After a hiatus of almost two years, the Canadian Government has finally recommenced its long-awaited overhaul of existing federal private sector privacy legislation. On June 16, 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, known as the Digital Charter Implementation Act, 2022 (“Bill C-27”), received its first reading in Parliament. The Artificial Intelligence and Data Act is not covered in this article and will be summarized separately.
Similar to its predecessor privacy reform bill, Bill C-11,[1] Bill C-27 introduces bold new measures into Canada’s privacy law that will significantly impact Canadian businesses: Canadian businesses will be required to invest in the protection of personal information or face heavy administrative monetary penalties for non-compliance. Furthermore, these measures bring Canadian privacy law into closer alignment with the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”) and with Québec’s privacy reforms introduced by the recently enacted Bill 64. Closer alignment with the GDPR and Bill 64 will assist Canada in maintaining its adequacy status under the GDPR and in being considered a substantially similar jurisdiction under Bill 64, respectively. This allows Canadian businesses to transfer personal information from the EU and Québec to Canada and to provinces outside of Québec without additional data protection safeguards. The following are highlights from Bill C-27. Those who are familiar with Bill C-11 will note that Bill C-27 reintroduces many of the concepts that were first introduced by Bill C-11.
New Enforcement Powers and Financial Punishments for Contraventions of the Act
The Consumer Privacy Protection Act (“CPPA”), which will repeal Part 1 of Canada’s existing federal private sector privacy act, the Personal Information Protection and Electronic Documents Act, expands the enforcement powers of the federal Privacy Commissioner of Canada (the “Commissioner”). Following an investigation and inquiry into a contravention of the CPPA, the Commissioner can issue orders to organizations to ensure that they comply with the CPPA. Contravening a compliance order is an offence subject to the financial punishments set out below.
The Commissioner can also recommend to the newly established Personal Information and Data Protection Tribunal (the “Tribunal”) that it impose financial penalties on an organization that has contravened the CPPA. The Tribunal presides over hearings related to financial penalties recommended by the Commissioner, as well as appeals of the Commissioner’s findings and orders. The Tribunal can impose administrative monetary penalties for contraventions of the CPPA of up to the greater of $10,000,000 and 3% of the organization’s gross global revenue in the financial year before the one in which the penalty is imposed.
Moreover, the CPPA introduces new offences carrying even higher financial punishments. These offences include:
- failing to report to the Commissioner a breach of security safeguards involving personal information under the organization’s control where it is reasonable to believe that the breach creates a real risk of significant harm to an individual,
- using de-identified information to re-identify an individual, other than under the prescribed exceptions, and
- disposing of personal information after an individual has requested access to it and before the individual has exhausted their recourse under the CPPA.
An organization found guilty of any of the offences listed above faces, on conviction on indictment, a fine of up to the greater of $25,000,000 and 5% of its gross global revenue in the financial year before the one in which it is sentenced, and, on summary conviction, a fine of up to the greater of $20,000,000 and 4% of that revenue.
Private Right of Action
The CPPA establishes a new private right of action for individuals who are affected by an act or omission of an organization that constitutes a contravention of the CPPA. The private right of action allows these individuals to sue the organization for damages for loss or injury suffered as a result of the contravention. Before such an action can be commenced, the Commissioner or the Tribunal must have found that the organization contravened the CPPA; where the finding is the Commissioner’s, it must not have been appealed to the Tribunal, or the Tribunal must have dismissed the appeal.
Codification of the 10 Privacy Principles and New Requirements
The CPPA codifies the Ten Fair Information Principles of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) into law and introduces new requirements on organizations.
Privacy Programs
Every organization must implement and maintain a privacy management program which, among other requirements, must be proportionate to the volume and sensitivity of the personal information the organization collects, uses, and stores. The Commissioner may review these programs on request and may provide guidance and recommend corrective measures to the organization.
Anonymous and De-identified Information
Bill C-27 contains a revised definition of de-identified information and adds a definition of “anonymise” to distinguish the two forms of information. “Anonymise” means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified, directly or indirectly, from the information by any means. By contrast, “de-identify” means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. Anonymised information is not personal information; indeed, anonymising personal information amounts to its disposal. De-identified information remains personal information, except for the purposes of certain provisions.
Consent
Drawing on the Commissioner’s previously published “Guidelines for obtaining meaningful consent,” the CPPA explicitly prescribes how organizations must obtain valid consent. In most cases, an organization must obtain express consent from an individual and, when doing so, disclose the following information:
- the purposes, as determined by the organization, for the collection, use, or disclosure of the personal information,
- the way in which the personal information is to be collected, used, or disclosed,
- the reasonably foreseeable consequences of the collection, use, or disclosure of the personal information,
- the specific type of personal information that is to be collected, used, or disclosed, and
- the names or types of third parties to which the organization may disclose the personal information.
This information must be written in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.
Bill C-27 provides that the personal information of minors is considered sensitive personal information. Consequently, consistent with the Commissioner’s previous guidance on sensitive information, organizations would require express consent to collect, use, and disclose the personal information of minors.
Additionally, Bill C-27 allows organizations to collect and use personal information without the knowledge or consent of the individual if the collection or use is made for a business activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use. This new exception is subject to a reasonableness test. Organizations wishing to rely on it must assess how the business activity could adversely affect the individual, document that assessment, and make a description of the business activity publicly available.