With Bill C-11 expected to be enacted in late 2021, Canada’s privacy regime, which had become increasingly ineffectual and outdated, is about to be modernized. Bill C-11 introduces the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA), which will replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). While PIPEDA gives the Privacy Commissioner no power to impose fines or binding orders, the CPPA authorizes the Commissioner to conduct inquiries, make orders and recommend penalties.
What’s at stake under Canada’s new Consumer Privacy Protection Act?
The proposed penalties will be among the highest in the G7. The most serious contraventions, such as non-compliance with data retention and disposal requirements, re-identifying de-identified data, failing to report breaches of security safeguards, or retaliating against whistleblowers, will be offences punishable by fines of up to 5% of gross global revenues or $25 million, whichever is greater. Lesser contraventions attract administrative monetary penalties of up to 3% of gross global revenues or $10 million, whichever is greater.
Non-compliance, then, will expose organizations that collect personal information to meaningful regulatory sanctions, quite apart from the courts’ evolving recognition of class actions based on common law privacy rights. Following enactment, however, there will be a phase-in period, estimated at 12 months, allowing regulations to be developed and giving organizations time to prepare.
But there’s no point waiting: organizations should re-evaluate their privacy programs now, and think about ensuring compliance going forward. Policies and procedures aside, management should consider CPPA’s impact on IT systems, training, consumer notices, and privacy language in their agreements. The investment of time and resources, while significant, pales in comparison to the consequences.
The application of the CPPA
The Act fits into Canada’s patchwork privacy landscape by applying generally to organizations that collect personal information in the course of commercial activities. Where a province has its own privacy legislation, both federal and provincial law may apply to personal information that travels interprovincially or internationally.
Privacy management programs under the Consumer Privacy Protection Act
The CPPA requires organizations to create privacy management programs proportionate to the sensitivity and volume of the personal information under their control. The Privacy Commissioner may review these programs to ensure compliance with the Act. The CPPA also encourages organizations to have their programs certified under a certification program approved by the Privacy Commissioner, a strong basis for a due diligence defence should an organization find itself accused of contravening the Act.
What’s changing? Highlights from Bill C-11
To assist you in moving forward, here are the new legislation’s highlights, bearing in mind that it is now in second reading and amendments are likely.
1. Collection and use restrictions
a) Appropriate business purposes
PIPEDA permits the collection of personal information when a reasonable person would consider it appropriate “in the circumstances”. The CPPA replaces this ambiguous standard with a list of factors for determining whether collection, use or disclosure is appropriate. They are:
(i) the sensitivity of the personal information;
(ii) whether collecting it represents legitimate business needs;
(iii) the effectiveness of the collection, use, or disclosure in meeting the organization’s legitimate business needs;
(iv) whether less intrusive means are available at comparable costs and benefits; and
(v) whether the loss of privacy is proportionate to the benefits in light of any mitigating measures taken to lessen the impact of the loss of privacy.
The CPPA’s expanded definition of “control” clarifies who is responsible for safeguarding personal information. An organization has control if it decides to collect the information and determines the purposes for its collection, use or disclosure, even if it engages a service provider to do the collecting or processing. Apart from being responsible for maintaining security safeguards and reporting breaches, service providers are not otherwise subject to the same obligations. But if a service provider uses the information for purposes other than those for which it was transferred, it becomes an organization in control, subject to the full range of obligations.
2. Meaningful consent: Plain language and transparent disclosure
The foundational principle of privacy legislation is that personal information may not be collected without consent. Although PIPEDA defines minimum standards for “valid consent”, CPPA goes further, requiring collectors to use plain language and clearly explain the purpose, method of collection, foreseeable risks of disclosing personal information, and notice of any third parties who will have access to the information. Organizations must also record the purposes for which they collect, use or disclose personal information at or before the time they collect it.
3. When consent isn’t required by the Consumer Privacy Protection Act
The CPPA, like PIPEDA, does not require explicit consent for every use of personal information. But the CPPA provides greater detail and broader exceptions to the consent obligation. These include:
a. Certain “business activities”: Where a reasonable person would expect an organization to collect, use or disclose personal information for the activity, and the organization does not use that information to influence the individual’s behaviour or decisions, consent is not required for the following activities:
- providing products or services requested by the individual;
- carrying out due diligence to prevent or reduce the organization’s commercial risk;
- protecting the organization’s information, system or network security;
- ensuring the safety of products or services the organization provides; and
- activities in which the organization has no direct relationship with the individual, making it impracticable to obtain consent.
b. Transferring personal information to service providers: The CPPA clarifies that an organization may transfer personal information to a service provider without the individual’s knowledge or consent.
c. De-identification: While PIPEDA permits organizations to de-identify personal information without obtaining consent, the CPPA imposes stricter standards and higher penalties for non-compliance. De-identification measures must be proportionate to the purpose of de-identification and the sensitivity of the information. In addition to the public interest exceptions to consent that already exist in PIPEDA, the CPPA allows organizations to disclose de-identified personal information for socially beneficial purposes related to health, the provision or improvement of public amenities or infrastructure, protection of the environment, and other prescribed purposes. Here, it’s important to remember that re-identifying de-identified personal information attracts the highest fines under the CPPA.
4. Enhanced consumer rights
Right to erasure: Individuals will have a new right to request disposal of their personal information from an organization’s records, and disposal must follow “as soon as reasonable” after receipt of the request. An organization may refuse or delay disposal, however, if it cannot sever the individual’s personal information from that of other individuals, or if legislation or a contract prohibits earlier disposal. Organizations must also require service providers that handle the personal information to dispose of it.
Data portability: The CPPA provides new rights for data portability between organizations, provided both organizations are subject to the same regulatory data mobility framework, paving the way for consumer mobility and greater competition in certain industries such as financial services.
Right of action: Subject to a finding by the Commissioner or Tribunal, individuals will have a private right of action against organizations using their personal information in violation of the Act.
5. Reporting obligations
PIPEDA requires organizations to report security breaches involving personal information, but does not impose the same duty on service providers. The CPPA clarifies that a service provider must notify the organization of any breach of security safeguards involving personal information in its custody. Failure by the organization or the service provider to report a breach can attract penalties of up to $10 million or 3% of gross global revenues, whichever is greater. Knowingly contravening these requirements is an offence punishable by a fine of up to the greater of $25 million or 5% of gross global revenues. Organizations should ensure their privacy management programs include clear and prompt breach reporting procedures, and should contractually require the same of their service providers.
6. New Privacy Tribunal
The new Privacy Tribunal, created under PIDPTA, provides the forum for appeals of the Privacy Commissioner’s decisions. The Tribunal also has exclusive jurisdiction to determine whether a penalty recommended by the Privacy Commissioner should be imposed. It provides needed transparency and a counterbalance to the Commissioner’s existing and new powers.
Significant and meaningful changes are coming to Canadian privacy law. Despite the inevitable amendments to the legislation as it moves through Parliament, organizations can get a head start on compliance by examining their current privacy and security practices and beginning to implement changes as soon as possible.
This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.