Canada’s newly released privacy bill shares commonalities with U.S. bills but features a stronger enforcement regime that could result in fines of up to 5% of annual worldwide revenue for the worst violations.
The government in Ottawa has introduced in Parliament the “Digital Charter Implementation Act, 2020” (Bill C-11), which would dramatically reform the nation’s privacy laws and significantly expand the power of the Office of the Privacy Commissioner (OPC). The bill consists of two main parts, the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, and would partially repeal Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Notably, the bill would allow the OPC to recommend, and a new Tribunal to impose, administrative monetary penalties of up to 3% of worldwide revenue or $10 million CAD, whichever is higher, and would create offences for the most serious contraventions punishable by fines of up to 5% of worldwide revenue or $25 million CAD (roughly $20 million USD), whichever is higher. Canadians would also get a private right of action under certain conditions.
Broadly, this bill shares many characteristics with a number of bills introduced in the United States Congress by Democratic Members. Consent would be needed in most cases where a Canadian’s personal information is collected, used, shared, or disclosed, although there are some notable exceptions. Canada’s federal privacy regulator would be able to seek stiff penalties for non-compliance through the new Tribunal.
The bill explains its purpose as follows:
The purpose of this Act is to establish — in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information — rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
The Department of Industry (aka Innovation, Science and Economic Development Canada) released this summary of the bill:
The Government of Canada has tabled the Digital Charter Implementation Act, 2020 to strengthen privacy protections for Canadians as they engage in commercial activities. The Act will create the Consumer Privacy Protection Act (CPPA), which will modernize Canada’s existing private sector privacy law, and will also create the new Personal Information and Data Protection Tribunal Act, which will create the Personal Information and Data Tribunal, an entity that can impose administrative monetary penalties for privacy violations. Finally, the Act will repeal Part 2 of the existing Personal Information Protection and Electronic Documents Act (PIPEDA) and turn it into stand-alone legislation, the Electronic Documents Act. With each of these steps, the government is building a Canada where citizens have confidence that their data is safe and privacy is respected, while unlocking innovation that promotes a strong economy.
The Department added:
- Changes enabled by CPPA will enhance individuals’ control over their personal information, such as by requesting its deletion, creating new data mobility rights that promote consumer choice and innovation, and by creating new transparency requirements over uses of personal information in areas such as artificial intelligence systems.
- CPPA will also promote responsible innovation by reducing regulatory burden. A new exception to consent will address standard business practices; a new regime to clarify how organizations are to handle de-identified personal information, and another new exception to consent to allow organizations to disclose personal information for socially beneficial purposes, such as public health research, for example.
- The new legislative changes will strengthen privacy enforcement and oversight in a manner similar to certain provinces and some of Canada’s foreign trading partners. It does so by: granting the Office of the Privacy Commissioner of Canada (OPC) order-making powers, which can compel organizations to comply with the law; force them to stop certain improper activities or uses of personal information; and order organizations to preserve information relevant to an OPC investigation. The new law will also enable administrative monetary penalties for serious contraventions of the law, subject to a maximum penalty of 3% of global revenues.
- The introduction of the Personal Information and Data Tribunal Act will establish a new Data Tribunal, which will be responsible for determining whether to assign administrative monetary penalties that are recommended by the OPC following its investigations, determining the amount of any penalties and will also hear appeals of OPC orders and decisions. The Tribunal will provide for access to justice and contribute to the further development of privacy expertise by providing expeditious reviews of the OPC’s orders.
- The Electronic Documents Act will take the electronic documents provisions of PIPEDA and enact them in standalone legislation. This change will simplify federal privacy laws and will better align the federal electronic documents regime to support service delivery initiatives by the Treasury Board Secretariat.
In its summary, the Department also explained:
Under the CPPA, the Privacy Commissioner would have broad order-making powers, including the ability to force an organization to comply with its requirements under the CPPA and the ability to order a company to stop collecting data or using personal information. In addition, the Privacy Commissioner would also be able to recommend that the Personal Information and Data Protection Tribunal impose a fine. The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million [CAD] for non-compliant organizations. It also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million [CAD].
The CPPA broadly defines what constitutes “personal information” and therefore what is covered and protected by the bill. It would be “information about an identifiable individual,” a much wider scope than almost all the legislation proposed in the United States. Consequently, even information derived through processing, rather than collected directly or indirectly from a person, would seem to be covered by the bill. And, speaking of processing, the CPPA limits how personal information may be collected and used, specifically “only for purposes that a reasonable person would consider appropriate in the circumstances.”
Moreover, an organization may only collect the personal information needed for purposes disclosed before or at the time of collection, and only with the consent of the person. However, the CPPA would allow for “implied consent” if “the organization establishes that it is appropriate…taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.” If the organization decides to collect or use personal information for any new purpose, it must obtain consent before doing so. What’s more, organizations cannot condition the provision of products or services on people consenting to the collection of personal information beyond what is necessary. And, of course, consent gained under false, deceptive, or misleading pretenses is not valid, and people may withdraw consent at any time.
In terms of the disclosures an organization must make about its purposes, the CPPA would require more than most proposed U.S. federal privacy laws. For example, an organization must tell people the specific personal information to be collected, used, or disclosed, the reasonably foreseeable consequences of any of the aforementioned, and the names of third parties or types of third parties with whom personal information would be shared.
The CPPA is very much like U.S. privacy bills in that there are numerous exceptions as to when consent is not needed for collecting and using personal information. Principally, this would be for business activities where a reasonable person would expect such collection or use and the personal information is not collected or used for the purpose of influencing a person’s decisions or behavior. Activities that would fall in this category include collection and use needed to deliver a product or service, protecting the organization’s systems and information security, and the due diligence necessary to protect the organization from commercial risk. Moreover, if collection or use is in the public interest and consent cannot be readily obtained, then the organization may proceed. The same is true in an emergency that imperils the life or health of a person, so long as the person is informed in writing expeditiously afterwards. Likewise, neither consent nor knowledge is required for transfers of personal information to service providers, in employment settings, to prevent fraud, and for a number of other enumerated purposes.
There are wide exceptions to the consent requirement relating to the collection and use of personal information in the event of investigations of breaches of agreements or contraventions of federal or provincial law. Likewise, consent may not be needed if an organization is disclosing personal information to government institutions. Similarly, the collection and use of publicly available information is authorized, subject to regulations.
However, the CPPA makes clear that the exceptions to the consent and knowledge requirements do not apply to two practices carried over from PIPEDA: collecting a person’s “electronic address” by means of a computer program designed or marketed primarily to generate, search for, or collect such addresses (i.e., address harvesting), or collecting personal information by accessing a computer system in contravention of federal law. In these cases, consent and knowledge would still be needed for the collection to be lawful.
Organizations must dispose of personal information when it is no longer needed for the purpose for which it was originally collected, except for personal information used to make a decision about a person. In this latter case, the information must be retained long enough for the person about whom the decision was made to request access to it. Organizations must dispose of personal information about a person upon his or her request unless doing so would result in the disposal of other people’s information or a Canadian law bars such disposal. If the organization refuses the request to dispose, it must inform the person in writing. If the organization grants the request, it must direct any service providers holding the information to dispose of it as well and confirm that they have done so.
Organizations would have a duty to ensure personal information is accurate, and the applicability of this duty would turn on whether the information is being used to make decisions, is being shared with third parties, and if the information is being used on an ongoing basis.
The CPPA would impose security requirements on organizations collecting, using, and holding personal information. These data would need protection “through physical, organizational and technological security safeguards” appropriate to the sensitivity of the information. Specifically, these security safeguards “must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.” Breaches of these safeguards must be reported as soon as feasible to the OPC, and affected people must be notified, if it is reasonable to believe the breach creates a “real risk of significant harm to an individual.” Significant harm is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” Real risk of significant harm is determined on the basis of:
- the sensitivity of the personal information involved in the breach;
- the probability that the personal information has been, is being or will be misused; and
- any other prescribed factor.
Organizations will also have a duty to explain their policies and practices under this act in plain language, including:
- a description of the type of personal information under the organization’s control;
- a general account of how the organization makes use of personal information, including how the organization applies the exceptions to the requirement to obtain consent under this Act;
- a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them;
- whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
- how an individual may make a request for disposal under section 55 or access under section 63; and
- the business contact information of the individual to whom complaints or requests for information may be made.
Individuals would be able to access their personal information. Notably, “[o]n request by an individual, an organization must inform them of whether it has any personal information about them, how it uses the information and whether it has disclosed the information.” Access to the information itself must also be granted to the requesting person. If the organization has disclosed a person’s information, then when she makes an access request she must be told the names or types of third parties to whom her information was disclosed. Moreover, organizations using automated decision-making would have further responsibilities: “[i]f the organization has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.” Additionally, if a person has been granted access to his personal information and it “is not accurate, up-to-date or complete,” then the organization must amend it and send the corrected information to third parties that have access to the information.
There are provisions requiring data portability (deemed data mobility by the CPPA). Organizations subject to the data mobility framework must, at a person’s request, transfer that person’s personal information to the organization the person designates, subject to regulations. People must be able to lodge complaints with organizations about compliance with the CPPA regarding their personal information. Organizations may not re-identify de-identified personal information.
Organizations would be able to draft and submit codes of conduct to the OPC for approval so long as they “provide[] for substantially the same or greater protection of personal information as some or all of the protection provided under this Act.” Likewise, an entity may apply to the OPC “for approval of a certification program that includes
(a) a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under this Act;
(b) guidelines for interpreting and implementing the code of practice;
(c) a mechanism by which an entity that operates the program may certify that an organization is in compliance with the code of practice;
(d) a mechanism for the independent verification of an organization’s compliance with the code of practice;
(e) disciplinary measures for non-compliance with the code of practice by an organization, including the revocation of an organization’s certification; and
(f) anything else that is provided in the regulations.
However, complying with an approved code of practice or certification program does not by itself mean an organization is complying with the CPPA.
The OPC would be granted a range of new powers to enforce the CPPA, including compliance orders (which resemble administrative actions taken by the United States Federal Trade Commission) that can be appealed to the new Personal Information and Data Protection Tribunal (Tribunal) and ultimately enforced in the Federal Court if necessary. People in Canada would also get the right to sue in the event the OPC or the new Tribunal finds that an organization has contravened the CPPA.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Image by James Wheeler from Pixabay