Canada’s federal Minister of Innovation, Science and Industry introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, for consideration in the House of Commons in November 2020. Bill C-11’s goal is to significantly reform federal private sector privacy legislation that came into force 20 years ago – modernization is long overdue.
Bill C-11 will receive Royal Assent only after it has passed various stages in the House of Commons: first, second and third reading. Bill C-11 is currently being debated in second reading. Federal Privacy Commissioner Daniel Therrien shared his submission on Bill C-11 on May 11, 2021, stating the bill is “frequently misaligned and less protective than the laws of other jurisdictions”. This article will provide a brief summary of some of the interesting features of the bill that depart from PIPEDA, and will also take a look at the Commissioner’s submission.
If Bill C-11 becomes law in its present form, it will make significant changes to Canada’s data privacy law through the creation of the following statutes:
- the Consumer Privacy Protection Act (CPPA) (the Personal Information Protection and Electronic Documents Act (PIPEDA) will be repealed in part); and
- the Personal Information and Data Protection Tribunal Act (PIPDT).
The CPPA reiterates principles pertaining to data privacy that exist in PIPEDA, while creating new data privacy obligations and a mechanism for their enforcement. Under the CPPA, the Commissioner would have the power to investigate contraventions of the CPPA and make orders. The PIPDT would create a new data protection tribunal and establish how it will operate. The tribunal’s purpose would be to hear appeals of the Privacy Commissioner’s decisions and apply the administrative monetary penalty regime created under the CPPA.
Penalties
Penalties for some administrative offences under the CPPA could be up to the greater of (a) 3% of an organization’s global revenues in its previous fiscal year, or (b) $10 million. Penalties for the most serious offences could be up to the greater of (a) 5% of an organization’s global revenues in its previous fiscal year, or (b) $25 million.
Of concern with respect to whether the CPPA will have enough teeth is the fact that only a narrow list of violations could lead to the imposition of administrative penalties. The list does not include, for example, obligations related to the form or validity of consent or the numerous exceptions to consent.
However, a threat of class action lawsuits could certainly be an incentive for organizations to take compliance seriously. The CPPA would introduce a private right of action for damages to an individual affected by an organization’s act or omission that contravened the CPPA. An individual would have this cause of action only if it is determined that the organization contravened the CPPA or if the organization is fined for a contravention of specified sections of the CPPA. A two-year limitation period would apply.
Consent
Under the GDPR, there are six legal grounds for processing, and consent is one of them. It was thought that the proposed law to update PIPEDA would move in this direction, based on past comments from the Commissioner that a consent model isn’t working well. But in fact, the CPPA would not move away from a consent model; it would simply add notable exceptions to consent. In a modern digital world, I question whether this is the right approach. It keeps the onus on individuals to understand how their data is being used rather than on organizations to do the right thing with personal information. Consent seems burdensome rather than empowering when data flows are highly complex. Hence the numerous exceptions to consent in the CPPA, with much room for interpretation, which only water down the law, as outlined in the Commissioner’s submission.
Privacy Management Program
Although implied in PIPEDA (in particular in light of the guidance document Getting Accountability Right with a Privacy Management Program), the CPPA goes further to explicitly require organizations to implement a “privacy management program” and to consider the volume and sensitivity of the personal information when developing it (s. 9(2)). Further, the Commissioner can require an organization to produce its policies, procedures AND practices. Accountability is built into the GDPR as well under Article 5, but the CPPA goes further – regulators in Europe do not appear to be requesting evidence of accountability.
Codes of Practice and Certification Programs
The Bill paves the path to giving entities the ability to seek the Commissioner’s approval of codes of practice or certification programs that organizations can choose to voluntarily comply with.
While compliance with a code of practice or certification program will not relieve an organization of its obligations under the CPPA, it does offer some benefits for organizations. For example, the Commissioner cannot recommend that a penalty be imposed on an organization for a contravention of the CPPA if the Commissioner is of the opinion that, at the time of the contravention, the organization was in compliance with the requirements of an approved certification program. However, the Commissioner’s submission highlights his concerns about the ‘self-regulation’ theme that favours commercial interests over privacy.
Note that under the GDPR, there is not a good enough incentive for entities such as associations to come forward with codes of conduct, as the entity would also have to enforce and monitor compliance with the code. Also, the bar is set too high because the code must be accredited by each member state. It will be interesting to see if codes and certifications become a popular compliance route in Canada, but even if so, it will take some time to get there.
De-Identification
The CPPA would require the use of “technical and administrative measures” (undefined) for the de-identification of personal information proportionate to: (i) the de-identification’s purpose, and (ii) the personal information’s sensitivity. De-identified information may be used for internal research and development purposes, and may be disclosed to government institutions and other entities for “socially beneficial purposes”. The definition of “de-identify” in the CPPA should put such data outside the application of the law altogether (as it leans towards anonymization), so Bill C-11 is very confusing in this regard and businesses would have a difficult time complying. See David Young Law’s excellent article on this issue.
Automated Decision Making
An automated decision system (ADS) is technology that assists or replaces the judgment of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets. If an ADS is in use, privacy policies must include a summary of the organization’s use of such a system to make predictions, recommendations or decisions about individuals that could have significant impacts on them. The CPPA would also require an organization to explain to an individual why a specific prediction, recommendation or decision was made by an algorithm based on the individual’s personal information.
Data Portability
Bill C-11 introduces a right of mobility to personal information. This would allow an individual to request that personal information about them collected by one organization be transmitted by that organization to another organization of the individual’s choosing, provided that both organizations are subject to a data mobility framework that will be provided for in the regulations. Other individual rights include the right to access and amend personal information, the right to know (automated decision making), as well as rights to request de-identification or disposal of personal information.
Outsourcing/Service Providers
The CPPA would provide welcome clarity with respect to outsourcing relationships as it expressly permits organizations to transfer personal information to a third party service provider without knowledge and consent. This certainly helps given the back-and-forth confusion created by the Commissioner in 2019 on whether consent is needed for transferring data for processing.
Under the CPPA, an organization’s privacy policy has to include details as to whether or not the organization carries on any international or inter-provincial transfer or disclosure of personal information, but only to the extent such transfer or disclosure may have reasonably foreseeable privacy implications. Again, this is another opportunity for wiggle room for businesses, without much clarity until we see how it will be interpreted. There would also be a new requirement for service providers to notify their customers as soon as feasible after “determining that a breach of security safeguards has occurred” (s. 61).
Federal Privacy Commissioner’s Submission on Bill C-11
The Commissioner’s submission sets out some 60 recommendations and can be found here:
Overall, here is a very brief review of the Commissioner’s key messages:
- Bill C-11 gives organizations too much flexibility in outlining purposes and allows the use of implied consent where the organization concludes this is appropriate. It omits the requirement under PIPEDA (as included when PIPEDA was amended in 2015) that individuals understand the consequences of what they are consenting to in order for consent to be considered meaningful;
- The principles of ‘Privacy by Design’ should be required, and organizations should be required to undertake privacy impact assessments for new higher-risk activities (as we see under the GDPR’s data protection impact assessment requirements);
- The exceptions to consent in Bill C-11 are too broad and thus do not promote responsible innovation – business activities that do not require consent are contained in s. 18. The Commissioner recommends that “an activity in the course of which obtaining the individual’s consent would be impracticable” be repealed completely;
- Bill C-11 prioritizes commercial interests over the privacy rights of individuals by not adopting a rights-based framework; and
- Order-making powers and the ability to recommend very high monetary penalties are extremely limited. The administrative appeal to the courts would deny quick and effective remedies.
Bottom Line on Where We Are and What Organizations Should Be Doing
Many of the concerns expressed by the Federal Privacy Commissioner highlight that there is much work to be done to strengthen Bill C-11 and achieve the right balance between innovation/business interests and consumer privacy. I do not believe the Bill will receive a complete overhaul, but certain definitions and sections will likely be re-drafted. Given international pressure, there is still a push to move forward as quickly as possible with a replacement for PIPEDA and there is still a chance that we will see a version of the CPPA come into force by end of 2022.
Even if amended, Bill C-11 gives a strong indication of what businesses should be focusing on right now. For any business that does not have a privacy management program and a highly detailed privacy policy in place, those requirements are not going anywhere. Organizations should take a good hard look at their existing privacy framework and at privacy best practice principles recognized internationally to get ready and reduce the compliance workload down the line, when we do have a finalized replacement for PIPEDA.
For assistance with your privacy management program, contact PRIVATECH.