We looked at Bill C-11, Canada's proposed commercial privacy legislation, and focused on:

1. Organizational transparency requirements
2. Individuals' abilities to compel organizations to disclose the personal information that organizations possess about them
3. Whistleblowing
For transparency, we argue organizations should be specific about the kinds of information they collect, use, and disclose, and how they make automated decisions. Also, organizations should publish transparency reports + their rules for receiving & processing government requests
When you request your information from organizations they should have to be accountable for the personal information they've collected. So we recommend that organizations be required to tell you what information they've collected, used, or disclosed about you.
A lot's been made of the provisions in the legislation around transparency and automated decision making. In our assessment, those provisions are insufficient.

1. Individuals should be able to opt-out from such decisions;
2. When decisions could have legal effects a human needs to be added into the loop;
3. If an individual disputes the output of an automated decision system, they should be able to appeal to the company and have it reviewed by someone who has knowledge of how the system operates
4. You should be able to make these requests orally, nor just in writing;
5. Data companies send you should have to be secured from third-parties;
6. When a company charges you for your data, @PrivacyPrivee should be notified of the cost charged to ID overly high fees.
Finally, we argue the whistleblowing parts of the legislation should be bolstered. Either by assuming a complaint is legitimate, as a default, & providing whistleblower protections OR by limiting when @PrivacyPrivee can tell an organization someone has blown the whistle on them.
This legislation is not designed to protect human rights, and it shows in all the worst ways. We strongly think the Canadian government needs to massively redraft this legislation given that it will principally advance business interests instead of individuals' interests.
And I would conclude by noting there are other serious deficiencies with the legislation around meaningful consent, de-identification, data mobility, and more. Check out @TeresaScassa, @Lisa_M_Austin, @EmilyLaidlaw, @tamir_i, @cancivlib, and others for more information.
Oh! And If you want a quick video intro to the legislation plus many of our recommendations, then check out
You can follow @caparsons.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: