict of interest.

11. What’s Really Going On Here?

The idea of a “Digital Charter” was shoved onto the Canadian public, under the pretense that it would be used to stop violent and unstable people from committing serious crimes. Instead, it seems like an open invitation to throw out privacy protections altogether.

It’s quite stunning the reasons and ways that personal information can be shared “without knowledge or consent” of the people involved. Far from ensuring privacy protections, it codifies the right to share others’ data. The reasons for doing so are also (intentionally?) defined in very vague ways. This ensures that loopholes will always exist.
