Delighted that Bill C-11 (Consumer Privacy Protection Act) as currently drafted would utterly fail to fix Canada's badly broken subject access rights.

Why fix what might inconvenience businesses? Why enable Canadians to understand how their data is collected, used or disclosed?
Problem 1: Doesn't require organizations to identify specific third-parties with whom information has been disclosed. Result? Individuals can't even hunt down and file requests to each contracting party if they want to
Problem 2: Details about automated decision making shouldn't be in the access provisions but there AND in C-11's transparency and openness section. You shouldn't need to inhabit a roach motel before you can truly figure out it IS a roach motel
(For clarity: some information about algorithmic decision making has to be in privacy policies or whatnot under C-11, but with seemingly far less specificity than in the Access section of the bill.)
Result? You might have vague understandings of how automated decision making takes place before signing up to a service (transparency provisions), only to be upset or concerned after using it + filing a subject access request to the organization in question (Access provision)
Problem 3: Requests must be made in writing. Which means that talking over the phone to a CSR isn't a way to initiate a request, despite what are likely checks that you are who you say you are. Means current processes by some Canadian companies would be invalid under new law.
(Several of Canada's telcos, as an example, have processes to initiate subject access requests over the phone as a result of the Citizen Lab's Access My Info project. The bigger issue is that RESPONSES should be in writing, as opposed to requests.)
Problem 4: There are no requirements to provide data in machine-readable formats. I've gotten requests from Canadian companies using everything from PDFs, screenshots, to Excel sheets. Machine-readable and user-friendly data exports should be made the norm in the legislation
Problem 5: Canadians can still be charged costs for exercising their rights. For context, I've been on teams where we were charged in excess of $1300 for a small amount of data, and the company wouldn't budge down. And others that have charged hundreds of dollars.
(In one case, a company demanded more money in access fees than the total amount of money they'd billed us for the service we were filing a subject access request about!!)
Result: the 'access' provisions *WILL* fail to provide real access rights to Canadians. This might be solved by ALL costing demands being also sent to the OPC--to compile stats + conduct audits/investigations where costs are being inappropriately charged.
If OPC isn't immediately drawn into that part of the feedback loop they won't know about problems because high costs are a way to disincentivize access and--vis-a-vis that--complaints. It's not right. Unless the point of the legislation is to blow off access requests.
In short: the access provisions are only marginally better--they at least have something about automated decisions, which isn't in existing legislation, and do close off some gaps I've run into with bad faith companies not sharing info if you can find it in their systems-- (con)
but this is embarrassing in terms of what could be done. Legislation might require download/checkouts. It could impose accountability by looping in OPC. It could cut down on 'types' of data language. It could do machine-readable formats.
Instead, access provisions are structured so that individuals will not be able to meaningfully exercise their rights, and businesses can continue to collect data with few/no costs or considerations that might come from actual accountability to their customers using access rights
<fin>
You can follow @caparsons.