The Canadian government’s long-awaited overhaul of existing federal private-sector privacy legislation finally arrived on November 17, 2020, with the first reading of Bill C-11 An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2020 (Bill C-11) Bill C-11 would enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). Together, the CPPA and the PIDPTA have introduced bold new measures into Canada’s privacy law and have brought it into closer alignment with European data protection and privacy standards. This article provides some highlights of the proposed legislation.
NEW ENFORCEMENT POWERS AND FINANCIAL PUNISHMENTS FOR CONTRAVENTIONS TO THE ACT
The CPPA expands the federal Privacy Commissioner of Canada’s (the Commissioner) enforcement powers. Following investigation and inquiry into a contravention of the CPPA, the Commissioner can issue orders to ensure that organizations comply with the CPPA.[1] Contravening a compliance order is an offense subject to financial punishment, as set out below.[2]
The Commissioner can also recommend to the newly established Personal Information and Data Protection Tribunal (the Tribunal) that it should impose financial penalties if an organization has contravened the CPPA.[3] The Tribunal presides over hearings related to financial penalties recommended by the Commissioner and non-penalty-related appeals.[4] The Tribunal can impose a maximum financial penalty for contraventions of the CPPA of the higher of $10 million and 3 percent of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.[5]
As alluded to above, the CPPA introduces new offenses, with heavy financial punishments. Any party found guilty of an indictable offense and liable may pay a fine not exceeding the higher of $25 million and 5 percent of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced, or $20 million and 4 percent for summary judgment, respectively.[6] These offenses include:
- if an organization fails to report to the Commissioner any breach of security safeguards involving personal information under its control where the breach may result in a reasonable risk of significant harm to an individual,[7]
- if a service provider fails to notify the organization that controls the personal data of a data breach involving personal information,[8]
- if an organization attempts to re-identify individuals using de-identified information,[9] and
- if an organization disposes of personal information after an individual has requested access to it and the individual has not exhausted the individual’s recourse under the CPPA.[10]
PRIVATE RIGHT OF ACTION
The CPPA establishes a new cause of action for individuals who are affected by an act or omission by an organization that constitutes a contravention of the CPPA against the organization for damages for loss or injury that the individual has suffered as a result of the contravention. To commence this action, the Office of the Privacy Commissioner and the Tribunal must have made findings that the organization has contravened the CPPA, and the finding was not appealed to the Tribunal or the Tribunal has denied the appeal.[11]
CODIFICATION OF THE 10 PRIVACY PRINCIPLES AND NEW REQUIREMENTS
The CPPA codifies the Ten Data Privacy Principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) into law[12] and introduces new requirements on organizations, including:
- requiring every organization to establish, implement, and make available a privacy management program, which, among other requirements, must be attuned to the volume and sensitivity of the personal information being collected, used, and stored,[13] and
- restricting how an organization can make use of de-identified information to prescribed circumstances.[14]
The CPPA also explicitly prescribes how organizations acquire valid consent. In most cases, an organization must obtain express consent from an individual and disclose in plain language:
- the purposes for the collection, use, or disclosure of personal information determined by the organization,
- the way in which the personal information is to be collected, used, or disclosed,
- reasonable foreseeable consequences of the collection, use, or disclosure of personal information when obtaining consent from an individual,
- the specific type of personal information that is to be collected, used and disclosed, and
- the names or types of third parties to which the organization may disclose personal information when obtaining consent from an individual.[15]
Additionally, organizations that use personal information to inform their automated decision-making tools to make predictions about individuals (such as certain AI systems) are required to:
- deliver a general account of the organization’s use of any automated decision system to make predictions, recommendations, or decisions about individuals that could have significant impacts on them,[16] and
- retain the personal information related to the decisions for a sufficient period of time to permit the individual to make a request for access[17] (as described below in New Rights for Individuals).
SERVICE PROVIDERS
Under the CCPA, organizations are deemed to have control over personal information even when such organizations outsource or otherwise deploy a service provider that collects, uses, and discloses on the organization’s behalf.[18] Accordingly, organizations must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as the organization is required to under the CPPA.[19] Service providers have an obligation to maintain adequate security safeguards to protect personal information and inform the organization that controls the personal information of any breach of its security safeguards in accordance with the requirements of the CCPA.[20]
CODES OF PRACTICE AND CERTIFICATION PROGRAMS
The CPPA also allows the Commissioner to approve and certify codes of practice and certification programs designed by nongovernmental entities. These codes and certifications must offer the same or substantially the same or greater protection of personal information under the CPPA. However, the organizations that comply with these codes of practice or certification programs must still meet their obligations under the CPPA.[21]
NEW RIGHTS FOR INDIVIDUALS
In addition to codifying the access rights discussed in the PIPEDA’s Ten Data Privacy Principles,[22] CPPA establishes three new rights for individuals regarding their personal information:
- Data mobility rights: Individuals can request an organization to directly transfer their personal information from one organization to another (subject to both organizations being part of a data portability framework).[23]
- Transparency and explanation rights: Individuals can request an organization that uses automated decision making based on the individual’s personal information to provide them with an explanation of the prediction, recommendation, or decision and of how the personal information that was used to make the prediction, recommendation, or decision was obtained.[24]
- Disposal rights: Individuals can request an organization dispose of their personal information.[25]
NEXT STEPS
While this is only the first reading of Bill C-11, the second reading will take place shortly, and debates and committee will follow. The proposed amendments to Canada’s federal private-sector framework as described in Bill C-11 are significant and meaningful and will likely require many organizations to tighten up their existing privacy and security practices.
[12] Accountability, identifying purposes, consent, limiting collection, limiting use disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
[14] CPPA, s. 20, 21, 39(1), 74, and 75.
[22] The right to withdraw consent from a provider to collect, use, and disclose their personal information, and to access and correct their personal information.