Expanding the scope of privacy legislation under Canada's Consumer Privacy Protection Act – International Association of Privacy Professionals

In 2020, I wrote about what I considered a significant flaw under the proposed Consumer Privacy Protection Act in Bill C-11, which was tabled in November 2020, and then died when the federal election was called in 2021.
Bill C-11 retained the definition of personal information — information about an identifiable individual — but introduced a new concept of “deidentify.” This seemed to, by implication, alter the concept of personal information, expanding the scope of federal privacy legislation and tossing away years of judicial guidance in the process. Bill C-27 would do this as well, though in a slightly more complicated way.
The current Personal Information Protection and Electronic Documents Act defines “personal information” as “information about an identifiable individual.” There are two related lines of inquiry to consider: The first is whether the information is “about” an individual (as opposed to, for example, an object), and the second is whether an individual is “identifiable.”
Courts have used somewhat different language to explain “identifiability.” In 2007, the Federal Court of Appeal stated an individual is identifiable if it is “reasonable to expect” that an individual could be identified from the information alone or combined with “sources otherwise available.” A year later, the Federal Court of Canada adopted the standard put forward by the Privacy Commissioner of Canada: There must be a “serious possibility” of identifying an individual through the information alone or combined with “other available information.”
More recently, the Federal Court found “serious possibility” and “reasonable to expect” are effectively the same thing: more than mere speculation or possibility, but not probable on a balance of probabilities. 
So, under PIPEDA, the law only applies, in theory, if there is a serious possibility an individual can be identified. The proposed CPPA would retain the existing definition of personal information while adding two more:
The CPPA would therefore include three separate concepts, which apply as follows:
This is a significant change from PIPEDA, though exactly how much is unclear. First, the definition of “deidentify” is vague. It seems unhelpful to state there is a risk of reidentification with deidentified data because there is always a risk; the question is exactly how much risk must remain. If the definition of deidentify is roughly equivalent to the definition of personal information today, organizations may not gain anything from introducing this concept. For example, the CPPA would allow an organization to use deidentified personal information for “internal research, analysis and development purposes” without consent. Organizations can currently do this under PIPEDA without consent so long as the information is rendered not identifiable in accordance with judicial guidance. If “deidentify” ends up being roughly equivalent to a “serious possibility,” this could actually impose new restrictions on the ability to innovate with information. 
Then there is the concept of anonymization. For the CPPA not to apply, organizations will need to “ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” This is certainly a higher standard than “serious possibility,” as it appears to leave no risk of reidentification. The CPPA would therefore seem to alter rather than codify existing judicial interpretations, implying that the definition of personal information must be broader to begin with. In other words, the serious possibility standard established by the Federal Court will no longer be relevant.
It appears the CPPA under Bill C-27 would expand the scope of privacy legislation by lowering the threshold for when information is “identifiable.” Although they take different paths, Bill C-11 and C-27 seem to arrive at the same place, defining tests for identifiability organizations may be pre-ordained to fail. With the potential to penalize a business out of existence, this is a significant shift: The scope of privacy legislation will expand, organizations will have to relearn where the boundaries lie, and courts may be unable to rely on precedent to challenge findings of the Privacy Commissioner and Data Protection Tribunal.
© 2022 International Association of Privacy Professionals.
All rights reserved.