Canada: Bill to reform PIPEDA "introduces interesting flexibility in certain areas"
Bill C-11 for the Digital Charter Implementation Act, 2020 ('the Bill') was introduced, on 17 November 2020, in the House of Commons, which would seek to reform Canada's privacy legislation under the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').
In particular, the bill would enact the Consumer Privacy Protection Act ('CPPA'), which would protect the personal information of individuals while regulating organisations' collection, use, or disclosure of personal information in the course of commercial activities. In addition, the Bill would enact the Personal Information and Data Protection Tribunal Act for the establishment of an administrative tribunal to hear appeals of certain decisions made by the Office of the Privacy Commissioner of Canada ('OPC') under the CPPA, and facilitate the imposition of penalties.
Individual rights and enforcement
Among the various reforms the CPPA would introduce, one key area deals with enforcement and rights of individuals. The Bill introduces a new Personal Information and Data Protection Tribunal ('the Tribunal') which would act as a new enforcer of the CPPA. Eloïse Gratton, Partner at Borden Ladner Gervais LLP told OneTrust DataGuidance, "The Tribunal would have powers to impose, upon recommendation by the OPC, administrative monetary penalties of CAD 10,000,000 or, if greater, the amount corresponding to 3% of the organization's global gross revenues in its previous fiscal year. There are also reinforced fines in the case of penal proceedings of a maximum of CAD 25,000,000, or, if greater, the amount corresponding to 5% of the organization's global gross revenues in its previous fiscal year. There is also a new private right of action for individuals. Moreover, the Bill introduces interesting flexibility in certain areas. For example, it introduces a new consent exception for the collection or use of personal information for various types of legitimate business activities. The intent behind this new consent exception appears to be to enhance the meaningfulness of the notion of consent by reducing the number of situations in which it must be sought, thereby mitigating the risk of 'consent fatigue'. This is great news in my view, both for businesses and consumers."
The introduction of a private right of action is an important novelty compared to PIPEDA, as it gives individuals the right to directly bring actions against organisations in specific cases. Christopher Ferguson, Associate at Fasken Martineau DuMoulin LLP commented, "The CPPA provides a private right of action against organizations for damages for loss or injury in certain limited circumstances. Specifically, where the OPC makes a finding that an organization has contravened the CPPA and the organization does not appeal to the Tribunal or the appeal is dismissed, or the Tribunal itself makes a finding that the organization has contravened the CPPA, an individual affected by the contravention has a cause of action. The cause of action may be heard in the Federal Court or the superior court of a province, raising the spectre of increased litigation and class action proceedings in relation to non-compliance with the CPPA."
Moreover, the CPPA would establish new rights for individuals inspired by European legislation such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), including the right to be informed of automated decision-making, the right to disposal and the right to data mobility.
The right to be informed of automated decision-making systems, is among the new rights that will be included in the CPPA. On this, Gratton noted that, "[This new right will enable individuals] to receive an explanation about the use of an automated decision system to make a prediction, recommendation, or decision about them and of how personal information was used to that effect. Contrary to Québec Bill 64 ('Bill 64') and the GDPR however, the CPPA will not grant individuals with the right to object to such use or to have the decision reviewed by an employee of the organization."
The CPPA will also provide individuals with a right to disposal which allows individuals to have their personal information deleted upon request. Gratton outlines that, "This right applies to any personal information collected from the individual (i.e., not from third parties). It is worth noting that this right to disposal does not appear to encompass a right to de-indexation or right to be forgotten, contrary to Bill 64 and the GDPR." Additionally, Ferguson further notes here, "Section 55 of the CPPA requires an organization to dispose of the personal information it has collected from an individual, as soon as feasible, on written request unless disposing of such information will result in disposal of personal information about another individual, or the disposal is prevented by law or the reasonable terms of a contract. The organization must also inform any service provider to which it has transferred the information and obtain confirmation from the service provider that the information has been disposed of."
In addition, the right to mobility enables individuals to request their information from an entity to be moved to another entity. Gratton highlights that such disclosure can be done, "if both organizations are subject to a 'data mobility framework' provided under the regulations. The data mobility frameworks to be created through regulation will include safeguards, parameters for the technical means for ensuring interoperability, and specify the organizations subject to the framework, which will likely belong to specific industry sectors such as open banking or telecommunications. Here again, the CPPA will be more limited in scope than Bill 64 and the GDPR, as it refrains from opening the door to general portability requests aimed at organizations that may not be involved in any interoperability scheme or subject to specific competition requirements." Furthermore, Vanessa Henri, Associate at Fasken Martineau DuMoulin LLP, noted that "This could help propel Canada's FinTech industry and open banking discussions as individuals are granted more rights. This could also trigger more standards on data access, which would facilitate the use of data for good. Overall, the legislation seeks to help MedTech and health instructions by providing easier means of accessing and using information for ethical purposes. The CPPA seeks to balance many imperatives, and it remains to be seen how it will be received and amended. The danger in trying to please everyone is that it may lead to everyone rejecting the CPPA as their interests are not fully met."
Inspiration from other privacy frameworks
As highlighted above, the CPPA bears a lot of similarities with consumer privacy and data protection legislation, such as the GDPR and the California Consumer Privacy Act of 2018 ('CCPA'). In particular, Gratton noted that "The federal government's proposal to modernize PIPEDA under the new bill includes the enactment of the Personal Information Data Protection Tribunal Act, establishing the Tribunal, which would have the ability to impose significant penalties: the most serious violations of the CPPA could result, upon prosecution, in fines, which have been described as the strongest among G7 privacy laws, including the GDPR and the CCPA. At the same time, while clearly inspired by similar initiatives in other countries, the Canadian proposal is unique in its approach in that, in many instances, it affords businesses with greater flexibility and clarity relative to the present privacy regime's requirements. Most notably, it borrows directly from past guidance and decisions issued by the OPC and provides individuals with new rights that are more narrowly framed than those currently found under the GDPR."
The approach of Canada with respect to privacy legislation includes laws such as PIPEDA in the federal level, as well as provincial laws, such as that of Quebec which is seeking to reform its own data protection legislation. Indeed, Gratton highlighted "It bears noting that Bill 64, a recent proposal that seeks to amendment Québec's provincial privacy regime, including the Act respecting the protection of personal information in the private sector – is considerably more onerous than the CPPA. The concern is that this may raise a number of challenges from an interoperability standpoint for businesses operating at a national level."
Privacy Management Systems
Another requirement that is expected to have an impact on daily operations of organisations is the implementation of a privacy management program, which is also similar to what Québec's Bill 64 introduced. Henri explained, "Neither proposal includes much threshold other than being proposal, which means all companies should start aiming for a compliance system that is documented. In Québec, this would need to be published. Organizations that want to navigate different jurisdictions should consider using a standard such as ISO/IEC 27701:2019 as a means of operationalizing, demonstrating, improving and measuring compliance. This is not a new requirement, but explicit inclusion means that organizations should start being proactive – especially given the new consequences."
The CPPA also expands and develops the concept of consent in Canada's privacy regulation, with both requirements for obtaining consent and the exceptions to consent expanded. In this regard, Ferguson highlighted, "The CPPA provides that consent is only valid if obtained before or at the time of collection, or before any new use or disclosure, if organizations notify individuals, in plain language, of the type of personal information that the organization collects, uses, and discloses, and of the purposes, manner, and consequences of the collection, use, and disclosure. Organizations must also identify any third parties to who personal information will be disclosed. Individuals may withdraw their consent subject to law and the 'reasonable terms of a contract.' Relatedly, in its transparency and openness requirements, the CPPA also requires organizations to make readily available in plain language information that explains their policies and practices put in place to fulfil their obligations under the CPPA."
Moreover, Ferguson noted that, "The expanded exceptions to consent include:
- The collection or use of personal information for certain business activities, including an activity required to provide products or services to an individual or an activity where it would be impractical to obtain consent because there is no direct relationship between the organization and an individual, in each case provided the individual would expect the collection or use and it is not for the purposes of influencing the behaviors or decisions of the individual.
- Public interest purposes as set out in the CPPA.
- Transfers of personal information to service providers.
- De-identifying personal information. The CPPA defines de-identifying personal information as modifying or creating information using technical processes to ensure that it cannot be used 'in reasonably foreseeable circumstances' to identify an individual, either alone or in combination with other information. Where an organization de-identifies information, it must use technical and administrative measures proportionate to the purposes of de-identification and the sensitivity of the personal information being de-identified. The CPPA prohibits organizations from using de-identified information to identify an individual except to test the organizations safeguards to protect the information."
The CPPA must now go through both Houses of Parliament for consideration and it remains to be seen what may be amended during the legislative process.
Crucially, Ferguson commented, "The CPPA is certain to attract very strong attention from domestic and foreign organizations that collect information about Canadians and are subject to Canadian privacy law, particularly in light of the impacts of the COVID pandemic and the additional compliance costs and risks of material liability that the CPPA represents. Organizations and trade associations should consider the impact of the CPPA and its evolution as it progresses through Parliament and be prepared to propose improvements and to address any unintended consequences of its reforms."
Comments provided by:
Eloïse Gratton Partner
Borden Ladner Gervais LLP, Toronto
Christopher Ferguson Associate
Fasken Martineau DuMoulin LLP, Toronto
Vanessa Henri Associate
Fasken Martineau DuMoulin LLP, Quebec