Canada: An "Adequate" Makeover? Canadian Privacy Law Gets A 21st Century Upgrade

On November 17, 2020, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020 (DCIA), which, if passed, will significantly reshape the Canadian privacy landscape. The DCIA will establish a new federal private sector privacy law, the Consumer Privacy Protection Act (CPPA), as well as a new administrative tribunal. The Personal Information and Data Protection Tribunal would hear appeals from, and impose penalties recommended by, the Officer of the Privacy Commissioner of Canada (OPC).

In keeping with the implementation and ongoing impact of the European Union's General Data Protection Regulation in 2018 and key legislative developments in the US (e.g., the California Consumer Privacy Act), the CPPA will overhaul Canada's existing Personal Information and Electronic Documents Act (PIPEDA) by giving Canadians more control and greater transparency as to how organizations handle their personal information.

While the CPPA reflects the 10 privacy principles previously attached as a Schedule to PIPEDA (e.g., consent as a cornerstone of Canada's privacy framework), there are substantial changes, particularly when it comes to the OPC's enforcement mechanisms. Organizations handling personal information must consider how the CPPA could impact their operations and take steps to implement the necessary data protection procedures to meet their obligations under the new law. Key changes include:

• Valid Consent. Meaningful consent is not a new concept in federal privacy law (and is reflected in detailed guidance issued by the OPC). However, the CPPA will soon require that organizations are not only up front and transparent about their practices, but that consumers have the plain-language information they need to make informed choices about the use of their personal information. Certain information must also be provided to individuals at or before the time consent is sought, including the type of personal information to be collected, used or disclosed; the purposes for such collection, use and disclosure; and the names of third parties to which the organization may disclose personal information.
• Service Providers. Unlike PIPEDA, the CPPA clarifies that organizations may transfer personal information to a service provider without an individual's knowledge or consent, and confirms that it is the responsibility of the transferring organization to ensure similar protections of such information (though a service provider may be subject to the CPPA if they use the transferred information for a new purpose without consent). If a service provider determines a security breach has occurred, they are required to notify the controlling organization of any such breach. The bottom line is that liability for a data breach under the new law will rest largely with the controlling organization unless it implements appropriate protections and shifts responsibility by way of contractual agreements. This new development in Canadian privacy law highlights the importance of strong vendor management programs for those organizations handling personal information when CPPA comes into effect.
• Exceptions to consent for business activities. In addition to a number of consent exceptions similar to those outlined previously under PIPEDA, the CPPA provides that an individual's knowledge and consent are not required for the collection or use of their personal information for certain "business activities", including an activity necessary to provide a service, prevent or reduce risk, or manage network security. However, the exception may only be relied on if a reasonable person would expect the collection or use for that activity, and the personal information is not collected or used for the purpose of influencing the individual's behaviour or decisions.
• Privacy Management Programs. Under the CPPA, organizations must have a privacy management program that includes the policies, practices, and procedures the organization has put in place to ensure its compliance with the CPPA, including how the organization protects personal information, handles requests for information and complaints, and trains staff. The OPC's investigative powers have also increased as the Office will now have authority to request access to an organization's privacy program at any time.
• Enforcement and penalties. The CPPA gives the OPC the ability to make orders requiring an organization to comply with the requirements of the CPPA and recommend penalties to the Tribunal. The penalties are some of the most severe anywhere in the world, including a maximum penalty of the higher of $10 million or 3% of the organization's global revenue for failure to comply with most requirements under the Act (e.g., limiting collection, retention and disposal periods, data deletion, security safeguards, breach notification, etc.). In the most serious of cases, including failure to comply with an OPC order or knowingly contravening CPPA's breach notification or record retention requirements, the OPC can fine an organization up to $25 million or 5% of global revenue for certain offences, whichever is higher.
• Prospective business transaction exemption. PIPEDA allows an organization to use and disclose personal information without consent in order to undertake due diligence and complete a prospective business transaction, as long as the parties agree to certain conditions. The CPPA introduces a new requirement that the organization sharing the personal information de-identify the data before it is used or disclosed, and ensure it remains de-identified until the transaction is completed. This new requirement will have a significant impact on both parties to a transaction, with additional time and expense required to de-identify all personal information and evaluate the data, as well as raising questions as to whether relevant information will be available to the evaluating party.
• De-identified information. While PIPEDA mandates that personal information no longer required by an organization should be destroyed, erased, or made anonymous, it was not apparent what an organization could do with such anonymized or de-identified information. The CPPA clarifies that an organization can de-identify information without an individual's knowledge or consent, although organizations may only use and disclose such de-identified information for certain purposes (e.g., research, quality improvement).
• Data mobility. The CPPA introduces a right to data portability: an individual may request that an organization transfer their personal information to another organization (e.g., from one service provider to another). However, the details and scope of this right are left to a "data portability framework", which will be set out under CPPA's regulations and limitations will surely apply.
• Right to data deletion. The CPPA allows an individual to request that an organization delete their personal information, except where it can't be severed from another person's personal information, or there are legal or reasonable contractual retention requirements. Organizations are also obligated to ensure that its service providers have also deleted the information.
• Automated decisions. The CPPA contains a new obligation with respect to automated decision systems, such as algorithms and artificial intelligence, which make significant predictions, recommendations or decisions about individuals. Individuals may request an explanation as to how an organization used an automated decision-making to make a prediction, recommendation or decision, and how their personal information was obtained. However, there is no obligation on the organization to then allow the individual to opt-out of using such a program. If the individual is uncomfortable in how artificial intelligence or machine learning may have access to their personal information, their alternative would be to find a new service provider.
• Private right of action. The CPPA gives an individual a private right of action in the Federal Court or provincial superior court against an organization for damages suffered by the individual. This private right can be pursued if the OPC has issued a finding of non-compliance that has not been appealed, or for which an appeal has been dismissed by the Tribunal.

Canada's federal privacy regime faces its biggest overhaul in the last 20 years if the DCIA is passed. Organizations that collect, use, and disclose personal information for commercial purposes would be wise to begin preparing the necessary internal policies and procedures to ensure they are compliant when federal privacy law gets its 21^st century upgrade. The financial and reputational risks of being unprepared (e.g., the possibility of millions of dollars in fines and years of litigation) certainly outweigh the costs of comprehensive data privacy planning.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.