Canada: Organisational accountability under the CPPA and Québec's Law 25
Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance. Jasmine Samra and Antoine Guilmain, from Gowling WLG, focus on the accountability of organisations under both privacy regimes.
With the international modernisation of privacy law, Québec has led the pursuit of privacy reform in Canada with its Law 25[1], which received royal assent on 22 September 2021. It seems fitting that Québec is the first Canadian jurisdiction to update its privacy laws, as it was also the first in North America to adopt private sector privacy law some 30 years ago. Law 25 introduces amendments to both the public and private sector privacy laws in Québec.
At the federal level, Parliament is making its second attempt to modernise Canada's current federal private sector privacy law with the introduction of Bill C-27 for the Digital Charter Implementation Act 2022 on 16 June 2022[2]. Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') failed to pass and died on the Order Paper when Parliament dissolved to hold the 2021 federal election. Bill C-27 proposes to enact the CPPA, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. The CPPA would replace Part 1 of the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA')[3].
Law 25 formally recognises that every organisation is 'responsible for the protection of personal information [it holds]'[4]. This principle gives rise to a number of accountability obligations, including that, by default, the person exercising the highest authority within an organisation shall be responsible for implementing and ensuring compliance with Law 25, and exercise the role of privacy officer. This privacy officer role can be delegated in writing to any other person, including a third party. Further, organisations must ensure their privacy officer's title and contact information is published on their websites.
These requirements came into force on 22 September 2022. Privacy officers are responsible for carrying out different tasks, including establishing and implementing governance policies and practices regarding the protection of personal information[5]. In addition, a new requirement for privacy officers is that they shall also participate in privacy impact assessments ('PIA'), involving:
- any project to acquire, develop, or overhaul an information system or electronic service delivery system, involving the collection, use, communication, retention, or destruction of personal information;
- any disclosure of personal information without consent to a person or body wishing to use the information for study or research purposes or for the production of statistics; and
- any disclosure of personal information outside of the province of Québec[6].
The CPPA does not include any references to PIAs. The CPPA only requires organisations to record their assessments prior to collecting or using an individual's personal information when relying on the legitimate interest exception to consent (similarly to 'Legitimate Interests Assessments', also known as 'LIAs', under European privacy law)[7].
Unlike Law 25, the CPPA does not by default specify who is ultimately responsible for the role of privacy officer. Similar to the PIPEDA, the CPPA requires that an organisation designate one or more individuals to oversee matters relating to its obligations under the CPPA. An organisation must provide the designated individual's business contact information to any person who requests it[8].
The notion of control of personal information is codified in the CPPA. According to Section 7(1) of the CPPA, 'an organisation is accountable for the personal information that is under its control'[9]. The CPPA clarifies that personal information is under the control of the organisation that decides to collect it and determines the purpose of its collection, use, or disclosure, regardless of whether the information is collected, used, or disclosed by the organisation itself or by a service provider on behalf of the organisation[10].
Privacy management programs
Law 25 sets requirements for organisations to establish and implement governance policies and practices relating to the protection of personal information[11]. These policies and practices must include the following:
- provide a framework for retention and destruction of information;
- define the roles and responsibilities of an organisation's personnel through the lifecycle of the information; and
- provide a process for dealing with complaints regarding the protection of the information.
The CPPA codifies the Office of the Privacy Commissioner of Canada's ('OPC') guidance on privacy management programs[12]. Organisations are required to implement and maintain a privacy management program that includes the policies, practices, and procedures an organisation has put in place to fulfill its obligations under the CPPA, including:
- the protection of personal information;
- how requests for information and complaints are received and dealt with;
- the training and information provided to the organisation's staff respecting its policies, practices, and procedures; and
- the development of materials to explain the organisation's policies and procedures[13].
In developing a privacy management program, organisations must take into account the volume and sensitivity of the personal information under their control[14]. Similarly, Law 25 requires organisations to ensure policies and practices are proportionate to the nature and scope of their activities[15]. The CPPA expands on the OPC's broad investigative powers and will require organisations to provide the OPC with access to their policies, practices, and procedures upon request[16]. The main change to note is that the CPPA will allow the OPC to provide guidance on, or recommend corrective measures for, an organisation's privacy management program.
Law 25 formally recognises confidentiality by default, inspired by the requirement of Privacy by Default under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Privacy by Default is the concept that only data strictly necessary for each specific purpose is collected, used, or disclosed by default (without the intervention of the user)[17]. Law 25 requires organisations who collect personal information when offering technological products or services to the public to ensure that the product or service's settings provide the highest level of confidentiality by default, without any intervention by the person concerned[18]. There is no equivalent provision under the CPPA; however, it can be argued that the CPPA is based on the PIPEDA's ten fair information principles, and compliance with the CPPA should result in organisations implementing Privacy by Design.
Law 25 will come into force in Québec on a staggered basis with some provisions already in force as of 22 September 2022. The bulk of the provisions under Law 25 will come into force on 22 September 2023, and the right to data portability will come into force on 22 September 2024. Bill C-27 was raised for debate at second reading in the House of Commons on 4 November 2022 and will likely undergo changes prior to becoming law as it works its way through Parliament.
Businesses have to continue to stay on top of the modernisation of Canadian privacy laws because the consequences for non-compliance will include severe penalties and fines. A good starting point for any Canadian business is the development and review of a privacy management program. As one of the ten fair information principles, accountability remains key under both Law 25 and the CPPA.
1. Act respecting the protection of personal information in the private sector, CQLR c P-39.1, s 17.
2. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, 1st Sess, 44th Parl, 2022 (first reading 16 June 2022).
3. Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 4.
4. Law 25, supra note 1, cl 95, s 3.1.
5. Ibid., cl 95, s 3.2.
6. Ibid., cl 95, ss 3.3, 17.
7. Bill C-27, supra note 2, Part I, s 18.
8. Law 25, supra note 1, cl 99, s 8(1).
9. Bill C-27, supra note 2, Part I, s 7(1).
10. Ibid., Part I, s 7(2).
11. Law 25, supra note 1, cl 95, s 3.2.
12. See at: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-
13. Bill C-27, supra note 2, Part I, s 9(1).
14. Ibid., Part I, s 9(2).
15. Law 25, supra note 1, cl 95, s 3.2.
16. Bill C-27, supra note 2, Part I, s 10.
17. See at: https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf
18. Law 25, supra note 1, cl 100, s 9.1.