Public consultation on the Privacy Act – Submission – Smart Species Canada

Smart Species Canada, (in collaboration with T4GC and the OCG Collaborative) presents a Pilot initiative as context for submitting CPPA comments and to urge a review of CPPA for Children and Youth data control, Parental Consent and the innovation international standards can provide.

c/o: Mark Lizar mark@smartspecies.com

This proposal and CPPA comments are based on Standards Council Collaborative Use Case for Consented Digital Identity Surveillance with the use of ISO standardized Notice and Consent Receipts.

Item #1 below is the presented use case for protecting children and youth’s online meta-data and with it a call for recognizing school records as historical data trust held on behalf of the school and student. This is being Presented for the SCC Data Governance Collaborative workshop on Feb 25th, 2021. This use case is backed up by a research report, illustrating the lack of security, privacy and consent in eLearning systems, and an active audit monitoring this breach of children’s data.

This use case provides research and analysis conducted by Smart Species with Tech for Good Canada supported by the Open Consent Group, (comprised of a group of efforts aimed to standardize accessibility of privacy rights, to enable widescale digital literacy, and localize the economic benefits, independent of foreign service providers)

This background for this Pilot:

1. SCC – Notice & Consent Receipt Standards Use Case for Consented Surveillance
2. Children’s Surveillance Research Report: (Being published for the SCC Feb 25th Workshop)
3. Ontario Audit Outline: Gov, School Board & School: Privacy & Security eLearning Audit of vulnerable children’s Data Governance in e-Learning

[Note; This pilot proposal summary is provided here as context for these comments on the Candian Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act.]

Comment Highlights:

These comments.

• Call for the immediate invalidation of online terms and conditions (contracts of adhesion), that are ungoverned by privacy frameworks, and that people do not read. Non-Privacy respecting agreements to which privacy is not protected, rights are not provided, and people’s data is not secure. (As specified in Bill 64)
• Request the recognition of significant cyber-security risks presented by USA’s Foreign Intelligence Surveillance Act, (FISA) which invalidated terms and conditions, as with privacy shield, these legal frameworks for the ‘Consumer’ do not provide privacy people expect, or any reference to Canadian privacy rights or any risks to children’s data, as it is transferred to the USA without the protection of COPPA.
• Recommend notice and consent semantics be the human centric frame for compliance for Terms & Conditions to be provided. Used to ensure meaningful consent and demonstrates respect for Canadian (international requirements) that respect cultural expectations of privcacy.
• The implementation of now ISO/IEC standardized controls for Online Privacy Notice & Consent, and Notice and Consent Receipts. Notice & Consent Receipts decentralize data governance and provide mechanisms for co-regulation. Provide for an alternate online rights framework than. terms and conditions in Canada. (not the other way around)
• Support the international use of notice and consent standards to address parental consent transparency across borders in eLearning platforms and website browsers

Piloting: A Canadian (Intervention) Public Privacy Standard

The Pilot proposes, a national to international Data Governance Authority architecture to provide receipts to facilitate the use of privacy rights independently of the service provider. ad-technologies, with rights that enable self-advertising on one’s own terms and the control of one’s own data. Providing people the opportunity to engage in their own data altruism through autonomy:

Extending the UN General Comments for children’s right in Online environments into a Code of Conduct for eLearning service providers. This will,

• Utilize the international framework set out by the UN and support the open-source communities that work for the benefit of children:
  • General Comment 25: Draft Children’s privacy rights in online environments
  • General Comment 20: And the implementation of the rights of the child during adolescence
  • General Comment 19: on public budgeting for the realization of children’s rights
• Establish defaults for processing children’s surveillance data technically, legally, for schools and community, as opposed to commercial interests and social platforms.
• Create a policy architecture to apply international codes of conduct to support dynamic data flows with respect for national, regional and personal contexts.
• Build with international data governance standards, enforceable privacy law and Canada’s consent by design culture to compete in next generation data control and data portability markets.

The Opportunity

Canada’s world class culture of privacy and respect is reflected in a Charter of Rights and Freedom’s, a commitment to diversity amongst provinces and PIPEDA’s adoption from Canadian best practices in the CSA, a privacy rights framework based on consensus. Consensus that has evolved our country into a well-defined expectation expressed through a notice and consent specified privacy legal framework.

The consultation on consent led by the Office of the Privacy Commissioner in 2016-17 led to the implementation of Meaningful Consent as a legal standard in 2019. Moving Canada to arguably the strongest consent legal framework in the world. As such, it should be no surprise that this pilot implements a Canadian National to International action to adopt standards for data governance and the surveillance of children and youth.

In this regard, this pilot proposal summary provides a critical commentary to strengthen the CPPA and reflect Bill 64’s data governance approach, that is not only supported by international standards, but can unite Canada as a global force in the next generation internet markets.

As such, this pilot references the great Canadian Privacy Opportunity, and respectfully asks the editors to consider this umbrella use case for a pilot of a Parental Consent Gateway, to address the risks of digital identity management and its advanced invisible surveillance.

Parental Consent Gateway for Children’s Surveillance (First Draft Invitation for this Pilot Proposal)

To initiate this action, this Pilot first invites Tech for Good Canada to convene a Children’s Surveillance Council of Experts for a National (and Internataional) SCC driven roadmap implementing the UN General Comments, 19,20,25, Bill 64, and the Pan-Canadian Trust Framework (PCTF) notice and consent framework.

A key objective of this proposal is to present a scheme for certification under the (PCTF). Utilizing the overarching digital identity privacy governance framework to define online notice and consent with technical schema’s defined in International standards and policy rulesets on regulator approved codes of conduct and role-based practice.

Parental Notice & Consent Receipt Gateway

To implement a National Parental Consent Gateway with a scheme that will;

• Propose the extension of the Minor’s Trust Framework (MTF) to provide receipts for an international standard technical code of conduct, explicit to the UN General Comments: and implementable as a National-Inter-Jurisdictional CPPA Code of Conduct with the Pan Candian Trust Framework (PCTF). Note: Subject to international public review, consensus and approval by UN and National Data Protection Regulators.
• To address foreign extra-territorial governance and security interoperability to faciater privacy rights for a dynamic date ecosystem (DDE),
  • address current cyber security breach of children’s data with a National registrar of services processing children’s data.
• To implement, independent of the commercial sphere, and independent of the digital sphere, the principles of privacy and fair practice for people, community, society, children and the planet.
  • We are Not American Consumer ‘s - we are Canadian’s that need a Privacy Protection Act - from American Contracts and Terms (time for Canada to invalidate the IAB standard contract)

Parental Privacy Pilot: A Pan-Canadian Trust Framework Scheme

This scheme is presented to support a national Roadmap and to initiate a call for the immediate and standardized assessment of how eLearning is affecting the most vulnerable of children from unprotected data governance in our provinces and territories.

The research for this national use case includes researching the data governance architecture of eLearning software providers provided to students in Ontario/Canada during the pandemic.

This resulted in the Standard Council of Canada data governance use case, link, and SCC Roadmap workshop on this use case Feb 25th, 2021. All of which is presented from the result of social research, social policy, legal analysis and best practices utilized to develop and implement standards.

One important result is the inclusion of a consent notice receipt in the ISO/IEC 29184 Online Privacy Notice and Consent Standard (appendix d), as well as the vote of the ISO SC 27 group to fast track the Consent Receipt into an international notice and consent record structure to which notice and consent receipts, can be generated independently of service providers. Supported by a community of international standards efforts, and a rally to include people ion the next generation data governance internet infrastructure.

The notice and consent receipt standard and next version of this specification, are intended for release as public standards for use in open-source software development, providing legal to data semantics required to support international and national regulatory data governance at scale. Written to enhance notice and consent frameworks like that represented in the PCTF, with a framework that maintain privacy that people expect.

Privacy as Expected, is a state of privacy expectations that are maintained with a notice and consent receipts. The parental consent gateway managed parents’ expectations independently of the service provider.

These new set of international work efforts (footnote: supported by a newly launched ANCR WG at the Kantara Initiative, for the advanced [active] notice and consent receipt WG, ToiP - Inputs and Semantics, W3C DPV ) and a host of digital governance project implementations.

Summary of Research Children and Youth Surveillance Research

Research conducted in Sept 2020 focused on the data governance, security, privacy and legal compliance requirements of eLearning.

This report illustrated that lack of consistent standardized notice and consent requirements demonstrate that eLearning services are exposing children/youth, schools and the education systems to a lot of liability and un-notified risk. Preventing meaningful consent for parents from being provided. Providing exemptions that further dis-intermediates civil engagement and responsibility for our own choices.

To this end, the most significant comment is the recommendation of the international data governance standards ISO 29184. In particular, recommend using standardized categories for specifying the legal justification for processing children’s data. This is important to address the inter-domain security and privacy issues raised in this research. These standards reduce the need for a tribunal and centralized privacy governance, which can cripple the competitiveness (and market value) of the Candian digital identity ecosystem. Tailored data governance un-necessarily provides manyh for each issue raised. These standards enable data governance interoperability between provinces and their use of protected school education records.

Research Points worth highlighting:

Currently, student’s data in Toronto is being harvested illegally under an IAB Canada Standard Contract, that violates PIPEDA, CPPA and

• The dominant eLearning platforms in use in Canada, display fake privacy claims on their website. (see linked report and progress of ongoing audit) First, eLearning systems report protection under the Privacy Shield (now defunct), and not relevant for Canadian privacy adequacy or adequacy with the US>.
• Claims of eLearning systems don’t reference the IAB contract framework but instead refer to a decision obtained for the 94/95 EU Directive of adequacy, again – this is also a false claim.
• There is no policy indication or specification of compliance with PIPEDA, or the recommended standard for the Ontario school boards and the Ontario Government.
• After an Audit in 2018, critical security and privacy concerns were raised in Ontario. Ref-
  • The different privacy rules for each province, compounded by different rules per school board, increase the cyber security risks.
  • These risks are exploited and utilized as a method to breach data by large Learning device platforms.
• Children’s data is tracked by Google analytics and with cookies, which track students meta data without parental consent.
  • On a platform that has bought services and without consent aggregated its user’s data, in contradiction with law, so as to create a monopoly and for their profit.
• In legal analysis, the IAB standard contract, and the Google ad-tech empire is based on terms and conditions, which are permitted in the United States, and due to US foreign policy do not extend protections to children under COPPA (Childrens Online Privacy Protection Act). Presenting a sever cyber-security gap in eLearning services. Relying solely on what is commonly referred to a ‘contract of adhesion’, which faciliates a lack of extra-territorial data governance, providing un-fair market advantage to US services to surveil and profit off of personal meta-data harvested by tracking people on internet information services.

This call to action highlights the need for advocacy and inclusion beyond the American consumer perspective, and a Consumer Privacy Act, limited by ecommerce politics and concerns, already addressed in Canadian policy. With research presented to the SCC Standards Governance Collaborative, summarily represented here in point form.

• Stop the illegal use of identity management, surveillance by contract (reference to IAB Canada) [Note: complaint to all the Privacy Commissioners in progress.] and Replace with Privacy orientated Agreements, as defined in Bill 64)
• Immediate requirement for the policy for eLearning services to provide for strong legal entity (not service) transparency, and ensure terms and conditions are subject to Canada’s strongest privacy laws. (not subject to un-specified legal exceptions for consumer services)
• The support for the development and adoption of technical standards and safeguards that ensure that the benefits of data processing are provided by consensus and through consent for the immediate/primary benefit of a child’s progression through youth as a student.
• The expansion of the Canadian Provincial (and Territorial) school education records to include e-learning meta data, and a digital identity governance framework that governs the use of identifiers. Thew consideration of all personal education data be included in the sacred data trust that is at the core of the Canadian education system.
• Protect Children’s Meta-data - A national call for a moratorium on American Service Providers - Terms and Conditions in eLearning, and a freeze on the further expansion of any eLearning services that use terms and conditions to track students.
  • Referencing: CNIL – 50 million Euro Fine to Google,
  • The expectation of Privacy by Supreme Court in Canada
  • The illegal aggregation of Canadian’s data by Google Gmail and Youtube
  • The Meaningful Consent Law
• A call for the CPPA to not limit privacy in Canada to consumers and destroy Canada’s global leadership in the privacy industry. Worth much more than a global American Contract Framework,
  • For Example, Change the Name of the Act to: (Children’s Privacy Protection Act) or Canada’s Privacy Protection Act,
• A call for the CPPA to utilize International standards to demonstrate stronger than adequate framework for parental consent, make clear that for any legal justification of processing children’s and youth’s data, without exception to any ‘unknown’ business process or un-consented social benefit (39c). To declare children’s educational surveillance a data trust, entrusted to schools and the school boards of Canada, that implement these standards for Canada’s update to PIPEDA.
  • Note: ISO/IEC 29184 recognizes the EU GDPR categories of legal justification for the processing of personal data as:
    • Quote Categories
  • In the case of a National Parental Consent Gateway,
    • All the provinces would need to adhere to the operational code of conduct for the processing of children’s personal data, implement strong processor transparency.
    • And provide parents with receipts when children’s personal data is processed.
    • A moratorium on the representation of privacy risks for the notices, until they meet the requirements for meaningful consent that all parents should have in Canada today.
      • The use of --PCTF notice and consent module to entrench Canadian law throughout the implementation. with ISO/IEC adoption of notice and consent receipt standards.
      • Promoting the result as an international standard for consented children surveillance in eLearning.

Appendix A: CPPA (Bill C11) Not Adequate with International Standards & Bill 64

• The proposed CPPA does not appear to explicitly provide for the protection of personal data outside of consumer context, and significantly appears to weaken the security of personal data by providing unspecified exemptions for public benefit and business.
  • The Consumer Privacy Protection Act portrays Canadian privacy within the scope of electronic commerce, rather that electronic commerce within the scope of privacy.
  • The Child is not protected, unless the Canadian Child is a consumer, and under a contract, that is not subject to laws like the Foreign Intelligence Surveillance Act, in which US protections are negated. Today this is enabling service providers to aggregate personal data without consent with the use of attribute surveillance across legal domains, with advanced digital identity technology.
  • Clearly, in violation of the second principle of the charter 2. Safety and Security, https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html, the CPPA appears to decrease the safety and security of processing by providing for non-standard use of personal data without consent or transparency.
• The CPPA does not specify legal justifications for processing personal data without consent and decreases the adequacy of consent for the transfer of personal data across the internet.
• The CPPA provides exemptions for the tracking of children’s and youth’s educational data without parental knowledge or consent and significantly weakens the Canadian international advantage.
• The CPPA does not appear to recognize or facilitate the parent’s ability to provide consent for the processing of personal data.
• The CPPA should recognize eLearning data as children’s as a part of the student’s educational record and protected for re-use by schools as a data trust that benefits the school, local community or provinces exclusively.
  • Negating the economic value and benefit of personal data control and integrity from the use of data governance standards by local and regional student community.
• Perhaps the single most significant flaw to the CPPA.
  • The CPPA recognizes a contract in place of privacy, where privacy is subject to a foreign contract framework. When the CPPA should require contracts and terms and conditions to be subject to Canadian Privacy. (s11)
  • Section 11, of CCPA, should make explicit the data governance risks in a notice, to include the lack of protection or adequacy under contract of service providers in the USA as the Foreign Intelligence Surveillance Act, negates this protection. This has been upheld by the European Commission who as negated the Privacy Shield as it is not adequate for privacy protection of children’s data and meta-data.
    • European Data Protection Board, “Statement on the Court of Justice of the European Union Judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems,” July 17, 2020, https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en
• The CPPA does not present a clear set of legal justifications for the processing of personal data. Nor does it specify regulated exemptions which can be determined to have adequacy with the GDPR (EU General Data Protection Regulation), and therefore not only does not provide protection for children’s data online nationally or internationally, but instead, provides ambiguous and inadequate exemptions for the collection and use of children’s metadata without parental consent. In a seeming contradiction of Canada’s own guiding principles.
• The CPPA should seek to provide for a respect for human needs, which are not governed by digital identity surveillance, and directly address the non-compliant use of -existing digital identity systems. Seek to provide an alternative infrastructure instead of providing Canadians with options to altruistically, contribute data to schools, communities, the government or business for social good. And does so ie without consensus on behalf of people. This, in and of itself, is a tremendous violation of international privacy principles and the OECD Guidelines for Transborder flow’s
• Adopt the strongest provincial privacy regulation as national regulation to gain most economic value, defend Canadian cyber-physical security. Bill 64 as the Canadian standard for Privacy as it enables legally the operational data governance of an it system with Next Generation Internet – Dynamic Data Controls. Based on International standards and harmonized semantics.
• Consider using Notice and Consent Receipts for decentralized data governance as an alternative to a centralized and politicized tribunal.

Recommendations in line with Bill 64

Bill 64, at the outset of the draft bill states:

“Furthermore, the consent of the person having parental authority must be obtained to collect, use and release personal information concerning a minor under 14 years of age.”

The CCPA – provides consumers not children with privacy protections.

We recommend:

Adoption of Bill 64 Consent Requirements and the promotion of the strongest provincial privacy regulation as national regulation to gain most economic value, defend Canadian cyber-physical security. In particular with respect to the protection of children’s data. As reviewed here.

First and foremost, Bill 64 enables operational data governance and places Canada in a competitive market position for the Next Generation Internet – Dynamic Data Controls. Based on International standards and harmonized semantics.

In reference,

“64.1. The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.”

“65.0.1. In addition to the information that must be provided in accordance with section 65, anyone who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person.

(1) of the use of such technology; and

(2) of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.

In Review of Legal Semantics and Standardize Data Governance Vocabulary: (an engineering note from the ANCR-WG at the Kantara Initiative) PIPEDA and BILL C-64 provide strong data governance, where-as the CPPA, makes justifications for processing unclear, with ambiguous exemptions not specified, or deferred to a centralized legal process for review by a tribunal.

When reviewing, please provide assurances of the adequacy for the ‘Protection of Children and Youth’ by specifying assurances that:

• Legitimate interests are specified in regard to the expected Transparency over the beneficial owners of meta data being processed, and in specific reference to US based service Terms & Conditions, and the Canadian IAB Contract framework.
• Please clarify any un-specified, non-standardized legal exemptions for processing personal data, to ensure adequacy (or a lack thereof) at a national and international level with standards. [engineering note: This is critical for engineering operational privacy and extending privacy digitally with legal semantics]
• Seek to assurance the privacy engineering community in Canada, that the CPPA doesn’t create a reliance on a Tribunal, impeding the urgent need for implementing security and privacy governance standards and the PCTF framework, unduly politicizing the harmonized semantics required for digital notice, explicit consent and best practices to manage the un-governed and advanced digital identity management surveillance technologies. For example, to enable people to share their own information for altruistic (parental consent) purpose and use their rights independently with Canadian digital identity systems.