Canada’s privacy legislation is about to go through major changes. Earlier today, the Minister of Innovation, Science and Industry, Navdeep Bains, introduced a bill for the replacement of Canada’s federal privacy legislation for the private sector (the Personal Information Protection and Electronic Documents Act or “PIPEDA”) with the new Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPT”). The new regime draws inspiration from PIPEDA, including the Model Code principles, guidance from the Office of the Privacy Commissioner of Canada (the “Commissioner”), and the European Union’s General Data Protection Regulation (“GDPR”).
Key changes introduced by the CPPA and PIDPT include:
- A New Tribunal that can Impose Significant Penalties and Fines – Organizations that violate the CPPA can face administrative monetary penalties of up to the greater $10,000,000 and 3% of the organization’s gross global revenue, and organizations that knowingly commit certain offences under the CPPA can face fines up to the greater of $25,000,000 and 5% of the organization’s gross global revenue. However, penalties will not be issued by the Commissioner. The Commissioner will instead recommend penalties to the Personal Information and Data Protection Tribunal (the “Tribunal”), which has the right to impose penalties. Other orders of the Commissioner can be appealed to the Tribunal.
- Private Right of Action –The CPPA contains a private right of action for individuals. Before an individual can make a claim, the organization must have been convicted of an offence under the CPPA or there must be a final determination by the Commissioner or the Tribunal that the organization contravened the CPPA. The individual can claim damages for loss or injury that the individual has suffered as a result of the offence or contravention. It appears that an organization could be subject to the maximum administrative monetary penalty and still face claims under the private right of action.
- Enhanced Consent – In order to obtain valid consent, an organization must provide certain information to the individual at or before the time of collection (or before the use or disclosure when seeking consent regarding personal information already in the organization’s custody). The information that organizations must provide includes the purpose(s) of the collection, use and disclosure, the “reasonably foreseeable consequences of the collection, use or disclosure”, the types of personal information involved, and the “names of any third parties or types of third parties to which the organization may disclose the personal information”. Implied consent will be acceptable in certain circumstances, taking into account the individual’s reasonable expectations and the sensitivity of the personal information.
- New Grounds of Processing without Consent – Like the GDPR, the CPPA permits organizations to lawfully collect, use and disclose personal information without consent for other valid reasons, including as necessary to provide a product or service requested by an individual, as part of due diligence to prevent or manage commercial risk, for security and safety purposes, and where obtaining consent would be impracticable due to the lack of a direct relationship. However, organizations must only do so where a reasonable person would expect it and may not do so for the purpose of influencing the individual’s behavior or decisions.
- Enhanced Rights of Individuals – Individuals will have the right to data portability (the right to obtain their personal information in a useable format from an organization), the right of erasure (the limited right to have their personal information deleted by an organization) and other new privacy rights, all subject to some prescribed limitations. In the case of data portability, the right will be subject to the applicability of a data mobility framework under the yet-to-be-published regulations.
- Transparency Regarding Trans Border Transfers – The CPPA permits organizations to store and access personal information outside of Canada, but it does require that organizations make information available about “whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications”.
- AI/Automated Decision Systems – The CPPA introduces the concept of “automated decision systems”, which is “technology that assists or replaces the judgment of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets.” As part of the openness and transparency requirements, organizations need to provide a “general account” of their “use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them”. Individuals also have a right to “an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.”
- De-Identification of Personal Information – The CCPA provides an express right to use personal information without an individual’s knowledge or consent to de-identify the information. While specific requirements are not stipulated, the CCPA states that the organization “must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information”. Further, the proposed law includes a prohibition on using de-identified information, alone or in combination with other information, to identify an individual.
At this stage, the bill to enact the CPPA, PIDPT and the other related legislative amendments is at first reading. It will likely go to second reading and then to a committee for further study and amendment.
Sources of Inspiration
This new regime must be viewed through a long lens of legislative history, including the federal government’s introduction of a Digital Charter seeking to promote the digital economy while addressing its privacy and AI-related challenges, the GDPR-focused parliamentary committee report, Towards Privacy by Design, and the consultation, Strengthening Privacy for the Digital Age, which explains some of what animates the CPPA and PIDPT. Key briefs and oral testimony of witnesses are available here. The background also includes position papers and recommendations from the Commissioner, such as the November 12, 2020 position paper, A Regulatory Framework for AI (explicitly aimed at providing “Recommendations for PIPEDA Reform”), and the Consultations on Transfers for Processing and Guidelines for Obtaining Meaningful Consent.
What also remains to be seen is how the new federal legislation will interact with provincial legislation. While Quebec is the furthest along in reforming its legislation, Ontario recently closed its consultation on producing its own law, Alberta recently proposed amendments to its Health Information Act, and British Columbia recently dissolved a special committee considering changes to the Personal Information Protection Act for an election. Harmonizing these various draft bills will be a complex but important undertaking in the time to come.
What Organizations Should Do Now
- Stay Aware of Changes – In the coming weeks and months, members of our Cyber/Data Group will be publishing posts exploring the proposed law in depth. We will cover the topics above, as well as other topics that are relevant to organizations operating in Canada or otherwise processing the personal information of Canadian residents. We will also provide updates as the draft legislation moves through various stages.
- Prepare for the Changes – While the Minister suggested there will be a transition period, it is unclear how long the transition period will be. There is a substantial list of new obligations, including with respect to privacy notices, policies and procedures, record retention, and accommodating individual rights.
- Prepare for Consultations – Organizations should be considering the impact the legislation will have on them and, if appropriate, the value of advocating for improvements and clarifications.