The Canadian Government’s long-awaited overhaul of existing federal private sector privacy legislation finally arrived on November 17, 2020 with the first reading of Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2020 (“Bill C-11”). Bill C-11 would enact the Consumer Privacy Protection Act (the “CPPA”) and the Personal Information and Data Protection Tribunal Act (the “PIDPTA”). Together, the CPPA and the PIDPTA introduce bold new measures into Canada’s privacy law and bring it into closer alignment with European data protection and privacy standards. The following provides some highlights of the proposed legislation.
New Enforcement Powers and Financial Penalties for Contraventions of the Act
The CPPA expands the enforcement powers of the federal Privacy Commissioner of Canada (the “Commissioner”). Following an investigation and inquiry into a contravention of the CPPA, the Commissioner can issue compliance orders requiring an organization to take, or stop taking, measures so that it complies with the CPPA. Contravening a compliance order is an offence subject to the fines set out below.
The Commissioner can also recommend to the newly established Personal Information and Data Protection Tribunal (the “Tribunal”) that it impose an administrative monetary penalty on an organization that has contravened the CPPA. The Tribunal presides over penalty hearings on the Commissioner’s recommendations and over appeals of the Commissioner’s findings, orders and decisions. The maximum penalty the Tribunal can impose for contraventions of the CPPA is the higher of $10,000,000 and 3% of the organization’s gross global revenue in the financial year before the one in which the penalty is imposed.
As alluded to above, the CPPA also creates new offences carrying heavy fines. An organization convicted of an indictable offence is liable to a fine not exceeding the higher of $25,000,000 and 5% of its gross global revenue in the financial year before the one in which it is sentenced; on summary conviction, the maximum is the higher of $20,000,000 and 4%. These offences include knowingly:
- failing to report to the Commissioner a breach of security safeguards involving personal information under the organization’s control where it is reasonable to believe the breach creates a real risk of significant harm to an individual,
- as a service provider, failing to notify the organization that controls the personal information of a breach of security safeguards involving that information,
- using de-identified information, alone or in combination with other information, to identify an individual, and
- disposing of personal information that is the subject of an individual’s access request before the individual has exhausted their recourse under the CPPA.
Private Right of Action
The CPPA establishes a new cause of action: an individual affected by an act or omission of an organization that contravenes the CPPA may sue the organization for damages for loss or injury suffered as a result of the contravention. Before the action can be commenced, there must be a finding that the organization contravened the CPPA, either a finding by the Commissioner that was not appealed to the Tribunal within the appeal period or whose appeal the Tribunal dismissed, or a finding made by the Tribunal itself.
Codification of the 10 Privacy Principles and New Requirements
The CPPA codifies the ten fair information principles found in Schedule 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) directly into the statute and introduces new requirements on organizations, including:
- requiring every organization to establish and implement a privacy management program, and to make it available to the Commissioner on request, that is proportionate to the volume and sensitivity of the personal information the organization collects, uses and stores, and
- restricting the use of de-identified information to prescribed circumstances.
The CPPA also explicitly prescribes what constitutes valid consent. Consent must be express unless, having regard to the sensitivity of the information and the individual’s reasonable expectations, implied consent is appropriate, and at or before the time consent is sought the organization must provide the following in plain language:
- the purposes for the collection, use or disclosure of personal information, as determined by the organization,
- the manner in which the personal information is to be collected, used or disclosed,
- the reasonably foreseeable consequences of the collection, use or disclosure of the personal information,
- the specific types of personal information that are to be collected, used or disclosed, and
- the names or types of third parties to which the organization may disclose the personal information.
Additionally, organizations that use automated decision systems (such as certain AI systems) to make predictions, recommendations or decisions about individuals using their personal information are required to:
- provide a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them, and
- retain the personal information used to make such a decision for a sufficient period of time to permit the individual to make an access request (see the explanation right described below).
Under the CPPA, an organization remains in control of personal information even when it transfers that information to a service provider that collects, uses or discloses it on the organization’s behalf. Accordingly, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as the organization is required to provide under the CPPA. Service providers have their own obligations to maintain security safeguards appropriate to the sensitivity of the personal information and to notify the controlling organization of any breach of those safeguards, in accordance with the requirements of the CPPA.
Codes of Practice and Certification Programs
The CPPA also allows the Commissioner to approve codes of practice and certification programs developed by non-governmental entities. A code or program can be approved only if it provides protection of personal information that is substantially the same as or greater than that provided under the CPPA. Compliance with an approved code of practice or certification program does not relieve an organization of its obligations under the CPPA.
New Rights for Individuals
In addition to codifying the access rights found in PIPEDA’s fair information principles, the CPPA establishes three new rights for individuals regarding their personal information:
- data mobility rights: individuals can direct an organization to disclose the personal information it has collected from them to another organization designated by the individual, provided both organizations are subject to a data mobility framework set out in the regulations,
- transparency and explanation rights: where an organization has used an automated decision system to make a prediction, recommendation or decision about an individual that could have a significant impact on them, the individual can request an explanation of the prediction, recommendation or decision and of how the personal information used to make it was obtained, and
- disposal rights: individuals can request that an organization dispose of the personal information it has collected from them.
While this is only the first reading of Bill C-11, the second reading is expected shortly, and debate and committee study will follow. The proposed amendments to Canada’s federal private sector privacy framework set out in Bill C-11 are significant and meaningful and will likely require many organizations to tighten up their existing privacy and security practices. We at Torkin Manes will be following these developments closely and are always able to provide any necessary compliance assistance.