On November 17, the Honourable Navdeep Bains, Minister of Innovation, Science and Industry, introduced Bill C-11, the Digital Charter Implementation Act, 2020. If passed, this highly anticipated bill would overhaul the federal government’s approach to regulating privacy in the private sector by repealing the parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that regulate the processing of personal information and enacting a new Consumer Privacy Protection Act (CPPA or Act). The bill would also enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and impose penalties for contravention of certain of its provisions.
As expected, the CPPA redrafts PIPEDA’s much criticized Schedule of privacy principles into substantive provisions in the body of the Act. Many of PIPEDA’s obligations have been carried over into the CPPA. However, the CPPA also creates several new and enhanced obligations for private-sector organizations including:
- An obligation to implement a privacy management program that includes policies, practices and procedures designed to ensure compliance with the CPPA and to provide the Commissioner with access to those policies, practices and procedures upon request
- Requirements to provide plain-language explanations about the processing of personal information, both in connection with obtaining valid consent and to meet transparency requirements under the CPPA
- Data portability rights to give individuals greater control over the transfer of their personal information from one organization to another
- The obligation to allow individuals to request that the organization dispose of their personal information, subject to limited exceptions
- New transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence, requiring businesses to explain how such systems are utilized
- Rules governing how and when de-identified information derived from personal information may be created, used and shared
- An obligation for organizations to de-identify personal information prior to sharing it with parties in the context of a proposed business transaction, for example, in the due diligence phase
Below we provide a high-level overview of some key aspects of Bill C-11, including proposed changes to the consent and enforcement regimes.
SCOPE
Like PIPEDA, the CPPA would apply to organizations that collect, use or disclose personal information in the course of commercial activities, as well as in respect of personal information about an employee collected, used or disclosed by an organization in connection with the operation of a federal work, undertaking or business. The CPPA provides a new definition of “commercial activity” that would mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization’s objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome.” This new definition removes the specific reference made in PIPEDA to “the selling, bartering or leasing of donor, membership or other fundraising lists.”
The CPPA would also maintain the ability for the Governor in Council to exempt organizations from the application of the Act where “substantially similar” provincial privacy legislation applies in respect of collection, use or disclosure of personal information occurring within that province. The CPPA specifies that where such an exemption exists, it only applies to personal information processing that occurs within the relevant province, and the CPPA will continue to apply to personal information that is collected, used or disclosed interprovincially or internationally.
The CPPA also helpfully clarifies that the obligations under the Act apply to organizations with personal information under their control, and only certain provisions of the DCIA, including specific requirements relating to breach reporting, apply directly to service providers.
REFORMED CONSENT REGIME
The new legislation provides a reformed consent regime. While the Act generally requires “valid consent” for any collection, use or disclosure of personal information, and provides a list of conditions that must be met in order for consent to be considered valid, it expands on the exemptions that allow personal information to be collected, used and disclosed without consent.
For example, the CPPA would exempt organizations from having to obtain “valid consent” to collect and use personal information for specified “business activities” where:
- A reasonable person would expect such a collection or use for that activity, and
- The personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions
Specified “business activities” include:
- An activity that is necessary to provide or deliver a product or service that the individual has requested from the organization
- An activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk
- An activity that is necessary for the organization’s information, system or network security
- An activity that is necessary for the safety of a product or service that the organization provides or delivers
- An activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual
- Any other prescribed activity
The CPPA also clarifies that organizations are not required to obtain consent to de-identify personal information or transfer personal information to a service provider.
THIRD-PARTY CODES OF PRACTICE AND CERTIFICATION PROGRAMS
If passed, Bill C-11 would create a framework for third-party codes of practice and certification programs. An entity, which could include any type of organization such as a not-for-profit organization or government institution, may apply to the Privacy Commissioner of Canada for approval of a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protections provided for by the CPPA.
An entity may also apply to the Commissioner for approval of a certification program that includes specified requirements, including a code of practice, a mechanism to certify compliance with the code of practice, a mechanism for the entity to audit compliance with the code of practice, disciplinary measures for non-compliance, including revocation of a certification, and any other requirements that may be provided for by regulation.
The CPPA gives the Commissioner the power to request that an entity operate an approved certification program and work with entities that operate approved certification programs, including in respect of the Commissioner’s enforcement activities. While compliance with a code of practice or certification program will not relieve an organization of its obligations under the CPPA, it does offer some benefits. For example, the Commissioner cannot recommend that a penalty be imposed on an organization for a contravention of the CPPA, if the Commissioner is of the opinion that, at the time of the contravention, the organization was in compliance with the requirements of an approved certification program.
STRONGER ENFORCEMENT REGIME
The CPPA would give the Privacy Commissioner of Canada additional enforcement powers, beyond what is currently provided under PIPEDA.
For example, the CPPA would give the Commissioner the power to make orders requiring organizations to conform with and stop contravening the CPPA, comply with a compliance agreement or make public measures taken to correct privacy practices. Currently, the Commissioner does not have the power to make orders after findings of non-compliance. In addition, if after completing an inquiry the Commissioner finds that an organization has contravened one or more specified provisions of the CPPA, the Commissioner would be able to recommend that a newly created Personal Information and Data Protection Tribunal impose a monetary penalty of up to C$10-million or three per cent of the organization’s total global revenues for the prior financial year. This Tribunal would be composed of three to six members appointed by the Governor in Council on the recommendation of the Minister of Innovation, Science and Industry.
The CPPA also provides for even greater fines for various offences under the CPPA — up to the higher of C$25-million or five per cent of the organization’s gross global revenues for the prior financial year.
Additionally, a private right of action would be available for an individual who suffered damages or injury caused by a contravention of the Act for which the organization has been the subject of an adverse finding by the Commissioner or Tribunal, or where the organization has been convicted of an offence. This means that an organization may be subject to a Tribunal penalty and face claims under the private right of action.
Bill C-11 is expected to be debated in the House of Commons, and further amendments may be proposed. If passed, the CPPA may come into force quickly, on a date fixed by order of the Governor in Council. However, the bill contemplates that certain provisions, specifically those relating to data mobility, and codes of practice and certification programs, may come into force on a different date.