On November 17, 2020, the Federal Government introduced Bill C-11, which includes the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). If adopted, these would introduce substantial changes to the Canadian privacy landscape, repealing the personal-information-related provisions of the current Federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and replacing them with a new privacy and data legal framework. The government framed its purpose and underlying goal in introducing the new legislation as striking a balance between protecting consumers' personal information and allowing industry and innovation.
To accomplish this balance, there are a number of additional protections for consumers, such as enhanced consent requirements, limitations on the use of de-identified information, and algorithm transparency. However, the CPPA would also introduce multiple exceptions to the need for consent, which may provide industry actors room for flexibility. To further balance protection and industry, CPPA provisions would clarify service providers' responsibilities and introduce further procedural fairness by establishing a Personal Information and Data Protection Tribunal (Tribunal) to which affected actors may appeal decisions of the Office of the Privacy Commissioner of Canada (OPC). While the OPC is provided broader enforcement and order-making powers, such decisions may be appealed, and the Tribunal would ultimately be empowered to issue fines. Additionally, the CPPA introduces an ability for organizations to submit their codes of practice to the OPC for approval.
To ensure actors follow the requirements of the CPPA, the Bill proposes substantial penalties that, for certain offences, can reach up to 5% of an organization's global revenue, or $25 million, whichever is more.
The CPPA will retain core elements of the PIPEDA, in particular, in stating that its purpose is to balance the privacy rights of individuals with the needs of organizations to collect, use, and disclose personal information, in a manner that a "reasonable person would consider appropriate in the circumstances". The Act describes us as living in "an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information". The stated purpose of the Act will be a core interpretive provision, which we would expect the OPC, and ultimately the Tribunal, to consider in interpreting the CPPA requirements.
Strengthening consent, but not without exceptions
If adopted as written, under the CPPA, an organization must obtain the valid consent of the individual prior to collecting, using, or disclosing personal information. The CPPA will codify that the default requirement is express consent, unless the organization is able to establish that implied consent is appropriate in the circumstances. For implied consent to be appropriate, one must consider the reasonable expectations of the individual, and the sensitivity of the personal information to be processed.
For express consent to be valid, the CPPA would adopt requirements very similar to those under the OPC's current Meaningful Consent Guidelines, requiring plain language disclosure of:
- The organization's recorded purposes for the collection, use, or disclosure;
- The way in which the information will be collected, used, or disclosed;
- The reasonably foreseeable consequences of this;
- The specific types of personal information to be collected, used, and disclosed; and
- The names or types of third parties to whom the information may be disclosed.
The CPPA recasts the situations in which an organization may collect, use, or disclose personal information without consent, where its activities fall under one of the exceptions in sections 18 to 52.
Of notable interest are the exceptions in the proposed section 18 (business interests), section 19 (service providers) and section 39 (socially beneficial purposes).
Under the business interest exception, an organization can gather or use personal information without the individual's knowledge or consent if a reasonable person would expect such a collection or use and the information relates to one of the following activities:
- an activity necessary to provide or deliver a product or service that the individual has requested from the organization;
- an activity that is carried out in the exercise of due diligence to prevent or reduce the organization's commercial risk;
- an activity that is necessary for the organization's information, system or network security;
- an activity that is necessary for the safety of a product or service that the organization provides or delivers;
- an activity in the course of which obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual; and
- any other prescribed activity.
Critically, these exceptions do not apply where the personal information is collected or used to influence an individual's behaviour or decisions. Thus, use of personal information for advertising and profiling purposes remains subject to the consent requirement. Separately, many of the exceptions are qualified by "necessity". Organizations relying on these would need to carefully consider what information is truly "necessary" for their recorded purposes, as opposed to that information which is merely "reasonable" or "helpful".
The CPPA clarifies the role of service providers, specifically stating that an organization may transfer personal information to a service provider without the knowledge or consent of the individual. Further, service providers are specifically required to comply with the security provisions of the CPPA, but are not responsible for compliance with the provisions pertaining to consent, provided they are strictly acting as a service provider. Should the service provider process the information for any purpose other than that for which it was provided the information, it would be subject to the full requirements of the CPPA. Organizations would be required to ensure that personal information is provided substantially the same level of protection in the hands of their service providers.
An open question regarding service providers is whether processing personal information to generate de-identified information (which is now explicitly subject to the CPPA) will be considered information "use" by the service provider. If so, would that bring it outside the scope of the service provider exemption and therefore require consent for the original transfer? This may have dramatic and unintended consequences for use of service providers who routinely include the right to de-identify and use information for development purposes within their contracts.
The other noteworthy exception is that an organization may disclose information without the individual's consent or knowledge if the information is de-identified and the disclosure is made to a government, health care, library, education, or other institute for a socially beneficial purpose.
However, as with most rules, there is an exception to the consent exceptions. Under section 52, an organization cannot collect people's electronic addresses through a computer program without knowledge or consent. This continues the existing limitation on the use of "address harvesting software" to collect email addresses without the knowledge of their owners.
As with the PIPEDA, another aspect of consent is the ability to revoke it. This Bill expands the rights of the individual with respect to their own personal information. An individual can request her personal information that an organization controls and can also ask the organization to delete that information (the PIPEDA contained a right of withdrawal, but not deletion, which can be difficult for organizations to implement in practice). The CPPA proposes a right of data mobility allowing individuals to direct one organization to transfer their personal information to another. Additionally, subject to certain limitations, the individual can withdraw her consent.
Limited uses for de-identified information
Interestingly, and concerningly, the CPPA would limit how organizations may use de-identified information without explicit consent. First, the CPPA resolves a common debate in privacy laws as to whether the "use" of personal information to generate de-identified information is itself a "use" that requires consent of the individual, by providing organizations with the right to de-identify personal information without consent. However, the CPPA then appears to make "de-identified" data subject to the requirements of the Act: it appears to assume that, absent an exception, the use and disclosure of de-identified data requires consent. This is implicit in the fact that the CPPA proposes certain "exceptions" that would allow for use and disclosure of de-identified data without consent of the individual. These include an exception to consent for the use of de-identified data for internal research purposes or for a prospective or completed business transaction (notably, the PIPEDA allows for use of identifiable data in this context, so the exception for proposed business transactions under the CPPA is narrower).
Second, there is also an exception to consent for disclosure of de-identified data, but it is very narrowly confined and essentially only permits disclosure to certain public bodies for socially beneficial purposes. Again, this raises the question of whether consent is required for other uses of de-identified information, rather than such information simply not constituting personal information. This appears to conflict with the very definitional structure of the CPPA: if the information is truly de-identified such that it does not "identify an individual" and could not "in reasonably foreseeable circumstances, alone or in combination with other information, (be used) to identify an individual", what privacy rights are truly being protected? The CPPA does not address whether the law accepts that personal information can be "anonymized" and therefore taken out of the scope of the law, and does not address the uses or disclosure of "aggregated" data. The CPPA would also implement a proportionality measure that further limits any de-identified information use. Any technical or administrative measures applied to de-identify the data must be proportionate to the data's sensitivity and the organization's purpose in collecting the data.
Finally, the CPPA would prohibit an organization from using de-identified information to attempt to identify an individual. Oddly, as drafted, this provision does not contemplate certain cases where the re-identification may be necessary or done with consent, and does not clarify how to obtain consent, without first identifying the individual. For example, re-identification may be necessary for the research. Further, if consent is truly required to process de-identified data for purposes other than those stated in the CPPA as exempt from such a requirement, how could an individual withdraw consent, without associating the individual making the request with the de-identified data? Those who breach this prohibition risk being subject to the maximum penalty of 5% of global revenue, or $25 million, whichever is more.
Bill C-11 introduces new measures to shine light on algorithms that collect and use information to make certain predictions, recommendations, or decisions. Under the proposed section 62, organizations must explain to consumers, in plain language, their policies and practices when it comes to fulfilling their obligations under the Act, including with respect to "automated decision systems".
In order to comply with the Bill, organizations must provide:
- a description of the type of personal information under the organization's control;
- a general account of how the organization uses personal information, including how it applies the consent exceptions outlined in the Act;
- a general account of the organization's use of any automated decision systems to make predictions, recommendations, or decisions about individuals, that could have significant impacts on them;
- information on whether or not the organization discloses the data internationally or inter-provincially or disclosures that may have reasonably foreseeable privacy implications;
- a description of how individuals may request the organization to access or dispose of their personal information; and
- the business contact information of the individual to whom complaints or requests for information may be made.
On request of an individual, organizations would need to provide an explanation of their use of any automated decision system to use personal information to make a prediction, recommendation or decision, and an explanation of the prediction, recommendation or decision.
The Commissioner can approve an organization's Code of Practice
The government has stated that one of its aims is to help organizations understand their obligations under the proposed legislation. Therefore, organizations can develop a "Code of Practice" and ask the Commissioner to approve it. The Code of Practice needs to provide the same or a greater level of protection than Bill C-11. The Commissioner may provide approval if the Code meets criteria set out in regulations, which have yet to be published. However, compliance with such a Code does not relieve the organization from complying with the Act more broadly.
The CPPA would ramp up the enforcement mechanisms available to the Commissioner under the PIPEDA.
Commissioner order-making power enforceable similarly to a Federal Court order
The Commissioner may now make orders to ensure compliance with the Act or to prohibit a contravening practice. This can include ordering an organization to publicise measures it has taken to correct a practice that was contrary to the proposed legislation. If the organization does not appeal the order, or if the Tribunal dismisses the appeal, the Commissioner's order has the same enforcement as an order made by the Federal Court. This is much more power than the Commissioner currently has in the PIPEDA.
If the Commissioner makes a finding that an organization contravened the legislation, then an affected individual has a cause of action against the organization for damages.
New tribunal with power to issue orders and penalties
Bill C-11 creates the Personal Information and Data Protection Tribunal. There will be six members on the Tribunal, at least one of whom must have experience in information and privacy law. Under the proposed legislation, the Tribunal would have the power to hear appeals from the Commissioner's orders. Upon hearing the appeal, the Tribunal can dismiss it, substitute its own orders for the Commissioner's, and/or issue penalties (in respect of which the Commissioner may submit recommendations). The right of appeal contemplated in Bill C-11 will likely be a welcome enhancement of the procedural fairness offered by the current process for enforcing the PIPEDA, though it does come with the potential for much higher penalties, and binding compliance orders.
Increased penalties for noncompliance
If, after an inquiry, the Commissioner finds that an organization contravened certain sections of the Act, then the Commissioner can recommend that the Tribunal impose a penalty on the organization. The Tribunal may impose a penalty if:
- the Commissioner recommends it or the Tribunal substitutes its own decision on appeal;
- the organization and Commissioner are able to make representations; and
- the Tribunal sees the penalty as appropriate based on the Commissioner's or its own findings.
If the Commissioner finds an administrative breach, penalties can be up to 3% of an organization's global revenue, or $10 million, whichever is more. For more serious, specified breaches, the penalty can be up to 5% of global revenue, or $25 million.
Next Steps and Further Considerations
This Bill has just been introduced and is only at its First Reading. There will likely be much more debate and potentially some alterations as the Bill makes its way through Committee, Third Reading in the House of Commons and considerations in the Senate. However, it is clear that dramatic changes are coming to the privacy landscape in Canada.
Notably, Quebec has recently proposed a substantial overhaul of its privacy legislation in the form of its Bill 64. Currently, the requirements under Quebec Bill 64 are not equivalent to the Federal Bill C-11, which may pose compliance challenges for national organizations should both Bills be adopted in the form proposed. Similar to the PIPEDA, the CPPA contemplates orders in council exempting organizations subject to "substantially similar" provincial privacy legislation from the application of the CPPA in respect of their activities within that province. Currently, the privacy legislation in Alberta and British Columbia has been declared "substantially similar" to the PIPEDA; however, it remains unclear if they will be likewise deemed "substantially similar" to the CPPA, particularly given the extent to which the CPPA differs from the PIPEDA.
If Bill C-11 passes, then it will come into force on a day set by the Governor in Council.