On November 17, 2020, the Canadian government tabled substantial changes to Canadian privacy law in Bill C-11, the Digital Charter Implementation Act, 2020 (Act). The Act proposes to:
• enact the Consumer Privacy Protection Act (CPPA) to replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the part of PIPEDA that addresses privacy in the private sector; and,
• enact the Personal Information and Data Protection Tribunal Act establishing the Personal Information and Data Protection Tribunal (Tribunal), which would hear recommendations of and appeals from decisions of the Privacy Commissioner of Canada (Commissioner).
The CPPA retains the principles-based approach of PIPEDA, but it integrates and adds to those principles directly in the act rather than set them out in a schedule like PIPEDA. Notably, the CPPA includes new regulatory tools to address compliance and much more severe remedies for non-compliance:
• New powers for the Commissioner, including audit and order making powers.
• The ability for the Commissioner to recommend, and for the Tribunal to impose, penalties up to the greater of $10 million or 3% of an organization's annual global revenues.
• Significantly expanded offences with fines up to the greater of $25 million or 5% of annual global revenues.
• A private right of action to permit recourse to the courts in certain circumstances.
A high-level summary of key features of the CPPA and the role of the Tribunal is set out below.
Like PIPEDA the CPPA is consent based, but both the requirements for obtaining consent and the exceptions to consent are expanded.
The CPPA provides that consent is only valid if obtained before or at the time of collection, or before any new use or disclosure, if organizations notify individuals, in plain language, of the type of personal information that the organization collects, uses, and discloses, and of the purposes, manner, and consequences of the collection, use, and disclosure. Organizations must also identify any third parties to whom personal information will be disclosed. Individuals may withdraw their consent subject to law and the "reasonable terms of a contract". Relatedly, in its transparency and openness requirements, the CPPA also requires organizations to make readily available in plain language information that explains their policies and practices put in place to fulfil their obligations under the CPPA.
The expanded exceptions to consent include:
• The collection or use of personal information for certain business activities, including an activity required to provide products or services to an individual or an activity where it would be impractical to obtain consent because there is no direct relationship between the organization and an individual, in each case provided the individual would expect the collection or use and it is not for the purposes of influencing the behaviors or decisions of the individual.
• Public interest purposes as set out in the CPPA.
• Transfers of personal information to service providers.
• De-identifying personal information.
Transfers of Personal Information and Service Providers
Where an organization transfers personal information to a service provider it must ensure substantially the same protection of the personal information (by contract or otherwise) that the organization is required to provide under the CPPA. Service providers must safeguard personal information and provide notice of any breach of security safeguards to the organization who controls the personal information. Otherwise, provided that a service provider only uses the transferred personal information for the purposes for which it was transferred, service providers are exempt from the obligations of the CPPA with respect to the transferred personal information.
An organization's readily available policies must include a description of interprovincial and international transfers of personal information and the privacy implications of those transfers.
Enhanced Individual Rights: Disposal of Personal Information and Mobility
Section 55 of the CPPA requires an organization to dispose of the personal information it has collected from an individual, as soon as feasible, on written request unless disposing of such information will result in disposal of personal information about another individual, or the disposal is prevented by law or the reasonable terms of a contract. The organization must also inform any service provider to which it has transferred the information and obtain confirmation from the service provider that the information has been disposed of.
The CPPA also allows an individual to request one organization to disclose their personal information to another designated organization where both organizations are subject to a data mobility framework provided under the regulations. It is worth noting, however, that the regulations were not released with the Act and the sections of the CPPA related to data portability may come into force separately from the rest of the CPPA.
New Rules for Automated Decision Systems
The CPPA also addresses the impacts on privacy rights and personal information protection in relation to AI and other automated decision-making. Organizations that use technology that assists or replaces the judgement of a human decision-maker, such as rules-based systems, machine learning, deep learning, and neural nets, must, on request by an individual, provide an explanation of any prediction, recommendation, or decision made about the individual, and of how the personal information that was used to make the prediction, recommendation, or decision was obtained. Organizations are also required to include in the description of their policies a general account of their use of any automated decision system that could have significant impacts on individuals.
These sections are likely to become increasingly relevant as more organizations adopt a wider array of automation and artificial intelligence technologies and use such technologies in their business processes.
The CPPA defines de-identifying personal information as modifying or creating information using technical processes to ensure that it cannot be used "in reasonably foreseeable circumstances" to identify an individual, either alone or in combination with other information. Where an organization de-identifies information, it must use technical and administrative measures proportionate to the purposes of de-identification and the sensitivity of the personal information being de-identified. The CPPA prohibits organizations from using de-identified information to identify an individual except to test the organization's safeguards to protect the information.
New Commissioner Powers, the Personal Information and Data Protection Tribunal, and New Sanctions for Non-Compliance
The Act represents a very significant departure from the current enforcement model in Canada and would present materially greater legal and reputational risks to organizations in relation to non-compliance with federal privacy law. Currently the Commissioner has no power to make orders or to recommend monetary penalties. The CPPA provides for both, and organizations subject to Canadian privacy law will face a range of potential sanctions, including significant monetary penalties and awards, and litigation proceedings.
The Personal Information and Data Protection Tribunal Act establishes the Personal Information and Data Protection Tribunal and grants the Tribunal jurisdiction over the penalties that may be imposed under the CPPA. The Tribunal must provide a decision, with written reasons, to all parties to a proceeding, and must make its decisions and the reasons for them publicly available.
The CPPA expands the powers of the Commissioner to conduct inquiries and impose penalties through recommendations to the Tribunal. The Commissioner is also granted order-making powers, which may be made directly by the Commissioner and then appealed to the Tribunal.
Where the Commissioner has conducted an inquiry under Section 88 or 89 of the CPPA and has determined that an organization has contravened certain sections of the CPPA, including those related to consent, limiting collection, use, and disclosure of personal information, the retention and disposal of personal information, and security safeguards, the Commissioner may make a recommendation to the Tribunal to impose a penalty. The Tribunal then may, by order, impose a penalty where it determines that the penalty is appropriate.
Where the Commissioner has conducted an inquiry and instead of recommending a penalty, finds it appropriate to impose an order, it may do so directly. The Commissioner's order powers are outlined in Section 92 of the CPPA and include orders to: (i) take measures to comply with the CPPA, (ii) stop doing something that is in contravention of the CPPA, (iii) comply with the terms of a compliance agreement entered into by the organization, or (iv) make public any measures taken or proposed to be taken to correct the policies, practices, or procedures that the organization has put in place to fulfil its obligations under the CPPA. These orders may be appealed to the Tribunal within 30 days.
Penalties and Fines
Where the Commissioner has recommended a penalty, the Tribunal may impose a penalty up to the greater of $10,000,000 and 3% of the organization's annual gross global revenue.
The CPPA also provides for fines for knowingly contravening its provisions relating to reporting of breaches of security safeguards, maintaining records of breaches of safeguards, retaining information subject to an access request, using de-identified information to identify an individual, and whistleblower protections, or for obstructing a Commissioner investigation, inquiry, or audit. In these cases, a fine not exceeding the greater of $25,000,000 and 5% of an organization's annual gross global revenue may be imposed on indictment, or the greater of $20,000,000 or 4% of annual gross global revenues on summary conviction.
Private Right of Action
The CPPA provides a private right of action against organizations for damages for loss or injury in certain limited circumstances. Specifically, where the Commissioner makes a finding that an organization has contravened the CPPA and the organization does not appeal to the Tribunal or the appeal is dismissed, or the Tribunal itself makes a finding that the organization has contravened the CPPA, an individual affected by the contravention has a cause of action. The cause of action may be heard in the Federal Court or the superior court of a province, raising the spectre of increased litigation and class action proceedings in relation to non-compliance with the CPPA.
There is no guarantee that Bill C-11 will pass in its current form, particularly given the current minority Parliament. Nor is there yet any indication of when the Act or certain of its provisions may come into force or what the length of any transition period would be (the date of the coming into force of the Act and certain provisions of the CPPA are to be set by an order of the Governor in Council). To date, the bill has only been introduced in the House and received the 1st Reading. The contents of the bill are likely to change considerably as it advances through 2nd and 3rd reading in Parliament and receives study at applicable Standing Committees. However, the Act is part of a trend towards privacy law reform in Canada, including as reflected in recent sweeping changes proposed in Quebec (click here to read more about those changes), and internationally with the EU's General Data Protection Regulation (GDPR) and the California Consumer Protection Act.
The Act is certain to attract very strong attention from domestic and foreign organizations that collect information about Canadians and are subject to Canadian privacy law, particularly in light of the impacts of the COVID pandemic and the additional compliance costs and risks of material liability that the CPPA represents. Organizations and trade associations should consider the impact of the Act and its evolution as it progresses through Parliament and be prepared to propose improvements and to address any unintended consequences of its reforms.