Oh, Canada! Government Proposes New Federal Privacy Law with Enhanced Individual Rights and Hefty Fines

Following years of discussion and consultation about modernizing Canada’s federal private-sector privacy law for the digital age, Canada’s Minister of Information Science and Economic Development recently released Bill C-11, the Digital Charter Implementation Act, 2020 (DCIA). If enacted, the DCIA would significantly alter Canada’s federal privacy law regime with respect to private sector entities’ collection and processing of personal information (PI), including by introducing individual deletion and data portability rights, increasing the enforcement powers of the Office of the Privacy Commissioner (OPC), and authorizing fines of up to C$25 million or 5% of an organization's gross global revenue for violations.

The DCIA is composed of two separate Acts:

1. The Consumer Privacy Protection Act (CPPA or the “Act”), which would establish a new private sector privacy law, updating and effectively replacing Canada’s current Personal Information Protection and Electronic Documents Act (PIPEDA); and

2. The Personal Information and Data Protection Tribunal Act (PIDPT), which would establish the Personal Information and Data Protection Tribunal (the “Tribunal”) to hear recommendations of and appeals from the OPC and establish a quicker path to enforcement following orders of the OPC.

The bill comes approximately 18 months after the Information Science and Economic Development Ministry released a ten-pronged digital charter to guide Canada’s data protection law reform with a focus on protecting Canadians’ PI while maximizing the economic benefits of an increasingly data-driven digital society. As foreshadowed by the digital charter, the CPPA departs from PIPEDA by, among other things:

• Requiring greater transparency via plain language notices regarding the policies and procedures that a covered entity (“organization”) has in place to comply with the Act;
• Imposing additional requirements for obtaining valid consent, and delineating additional exceptions to the consent requirement, in a stated attempt to give Canadians meaningful choices about the use of their PI;
• Enhancing individual rights, including the right to request disposal (i.e., deletion) of PI, and data portability rights;
• Granting the OPC increased powers, including the ability to perform audits, issue binding orders, and make recommendations to the newly formed Tribunal that can in turn impose monetary penalties; and
• Authorizing some of the largest monetary penalties seen in data protection laws to date—up to the higher of C$10 million or 3% of an organization’s gross global revenue for most violations, and up to C$25 million or 5% of an organization’s gross global revenue for more severe offenses, including certain knowing violations.

Below we outline key similarities and differences between PIPEDA and the CPPA in greater detail:

What Is (Essentially) the Same?

• Scope. The Act retains the same scope as PIPEDA. It applies to organizations with respect to the PI that they collect, use, or disclose in the course of commercial activities. In the context of an employment relationship, the Act only applies to the collection, use and disclosure of employees’ PI by an employer that is a federally regulated entity (e.g., organizations in the transportation, communications, broadcasting, and banking sectors). Like PIPEDA, the Act does not apply to business contact information collected, used, or disclosed solely for the purpose of communicating or facilitating communication with individuals in relation to their employment, business, or profession. Moreover, the Act does not apply to the activities of any provincially regulated organization in provinces that have legislation that is deemed to be “substantially similar” to the Act.
• Access and Correction Rights. Like PIPEDA, the Act requires an organization to grant individuals access to their PI and provide information about the use and disclosure of the PI upon an individual’s request, as well as to correct an individual’s inaccurate, not up-to-date, or incomplete PI.
• Cross-Border Transfers. Like PIPEDA, the CPPA does not distinguish between domestic and international transfers of PI or impose specific restrictions on cross-border transfers.
• Mandatory Breach Reporting. As under PIPEDA, the Act would require organizations to notify the OPC and affected individuals of security breaches that involve PI and create a real risk of significant harm to individuals. Organizations must keep and maintain a record of every breach involving PI and provide the OPC with the records upon request.

What’s Similar?

• Purpose Limitation Requirement. Like PIPEDA, the Act stipulates that an organization may collect, use, or disclose PI only for purposes that a reasonable person would consider appropriate in the circumstances, and must determine and record each purpose at or before the time of the collection. Unlike PIPEDA, the Act sets forth factors that an organization must consider in determining whether a purpose is appropriate, including:
  (i) the sensitivity of the PI; (ii) whether the purpose represents a legitimate business need of the organization; (iii) the effectiveness of the collection, use, or disclosure in meeting the organization’s legitimate business needs; (iv) the availability of less intrusive means to achieve those purposes at a comparable cost and with comparable benefits; and
  (v) whether the individual’s loss of privacy is proportionate to the benefits in light of the mitigating measures that the organization implements.
• Retention and Disposal. Whereas PIPEDA encourages organizations to develop guidelines and implement procedures with respect to the retention of PI, the Act goes one step further and prohibits an organization from retaining PI for a period longer than necessary to fulfill the purposes for which it was collected, used, or disclosed, or to comply with the requirements of the Act, a federal or provincial law, or the reasonable terms of a contract. As under PIPEDA, the organization must dispose of the information as soon as feasible after that period.
• Accountability/Obligation to Appoint a Data Protection Officer or an Equivalent. Similar to PIPEDA, the Act specifies that an organization is accountable for the PI that is under its control and must designate one or more individuals to be responsible for its obligations under this Act. However, the Act helpfully clarifies that PI is “under the control” of the organization that collects it and determines the purposes for its collection, use, or disclosure, regardless of whether that action is performed by the organization itself or by a service provider.
• Privacy Management Program. Similar to PIPEDA, the Act requires organizations to implement a privacy management program including their policies, practices, and procedures for fulfilling their obligations under the Act. Unlike PIPEDA, the Act explicitly requires an organization to account for the volume and sensitivity of the PI under its control in developing its program, and to provide the OPC with access to the policies, practices, and procedures upon request.

What’s New?

• Increased Notice Requirements. The Act imposes more specific notice and transparency requirements than PIPEDA, including that organizations must make the following information readily available in plain language:
  
  • A description of the type of PI under the organization’s control;
  • A general account of how the organization makes use of PI, including how the organization applies the consent exceptions (described in greater detail below);
  • A general account of the organization’s use of any automated decision system to make predictions, recommendations, or decisions about individuals that could have significant impacts on them;
  • Whether the organization carries out any international or interprovincial transfer or disclosure of PI that may have reasonably foreseeable privacy implications;
  • How an individual may make a request for disposal of or access to PI; and
  • The business contact information of the individual to whom complaints or requests for information may be made.
• Additional Requirements for Obtaining Valid Consent. Like PIPEDA, the Act generally requires an organization to obtain an individual’s consent for the collection, use, or disclosure of his or her PI. However, the CPPA more explicitly establishes express consent as the default requirement (unless an organization can establish that it is appropriate to rely on implied consent) and imposes additional requirements for obtaining valid consent, such as providing individuals with the following information at or before the time it seeks consent:
  
  • The purposes of the collection, use, or disclosure of the PI, as determined and recorded by the organization;
  • The way in which the PI is to be collected, used, or disclosed;
  • Any reasonably foreseeable consequences of the collection, use, or disclosure of the PI;
  • The specific type of PI to be collected, used, or disclosed; and
  • The names of any third parties or types of third parties to which the organization may disclose the PI.
• Exceptions to the Consent Requirement. In another departure from PIPEDA, the Act sets forth additional exceptions to the consent requirement, by which an organization may collect, use, and/or disclose an individual’s PI without his or her knowledge or consent in certain circumstances. For example:
  
  • Business Activities. An organization may collect or use an individual’s PI without his or her knowledge or consent if the collection or use is made for a business activity, provided that a reasonable person would expect such a collection or use for that activity and that the PI is not collected or used to influence the individual’s behavior or decisions. Business activities include providing or delivering a product or service that the individual requested, preventing or managing commercial risk, product safety, and activities in which it would be impracticable to obtain consent because the organization does not have a direct relationship with the individual;
  • Service Providers. An organization may transfer an individual’s PI to a service provider without his or her knowledge or consent; and
  • De-Identifying Information. An organization may use an individual’s PI without his or her knowledge or consent to de-identify the information.
• Individual Deletion Right. Under the CPPA, an organization must dispose of (i.e., permanently and irreversibly delete) an individual’s PI as soon as feasible upon receipt of the individual’s written request. It must then inform any service provider to which it transferred the PI of the individual’s request and obtain confirmation that the service provider deleted the PI.
• Individual Right to Algorithmic Transparency. The Act includes a new right requiring that if an organization uses an automated decision system to make a prediction, recommendation, or decision about an individual, it must, upon request, provide the individual with an explanation of the prediction, recommendation, or decision and how it obtained the PI at issue.
• Individual Right to Portability/Data Mobility. Subject to regulations of the Governor in Council, the Act would require an organization to, as soon as feasible upon an individual’s request, disclose the PI that it has collected from the individual to an organization designated by the individual (e.g., an individual could direct his bank to share his PI with another financial institution), provided that both organizations are subject to a data mobility framework under the regulations.
• De-Identification Standards. The Act creates new de-identification standards:
  (1) requiring an organization that de-identifies PI to ensure that the technical and administrative measures applied to the information are proportionate to the purpose for which it is de-identified and its sensitivity; and (2) prohibiting an organization from using de-identified PI, alone or in combination with other information, to identify an individual, except in order to conduct testing of the organization’s security safeguards.
• Service Provider Obligations. The Act explicitly states that its obligations generally do not apply to a service provider with respect to PI that is transferred to it. A service provider is required, however, to protect PI through physical, organizational, and technological security safeguards, and to notify the controlling organization, as soon as feasible, if it determines that any breach involving PI has occurred.
• Codes of Practice and Certification Programs. The Act introduces the option for organizations to establish internal codes of practice and certification programs. While an OPC-approved code of practice or compliance program does not relieve an organization of its obligations under the Act, the OPC cannot recommend that a penalty be imposed on an organization for a violation of the Act if is of the opinion that, at the time of the violation, the organization complied with its approved certification program.
• Enforcement. Like PIPEDA, the Act confers enforcement powers on the OPC, including the ability to investigate complaints and audit organizations suspected of violating the Act. In a significant departure from PIPEDA, the CPPA would give the OPC direct order-making powers. Moreover, if the OPC finds that an organization violated the Act’s provisions, it must decide whether to recommend that the Tribunal impose a penalty on the organization. In making this determination, the OPC must consider the nature and scope of the violation, whether the organization has voluntarily paid compensation to a person affected by the violation, the organization’s compliance history, and any other relevant factor.
• Higher Penalties. The maximum penalty for all violations of the Act in a single OPC recommendation is the higher of $10 million or 3% of the organization’s gross global revenue in its prior financial year. Criminal penalties are reserved for organizations that obstruct the OPC in an investigation, inquiry, or audit, violate an OPC compliance order, or knowingly contravene one or more enumerated provisions of the Act, including those regarding breach notification provisions, disposal of PI that is the subject of an access request, de-identification, and whistleblowing. Such organizations would be guilty of:
  
  • An indictable offense and liable to a fine not exceeding the higher of $25 million or 5% of the organization’s gross global revenue in the financial year preceding the one in which it is sentenced; or
  • An offense punishable on summary conviction and liable to a fine not exceeding the higher of $20 million or 4% of the organization’s gross global revenue in its financial year preceding the one in which it is sentenced.
• Private Right of Action. The Act creates a new private right of action by which an individual who is affected by an organization’s violation of the Act may bring a cause of action against the organization for damages for the loss or injury suffered if:
  
  • The OPC made a finding that the organization contravened the Act and the finding is not timely appealed or the Tribunal dismissed the appeal; or
  • The Tribunal has made a finding that the organization has contravened the Act.

What’s Next?

The bill does not specify an effective date and it is widely expected that the Canadian government will open a consultation so that interested stakeholders may weigh in on the draft bill. We will continue to monitor and report on significant developments as the bill progresses through Parliament.