The federal Minister of Innovation, Science and Industry introduced this week Bill C-11, “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts” (the “Act”). Prior to the introduction of the Act, there were concerns that the new Act would effectively be a “Made in Canada” GDPR. However, while the Act (which, as a legislative bill, still has to proceed through an extensive legislative process and will likely be subject to change) has taken the lead from the EU General Data Protection Regulation in introducing enormous financial penalties, as well as the right of data portability and the right to be forgotten, the Act is, in pith and substance, PIPEDA redux.
There is much to comment on in the Act, including the penalty mechanisms and the private right of action. However, this bulletin instead aims to provide a high-level compliance guide to the Act, from the perspective of privacy officers of organizations that are already PIPEDA compliant and are seeking specific guidance as to what the net new compliance requirements are.
1. New Additions
The Act introduces the new GDPR concepts of the right of data portability and the right to be forgotten, but also largely copies certain pre-existing rights in PIPEDA, in many cases from their previous awkward position in the “Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96”, which was scheduled to PIPEDA. In short, the proposed Act introduces a few new individual rights of significance based on the GDPR with which organizations will need to become familiar, but most of the individual rights are simply PIPEDA redux – i.e. restatements, clarifications and expansions of existing PIPEDA provisions. This will assist organizations seeking to comply with the new proposed Act, if and when it comes into force.
To assist, we have reviewed below some of the net new additions to PIPEDA that would be made by the Act if enacted, divided into (a) additions taken from the GDPR, and (b) other net new additions to the existing PIPEDA framework.
a. GDPR Rights of Data Portability and to be Forgotten
i. Right of Data Portability (GDPR: Article 20 (Data Portability))
How is this New: Under PIPEDA, individuals are, upon request, entitled to be given access to their personal information. The individual may themselves “port” their personal information to another organization if they so wish. The new Act, however, contemplates a more direct “Disclosure under data mobility framework”, such that upon the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a “data mobility framework” provided under the regulations.
Commentary: This is a new right and therefore will require organizations to implement a new compliance mechanism. The challenge of course is that what a data mobility framework looks like would still need to be prescribed by regulations, which are to (a) enumerate how such networks must provide for (i) safeguards that must be put in place by organizations to enable the secure disclosure of personal information and the collection of that information, and (ii) parameters for the technical means for ensuring interoperability in respect of the disclosure and collection of that information; (b) specify organizations that are subject to a data mobility framework; and (c) provide for exceptions to the right of data portability, including exceptions related to the protection of proprietary or confidential commercial information.
ii. Right to Withdraw/Remove/Erase Basic Personal Data from a Platform (GDPR: Article 17 (Right to erasure (‘Right to be forgotten’)))
How is this New: Individuals already have the right under PIPEDA to withdraw their consent for the collection, use and disclosure of their personal information, subject to legal or contractual restrictions and reasonable notice. Inspired by “the right to be forgotten” under the EU GDPR, the proposed Act now provides for “Disposal at individual’s request”, such that upon receiving a written request from an individual to dispose of personal information that it has collected from the individual, the organization must, as soon as feasible, dispose of the information, unless (a) disposing of the information would result in the disposal of personal information about another individual and the information is not severable; or (b) there are other requirements of this Act, of federal or provincial law or, notably, of the reasonable terms of a contract, that prevent it from doing so.
Commentary: Again, this is a new right and therefore will require organizations to implement a new compliance mechanism. As many commentators have noted in connection with the GDPR, the practical complexities of effecting the right to be forgotten are significant. However, Canadian organizations will be able to take the lead from organizations in the EU Member States which have already had to comply with this requirement.
We also note that the new Act contemplates that organizations may adopt a code of practice (a “code of conduct” under the GDPR), and may do so as part of a certification program (referenced as “data protection certification mechanisms and of data protection seals and marks” under the GDPR) which is approved by the Commissioner. While a detailed review of those concepts is beyond the scope of this bulletin, it is noteworthy that where an organization that is subject to a complaint is a certified member of an approved certification program, they may have safe harbour from the Commissioner carrying out an investigation, and do have safe harbour from the Commissioner recommending a penalty to the Personal Information and Data Protection Tribunal (the “Data Tribunal”).
b. Other New Compliance Requirements
While necessarily not exhaustive, we have highlighted below some of the new compliance requirements which should be of most interest to privacy officers.
i. Valid Consent
How is this New: PIPEDA already imposes a reasonably robust set of requirements on organizations in order to ensure that their consents are clear and informed:
- Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
- To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
However, the Act does add some discrete additional preconditions in order for a consent to be valid:
- the information has to be provided in “plain language” (although this is taken from GDPR language, it arguably does not add any obligation that is not already in PIPEDA, as noted above);
- the specific type of personal information that is to be collected, used or disclosed must be identified; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information must be identified.
Commentary: Privacy officers should revisit and amend as required their current consents in order to address these new requirements.
ii. Recording of Purposes
How is this New: In addition to identifying each of the purposes for which the information is to be collected, used or disclosed, organizations are now required to also “record” those purposes.
Commentary: Best practice would require that an organization’s internal and external privacy policies enumerate the purposes in any case, and update same from time to time, so this should not require the expenditure of material additional compliance effort.
iii. Appropriate Purposes
How is this New: PIPEDA already limits an organization from collecting, using and disclosing personal information to only those purposes which a reasonable person would consider appropriate in the circumstances. However, the Act now expressly requires that an organization take the following factors into account in determining whether the purposes are appropriate: (a) the sensitivity of the personal information; (b) whether the purposes represent legitimate business needs of the organization; (c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs; (d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and (e) whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Commentary: Privacy officers should revisit the purposes for which they are collecting, using and disclosing personal information, and document their analysis so their organization can evidence that it went through this exercise to confirm that the purposes were appropriate.
iv. Business Activities Exception
How is this New: There is now a significant “business activities” exception from the requirement to obtain consent before the collection or use of personal information: that is, (a) if the collection or use is made for a “business activity”, (b) a reasonable person would expect such a collection or use for that activity, and (c) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
“Business activities” are defined as (a) an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization; (b) an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk; (c) an activity that is necessary for the organization’s information, system or network security; (d) an activity that is necessary for the safety of a product or service that the organization provides or delivers; (e) an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and (f) any other prescribed activity.
Commentary: This is a significant new consent exemption, and one which privacy officers will have to closely examine in order to determine how it may affect the consent framework adopted by their organization.
v. New Content for Privacy Policies
How is this New: PIPEDA already requires that an organization make readily available to individuals information about its policies and practices relating to the management of personal information. However, the new Act requires not only that this information be made available “in plain language”, but also that the information now include the following specific additional information: (a) a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them; (b) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications; and (c) how an individual may make a request for disposal or access.
Commentary: Privacy officers will need to review their existing, publicly facing privacy compliance collateral and amend as required in order to meet this new requirement. In addition, the ambiguous requirement to identify whether any of the organization’s international or interprovincial transfers of personal information “may have reasonably foreseeable privacy implications” will require additional scrutiny.
vi. De-identification of personal information
How is this New: The Act proposes a new set of obligations that relate specifically to de-identification. It allows an organization to use an individual’s personal information without their consent to de-identify the information, and to use such de-identified information without their consent for the organization’s internal research and development purposes, if the information is de-identified before it is used. Further, with respect to the de-identification process, the Act (a) requires that the organization that is de-identifying the personal information ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information, and (b) prohibits the use of de-identified information, alone or in combination with other information, to identify an individual (except to conduct testing of the effectiveness of the organization’s security safeguards for that information).
Commentary: Organizations that use de-identified information now need to test their de-identifying processes against the standard set out in the Act.
vii. Business Transactions
How is this New: PIPEDA sets out certain preconditions for the use and disclosure of personal information for conducting due diligence for prospective business transactions, and closing such transactions. The Act adds new preconditions to both activities:
- For due diligence, the information must be de-identified before it is used or disclosed and remain so until the transaction is completed; and, in addition to the existing PIPEDA requirement that the applicable organizations must have entered into an agreement that binds the organization receiving the information, the organizations must now have complied with that agreement.
- For the completion of the business transaction, in addition to the organizations being required to have entered into an agreement that requires each of them to use and disclose the information under its control solely for the applicable purposes, to protect that information by security safeguards, and to give effect to any withdrawal of consent, the organizations must have complied with the agreement.
Commentary: This is a significant and problematic requirement. Among other issues, that means that should the recipient organization breach the agreement years after the transaction, that transaction was never valid, consent is now required, and the non-breaching party is now offside of the Act through no fault of their own. That will significantly affect provisions regarding post-closing liabilities.
Stay tuned for Part 2 of this bulletin, which will highlight the provisions of the Act which, if breached, could lead to the imposition of significant fines, and will use those as a guide as to which “hot button” features of an organization’s privacy compliance program will likely be the focus of enforcement, and as such should be revisited by privacy officers.