Public consultation on the Privacy Act – Submission – Alliance for Safe Online Pharmacies

Executive Summary: Our Recommendations for Bill C-11

Introduction

We welcome the opportunity to participate in consultations on the Digital Charter Implementation Act – Bill C-11. The Alliance for Safe Online Pharmacies Canada (ASOP Canada)Footnote 1 is a project of ASOP Global, a global non-profit organization dedicated to keeping the public safe from illegal online sellers of prescription medicines and protecting the integrity of our legitimate pharmaceutical supply chain. We have a diverse membership that includes pharmacists, pharmacies, distributors, and our observers include the National Association of Pharmacy Regulatory Authorities (NAPRA), Canadian Patient Safety Institute (CPSI), GS1 Canada, among others.

We wish to thank our government for tackling the pressing and interconnected issues of privacy, transparency, and safety in the digital arena. Canadians are growing concerned about their growing dependence on data and the seen and unseen ways in which digital technologies and the sharing of personal data are impacting their lives.

At the same time, most Canadians appreciate the benefits of the digital economy and understand that the growth of Canada’s data-driven economy presents opportunities to improve our lives. It is therefore an appropriate time to re-examine the laws, regulations and customs governing online privacy, the use of data and the behaviour of online marketplaces, search engines, social media platforms, and other digital entities.

Striking a Balance: Transparency and Privacy to Protect Health and Safety

As reflected in Bill C-11, there are several facets to consider in updating Canada’s online privacy laws to accord with Canadians’ rights and expectations. The most important from our perspective concerns the balance between transparency and privacy for the purpose of protecting the health and safety of Canadians.

As we will examine, where the online sale of illicit and dangerous drugs is concerned, striking this appropriate balance is critical to the health and safety of Canadians and to building trust in the institutions that govern our digital spaces.

The digital economy has transformed the way Canadians live, work and play. This is true in all facets of the economy and our lives, including the way we obtain prescription medications. For many years, Canadians have been able to count on a secure, reliable pharmaceutical supply chain that allows them to obtain their necessary medications no matter where they live. The advent of digital technologies has provided yet another way for Canadians to access their medications, but it has also created considerable risks and challenges. Our country’s pharmaceutical supply chain—long considered one of the safest and most secure in the world—is now at risk due to several interrelated factors including illicit online pharmacies, the proliferation of counterfeit drugsFootnote 2 and the diversion of drugs from legitimate channels to the black and grey markets.

The COVID-19 outbreak has exposed the risk of online harms to our health and safety.

Over the past year, we have seen an increase in misinformation over the internet, and enterprising individuals and organizations seeking to take advantage of Canadians feeling vulnerable and situated at home by making false or misleading claims about products to address COVID-19.Footnote 3 Many of these products were found through online sources. Health Canada has also issued an advisory to warn Canadians not to purchase counterfeit vaccines for COVID-19 over the internet.Footnote 4

This issue is not limited to products for COVID-19; controlled substances including opioids, other prescription medications and medicinal cannabis are sold through unlicensed sites, causing harm through inappropriate use or selling counterfeit drugs.

Raising awareness among Canadians is an important measure to reduce the risk of illegal online sellers to their health and safety. At the same time, we believe it is critical to strengthen the measures wehave in place to stop bad actors from placing Canadians lives at risk or hold them accountable for doing so.

To this end, we ask: Does our government have the tools to stop a website from illegally selling products that can impact our health and safety? How does Bill C-11 strengthen or weaken the tools we currently have available to keep Canadians safe?

Background: Illegal Online Drug Sellers

To operate legally in Canada, an online pharmacy must be linked with a legitimate pharmacy licensed by the appropriate provincial regulatory authority. However, many illicit online pharmacy websites are designed to look legitimate and confuse unwary customers. This is a serious danger.

The U.S. National Association of Boards of Pharmacy (NABP) recently reviewed more than 100 online pharmacy websites with “Canada” or “Canadian” in their names or URLs. It found that almost 96 per cent of these sites were operating illegally.Footnote 5 Many were overseas companies posing as Canadian online pharmacies but selling medications that are not approved by either Health Canada or the U.S. Food and Drug Administration (FDA)Footnote 6.

In recent years, Health Canada has issued numerous warnings to Canadians about online drug sales, including one in May 2017 advising that multiple unauthorized products available for purchase on Amazon.ca could pose serious health risksFootnote 7. These situations do not end well for Canadians. In one tragic incident, two days after a Nova Scotia man died of an accidental overdose, his family received a package in the mail addressed to the deceased. It was said to contain the widely used anti-anxiety medicine Ativan, but in fact the drug turned out to be Etizolam, a drug ten times more potent than Valium that is not approved for sale in either Canada or the U.SFootnote 8.

The accessibility of counterfeit prescription medicines through social media is a concerning trend that demands a whole-of-government approach. Recently, at our organization’s annual meeting, we heard the emotional story of Ed and Mary Ternan, and their 22-year old son, Charlie, who tragically died in June 2020 after taking what he thought was a common prescription painkiller medication. He was weeks away from graduating from university. The supposed medication was laced with fentanyl, and Charlie died almost immediately. Charlie ordered the medicine through a seller on Snapchat. Ed and Mary have since established a non-profit organization, Song for CharlieFootnote 9 to help raise awareness regarding the risk posed by online sites to the health and safety of adolescents. While this case occurred in the United States, these sites do not confront physical borders, and are easily accessible to Canadians as well.

Tragically, these outcomes will persist if nothing is done to address illegal online sales of prescription medications. But in order to hold illegal drug sellers accountable for their crimes and protect the safety of Canadians, the modernization of Canada’s digital laws must strike the right balance between transparency and privacy. Critically, we must not allow efforts to protect the privacy of individuals to hamper transparency across the commercial internet.

Recommendations: Bill C-11

In order to strike a balance between privacy and transparency to keep Canadians safe, we believe it is vital to balance innovation without overlooking the need for law enforcement and organizations to obtain information without compromising important investigations. Negatively impacting legitimate investigations due to overbroad and overreaching rights given to individuals (who, for example, are able to withdraw consent, and erase their basic personal data) must not take place.

Additionally, there are several instances where organizations should share information with intellectual property rights owners in the context of online infringement. For example, businesses often possess information such as a name and contact information that are required by rights owner to enforce its rights (to allow a rights owner to enforce its rights and protect Canadian consumers from substandard counterfeit products, or dangerous pharmaceuticals).

Recommendations and Interpretations

Privacy remains a fundamental value in a modern digital world where individuals are spending more time online and immersed in digital applications. Data will continue to drive the global economy.

However, the proposed legislation does not emphasize security nearly as much as it tries to balance an individual’s privacy. Without proper security measures in place (i.e. protection against widespread data hackers), privacy and consent laws are trivial. In addition to protecting against bad actors who target online data and create schemes to target companies and databases, the proposed legislation should not make it more difficult for law enforcement and government agencies to obtain pertinent information related to ongoing investigations.

Many bad actors will thrive when their enhanced individual rights enable them to transfer, de-identify, challenge and ultimately delete their personal information held by an organization. Additionally, it is already very difficult for law enforcement to obtain relevant information from organizations relating to online investigations and this legislation will likely make it *more* challenging.

With respect to the exceptions to the consent to disclose personal data, the language in the proposed legislation is too broad. It is not clear who determines if disclosure is in the public interest, or reasonable? Additional parameters should be included to address sections where exceptions to consent are permitted. It may be practical to categorize data and certain categories that can be made exempt from privacy protection. This would also address the above-mentioned issue of an organization’s hesitance to disclose information risking significant fines. With proposed legislation as important as Bill C-11, it is vital to limit any interpretation.

We recommend transparent rules and regulations with respect to sections where consent is not required. Additionally, it would be beneficial to include plain language related to secondary uses of data that would be reasonable to be disclosed. If individuals have the reasonable expectation that their data will be shared, explicit consent would not be required. If the Government is transparent with individuals as to how their personal information will be used, if necessary, we can better balance the power given to individuals with the need to compel information when required.

We find it necessary to review, amend and improve particular sections, as follows:

Investigations
Breach of agreement or contravention

40 (1) An organization may collect an individual’s personal information without their knowledge or consent if it is reasonable to expect that the collection with their knowledge or consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of federal or provincial law.

Use

An organization may use an individual’s personal information without their knowledge or consent if the information was collected under subsection (1).

Disclosure

An organization maydisclose an individual’s personal information without their knowledge or consent if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of federal or provincial law that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation.

Suggested Improvement: There is no guidance or criteria in the proposed law for organizations relating to investigations. Organizations should be compelled to disclose the requested personal information without the individual’s knowledge or consent, since the individual’s knowledge or consent of the disclosure may negatively impact the investigation.

Law enforcement — request of government institution

An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.

Suggested Improvement: disclosure to government institutions and law enforcement should be mandatory when carrying out an investigation related to the enforcement of any law or gathering intelligence for the purpose of enforcing such law. Further, the organization *cannot* provide any details to individuals of this disclosure.

For illustration purposes, there may be a website selling controlled substances and counterfeit medicines, such as prescription opioids online. Law enforcement often learn about these websites by initiating investigations to confirm the sale of these substances through online platforms. If online platforms (organizations) either (a) notify individuals as it relates to a disclosure request made by law enforcement, or (b) choose *not* to support an investigation/provide disclosure due to fears associated with proposed enormous fines (associated with any breach of the proposed CPPA), then the investigation into the wrongful conduct will not progress, and the wrongful conduct that must come to an end in Canada, will continue.

Contravention of law — initiative of organization

An organization mayon its own initiative disclose an individual’s personal information without their knowledge or consent to a government institution or a part of a government institution ifthe organization has reasonable grounds to believe that the information relates to a contravention of federal or provincial law or law of a foreign jurisdiction that has been, is being or is about to be committed.

Policy Rationale: There is little additional guidance or criteria for what constitutes “reasonable grounds” to disclose personal information further to their belief that the information relates to the contravention of federal or provincial laws. It is important to provide additional clarity with respect to this type of disclosure

Information and access

63 (1) On request by an individual, an organization must inform them of whether it has any personal information about them, how it uses the information and whether it has disclosed the information. It must also give the individual access to the information.

Names or types of third parties

(2) If the organization has disclosed the information, the organization must also provide to the individual the names of the third parties or types of third parties to which the disclosure was made, including in cases where the disclosure was made without the consent of the individual.

Suggested Improvement: Section 63 and its subsections provide too much power to the individual in the sense that organizations must provide details pertaining to parties and individuals to which disclosure was made. This negatively impacts any ongoing investigation.

Additionally, there is little guidance or clarity regarding the exceptions to consent and prohibition on sharing information with government institutions and how organizations (or government institution, for that matter) will address the issue/exchange of details with the individual (or Commissioner).

Exceptions to Requirements for Consent Prevention, detection or suppression of fraud

27 (1) An organization may disclose an individual’s personal information to another organization without the individual’s knowledge or consent if the disclosure is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the individual’s knowledge or consent would compromise the ability to prevent, detect or suppress the fraud.

Suggested Improvement: This exception does not obligate an organization to disclose an individual’s personal information to another organization and does not further specify instances where it would be necessary to obligate a company or organization to do so (i.e. in the context of an active or preliminary investigation). Additionally, fraud is not defined.

DCIA’s Proposed Fines in the event of a Breach

In addition to further clarifying the language included in the proposed legislation, it is important to clearly outline the significant penalties available for contravention of the law. Organizations may be hesitant to disclose information without obtaining consent, when permitted, without further clarity because of the significant penalties proposed. Provisions surrounding non-compliance and disclosure have to be clear (especially in terms of investigations) failing which organizations, that are already not obligated to share data under most circumstances, will be worried about enormous potential fines if they comply with ongoing investigations.

It would not be fair to impose harsh penalties in the event an individual (who was the subject of an investigation) suggests that an organization breached the proposed laws by disclosing information to law enforcement as part of an investigation.