November 17th, 2020 was a big day for Canadian privacy. The federal government introduced Bill C-11 (the Digital Charter Implementation Act) which proposes major changes to private sector privacy in Canada. The Bill seeks to modernize the current regime by creating the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). If passed, the CPPA would create several new obligations for businesses to comply with, give the federal privacy commissioner new enforcement powers, grant individuals new rights over their personal information, and impose some of the highest fines of any data protection law in the world.
New Obligation to Implement Privacy Management Programs
The CPPA requires every organization to establish and implement a privacy management program that includes its policies, practices, and procedures. When creating its program, the organization must consider the sensitivity and volume of personal information under its control. Further, the privacy management program must be provided to the Office of the Privacy Commissioner of Canada (OPC) on demand. Businesses of all sizes will need to ensure they have the proper policies, practices, and procedures in place to be compliant, taking into account the scale of their operations.
New Enforcement Powers & New Privacy Tribunal
Currently, the OPC has the power to investigate complaints, audit, and make non-binding recommendations in response to privacy violations. If enacted, the CPPA would give the OPC the power to make binding orders requiring companies:
to take steps to comply with the statute;
to stop doing something that violates the CPPA;
to comply with a compliance agreement; and
to make public any measures taken to correct their policies, practices or procedures.
Most notably, the OPC would be given the power to recommend fines to the new Personal Information and Data Protection Tribunal (the Tribunal), established by the PIDPTA. This new privacy-focused tribunal would hear appeals from OPC orders and decide whether to issue fines against businesses.
Big Penalties
The CPPA would allow the Tribunal to impose fines of up to 3% of an organization’s gross global revenue or $10,000,000, whichever is higher, in most cases. For more egregious offences, the Tribunal can issue fines of up to 5% of an organization’s gross global revenue or $25,000,000, whichever is higher. These fines can be handed out to any business the Act applies to, not just big business.
Enhanced and Meaningful Consent
The CPPA requires express consent unless implied consent is appropriate or an exception applies. It also codifies aspects of the OPC’s recent meaningful consent guidance, outlining what is necessary to obtain valid consent. The CPPA would require organizations to provide, in plain language, the following information to individuals:
the purposes for the collection, use or disclosure of the personal information;
the way in which the personal information is to be collected, used or disclosed;
any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
the specific type of personal information that is to be collected, used or disclosed; and
the names of any third parties or types of third parties to which the organization may disclose the personal information.
This information is typically covered in online privacy policies. According to Minister Navdeep Bains, speaking on the Law Bytes podcast with Professor Michael Geist, requiring the use of plain language is meant to make complicated and lengthy privacy policies a thing of the past and to give users clear consent over what information is being used and what is not. If passed, organizations will likely need to rethink their approach to privacy policies and other public-facing privacy documents.
New Circumstances For Processing Personal Information Without Consent
The CPPA includes new consent exceptions for legitimate business activity and outlines a non-exhaustive list of circumstances that would qualify under this exception. Also, exceptions have been made for socially beneficial purposes, in circumstances where personal information is deidentified, as well as for internal research and development purposes. This will relieve some of the burdens organizations currently face, while allowing for personal information to be used in new ways.
New Consumer Rights For Organizations To Comply With
Data Mobility/Portability: The CPPA would give individuals the right to transfer their personal information from one organization to another. It also references the concept of data mobility frameworks that would be approved by the regulations as a means of securely enabling the mobility of this data.
Right to disposal of personal information: The CPPA would give individuals the right to require organizations to delete their personal information, and would require organizations to notify their service providers of the request and confirm that the service providers have deleted the information.
AI/Automated Decision-Making Programs: Individuals would be given the right to request an explanation of any prediction, recommendation or decision made by an automated decision-making program, and of how their personal information was used in those circumstances.
If the CPPA is enacted, organizations will need to ensure they have policies, processes and procedures in place to facilitate the exercise of these rights and comply with requests of this nature.
Private Right of Action
The CPPA provides individuals the right to sue organizations for violations if the OPC finds a contravention and it is not appealed, the Tribunal dismisses the appeal, or the Tribunal finds a violation of the CPPA. There is a 2-year limitation period from the date of the OPC finding or appeal decision.
Transfers of Personal Information to Service Providers
The CPPA clarifies consent requirements related to transfers to service providers, accountability of organizations involved in those transfers, and creates new obligations applicable to service providers.
Service providers are defined in the CPPA as “an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purpose”.
The CPPA explicitly states the transfer of personal information to a service provider does not require the knowledge or consent of the individual involved. Accountability rests with the organization that controls the information. Information is under the control of an organization if it decides to collect it and determines the purposes of collection, use or disclosure of the personal information. Controlling organizations must ensure service providers provide a similar level of protection of the personal information as the controlling organization.
Importantly, service providers would be obligated to notify the controlling organization of any data breach involving personal information.
Codes of Practice/Certification Programs
The CPPA would permit organizations to seek approval from the OPC of codes of practice and certification programs for various activities and industries. This could provide industry groups with a means to create standards specific to their sectors if not already addressed by law or guidance. If approved, the codes/certifications would provide some protection from complaints and orders to the participants.
What Should Your Organization Do Now?
The Bill is in its second reading and will likely undergo some changes before it is finalized. No timeline has been provided for its adoption, but the Minister has indicated there will be a transition period.
For now, organizations should monitor progress and remain aware of changes. Consultations seem likely, and organizations should consider whether they want to take part and suggest improvements. Finally, organizations should be prepared for change by reviewing or putting in place policies, procedures, and processes in anticipation of a new privacy regime.
If enacted, this legislation will be a massive shift in the privacy landscape, creating new obligations for organizations and expanding individual rights. Organizations should consider the gaps in their current privacy programs and what areas may need to be addressed moving forward.
How Momentum Can Help
Momentum works with businesses to ensure they have reliable privacy and security protections in place. We develop privacy policies and procedures to assist companies in mitigating risks. If you need assistance navigating the maze of requirements of this new regime, contact us below to book a consultation.