Written by Ruth Promislow, Stephen Burns, Sébastien Gittens, Michael Whitt and HC Lee
The long-awaited comprehensive reform to Canada's private sector privacy legislation is now finally underway. On November 17, 2020, the Digital Charter Implementation Act, 2020 (DCIA) was introduced. The DCIA will enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and make amendments to other related acts. The CPPA will effectively replace the current federal legislative scheme governing the collection, use and disclosure of personal information by private sector organizations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
While built on the foundation of PIPEDA's ten fair information principles, the draft CPPA proposes a number of material changes, including the following:
Application: The CPPA will continue to apply in respect of personal information that:
- is collected, used or disclosed in the course of commercial activities by an organization, including such activities that occur inter-provincially or internationally; or
- is about an employee of, or an applicant for employment with, an organization involved in the operation of a federal work, undertaking or business.
There are provinces with private sector privacy or health legislation that have been deemed substantially similar to PIPEDA and, as a result, PIPEDA does not apply in respect of such privacy or health information activities within such provinces. Given the changes in CPPA, the question arises: will such substantial similarity orders continue to apply in respect of such provincial legislation?
As a result, should the existing substantial similarity orders not continue to apply, then organizations in British Columbia, Alberta and Quebec for personal information, and Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia for health information, may need to comply with both the provincial and federal legislation in respect of those activities.
Appropriate Purpose: Consistent with PIPEDA's ten fair information principles, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. In the draft, the CPPA also includes specific factors an organization must consider in determining whether such purposes are appropriate, including, for example, the sensitivity of the personal information, and whether the purposes represent legitimate business needs of the organization.
Accountability: Consistent with PIPEDA's ten fair information principles, an organization is accountable for personal information under its control. In the draft, the CPPA also includes specific guidance on when an organization "controls" personal information: namely, control arises when an organization decides to collect personal information and determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.
Obligation to Implement Privacy Management Program: Expanding on the obligation to have policies and practices to give effect to PIPEDA, organizations will now be required to implement a "privacy management program" that includes the organization's policies, practices and procedures put in place to fulfil its obligations under the CPPA.
Record Purpose for Collection: Consistent with PIPEDA's ten fair information principles, an organization must determine at or before the time of collection each of the purposes for which the personal information is to be collected, used or disclosed. Under the CPPA, it must also record those purposes.
Record New Purpose: Consistent with PIPEDA's ten fair information principles, an organization must not use or disclose personal information for a new purpose unless the organization obtains valid consent before any use or disclosure for that new purpose. Under the CPPA, it must also record those purposes.
Consent: Consistent with PIPEDA's ten fair information principles, the individual's consent (express, deemed or implied) must be obtained at or before the time of collection. In the draft, the CPPA also includes specific guidance on the requirements for consent to be valid. Specifically, an organization must provide the following information in plain language:
- the purposes for the collection, use or disclosure of the personal information;
- the way in which the personal information is collected, used and disclosed;
- the reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the types of personal information that are to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.
Exception for Business Activities: Consistent with PIPEDA's ten fair information principles, there are exceptions under the draft CPPA that permit collection, use or disclosure of personal information without the knowledge or consent of the individual. In the draft, the CPPA also includes an exemption for 'business activity', where a reasonable person would expect such a collection or use of personal information for that activity, which is defined to include:
- an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
- an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
- an activity that is necessary for the organization’s information, system or network security;
- an activity that is necessary for the safety of a product or service that the organization provides or delivers;
- an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and
- any other prescribed activity.
Right to Disposal: Consistent with PIPEDA's ten fair information principles, personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. In the draft, the CPPA also provides that organizations must, subject to certain limitations, also dispose of personal information upon request by the individual. If, for example, it is not possible to dispose of the individual's personal information without at the same time disposing of another individual's information, the organization does not have to comply with the request.
Safeguards: Consistent with PIPEDA's ten fair information principles, an organization must protect personal information through physical, organizational and technological security safeguards that are proportionate to the sensitivity of the information. In the draft, the CPPA also provides that in addition to considering the sensitivity of the personal information, an organization must also take into account the quantity, distribution, format and method of storage of the information, in establishing its security safeguards.
Transfers to Service Providers: In the draft, the CPPA clarifies that an organization may transfer personal information to a service provider without the knowledge or consent of the individual.
Service Provider Obligations: Consistent with PIPEDA's ten fair information principles, if an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection for the personal information as that which the organization is required to provide under the CPPA. In the draft, the CPPA also clarifies that: (i) service providers are directly responsible under the CPPA to protect personal information through physical, organizational and technological safeguards; and (ii) if a service provider determines that a breach of security safeguards has occurred that involves personal information, it must notify the organization that controls the personal information as soon as feasible.
Prospective Business Transactions: Consistent with PIPEDA's business transactions exemption, the CPPA includes an exemption for certain business transactions. Unlike PIPEDA, the CPPA also provides that, absent valid consent, an organization can only provide de-identified information to a potential counterparty in connection with a prospective business transaction. This marks a material shift from the existing legislation that permits personal information to be disclosed to a prospective purchaser without knowledge or consent of the individuals.
Access by Privacy Commissioner: Expanding on the powers of the Privacy Commissioner under PIPEDA, under the draft CPPA, on request of the Privacy Commissioner, an organization must provide the Commissioner with access to the policies, practices and procedures that are included in the organization's privacy management program. While the draft CPPA provides that the Privacy Commissioner may not use the information obtained by way of this access right as a basis to initiate a complaint or audit, it is difficult to see how the Privacy Commissioner can separate what he learns from this access from what he considers to be "reasonable grounds" for initiating a complaint or audit.
Commissioner's Powers: While the Privacy Commissioner has only limited enforcement powers under PIPEDA, under the draft CPPA, this will no longer be the case:
- When carrying out an investigation of a complaint, conducting an inquiry or carrying out an audit, the Privacy Commissioner may, among other things, make any interim order that the Commissioner considers appropriate.
- After investigating a complaint (either initiated by a complainant or the Privacy Commissioner), the Privacy Commissioner may conduct an inquiry and render a decision and order the organization to take specific steps, cease taking any particular action (such as collecting information), and recommend that the Tribunal impose a penalty in respect of certain contraventions (as detailed below).
- While there is a right of appeal to the Tribunal from the decision of the Privacy Commissioner, the Tribunal will only substitute its own finding of fact for that of the Privacy Commissioner on a palpable and overriding error standard. In effect, this standard means that the Tribunal will defer to findings of fact by the Privacy Commissioner.
- A service provider may be the subject of a complaint, investigation and inquiry to the extent the service provider failed to comply with its obligations under the Act.
The Tribunal: The new Personal Information and Data Protection Tribunal will be established under the Personal Information and Data Protection Tribunal Act. The Tribunal will have jurisdiction in respect of all appeals relating to various findings, orders or decisions made under the CPPA and in respect of the imposition of certain penalties under that Act.
Penalties for Non-Compliance: While the penalty provisions are limited under PIPEDA, under the draft CPPA, the Privacy Commissioner may recommend to the Tribunal that a penalty for contravention of the various obligations in the CPPA be imposed on the organization. The maximum penalty is the higher of $10 million or 3% of gross global revenue.
- A penalty may be recommended for contravention of the provisions regarding valid consent, the obligation to dispose of personal information when it is no longer required, the requirement to dispose of personal information upon request, and the obligation to implement appropriate safeguards.
- Service providers may be subject to this penalty if the Privacy Commissioner finds that they failed to comply with the obligation to implement security safeguards.
Penalties for Knowing Contravention: While the penalty provisions are limited under PIPEDA, under the draft CPPA, every organization that knowingly contravenes one of the following obligations is guilty of an indictable offence and is liable to a fine not exceeding the higher of $25 million or 5% of gross global revenue:
- Report breach of security safeguards giving rise to a real risk of significant harm;
- Notify impacted individuals of such a breach;
- Maintain a breach record;
- Retain personal information that is the subject of a request;
- Do not use de-identified information alone or in combination with other information to identify an individual, except in order to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information;
- Do not penalize a whistleblower; or
- Comply with a compliance order issued by the Privacy Commissioner.
Automated decision system: New to the federal private sector privacy regime, the draft CPPA provides that if the organization has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and explain how the personal information (that was used to make the prediction, recommendation or decision) was obtained.
De-identified information: New to the federal private sector privacy regime, the draft CPPA addresses the collection, use and disclosure of "de-identified information" in certain circumstances.
- For example, an organization may use an individual's personal information without their knowledge or consent to de-identify the information; and
- An organization may use an individual's personal information without their knowledge or consent for the organization's internal research and development purposes, if the information is de-identified before it is used.
"De-identify" is defined as the process of ensuring that information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual. The current drafting of the Act is unclear regarding the extent to which the Act will be relied on to regulate the use and disclosure of de-identified information.
Private right of action: Building upon the private right of action under PIPEDA, the CPPA also establishes a cause of action for loss or injury arising from an organization's contravention of its obligations under the legislation. The CPPA extends the limitation period to two years after the day on which the individual (who is affected by an act or omission by an organization that constitutes a contravention of the CPPA) becomes aware of:
- the relevant decision of the Privacy Commissioner (or in the event of an appeal, of the Tribunal's decision), with respect to such act or omission; or
- a conviction under the indictable offence section.
The private right of action may extend to service providers to the extent there is a finding that they failed to comply with their obligations under the CPPA.
If enacted as currently drafted, we anticipate that the CPPA will have a substantial impact on the extent of regulatory scrutiny of organizations with respect to their privacy practices. As a result, organizations will likely need to undertake a comprehensive review of how they conduct business and manage their privacy practices, policies and procedures across Canada.
The Privacy & Data Protection team at Bennett Jones is available to discuss how the changes may affect an organization's privacy obligations.