Modernizing Canada’s Privacy Laws: What Employers Need to Know About Bill C-11
Date: November 25, 2020
On November 17, 2020, the federal government introduced Bill C-11, Digital Charter Implementation Act, 2020.
If passed, the Bill will repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and replace it with the new Consumer Privacy Protection Act (CPPA). It will also enact the Personal Information and Data Protection Tribunal Act, which creates a new administrative tribunal to hear appeals of decisions made by the Privacy Commissioner (Commissioner) under the CPPA. The remaining part of PIPEDA would continue as a separate act, the Electronic Documents Act.
In this FTR Now, we highlight some of the major changes to the regulation of personal data in each of the proposed new Acts. These provisions may change before the Bill reaches its final form, and we will continue to monitor the Bill as it moves through the legislative process.
Consumer Privacy Protection Act
Right to Delete
Individuals may request the deletion of their personal data, subject to certain exceptions, including where the information cannot be severed from another person's personal data or where legal retention obligations exist. Organizations must also ensure that their service providers delete such data.
Data Mobility
In certain instances, individuals will be able to request that their personal data be disclosed to another organization. The details of the data mobility scheme will be set out in regulation and are not currently known.
Consent
Much of the existing consent framework found in PIPEDA, as supplemented by the previous findings of the Commissioner, remains in place, including the circumstances in which express and implied consent may apply. The most significant updates include:
- Rules governing when an organization may use de-identified personal data (data modified so that it no longer identifies an individual) without consent, including for internal research and development.
- A detailed "business activities" exemption which sets out when personal data may be collected or used without knowledge or consent, including to protect the security of computer networks and to deliver a product or service the individual has requested. The exemption also applies where a reasonable person would expect the collection or use. However, it appears that collection or use for the purpose of influencing an individual's behaviour or decisions, such as marketing, is carved out of the exemption.
- An explicit exemption permitting transfers of personal data to an organization's service providers without consent. However, the Bill provides that organizations remain responsible for compliance under the CPPA for personal data held on their behalf by service providers, including data collected directly by the service provider.
- Rules enhancing the information to be provided to individuals as a condition for informed consent.
Like PIPEDA, the CPPA contains a provision permitting the use and disclosure of personal information without consent for business transactions such as purchases and mergers. It adds a requirement that the information be de-identified before it is used or disclosed, which organizations would need to build into their processes for such transactions.
Computerized Data Extraction
The Bill explicitly provides that many of the consent exemptions, including the "business activities" exemption, cannot be relied upon to collect an individual's electronic address using a computer program designed to harvest such addresses, or to collect personal data stored on a computer system by any means of telecommunication where that system is accessed without authorization.
Privacy Management Program
Organizations subject to the CPPA must implement a privacy management program, including policies and practices for protecting personal data, responding to access requests and training staff. Organizations are also explicitly required to prepare general descriptions of any "automated decision systems" they use to make predictions, recommendations or decisions about individuals that could have a significant impact on them.
Enforcement and Remedies
The Bill enhances the powers of the federal Office of the Privacy Commissioner (OPC). Among the most significant changes, the Bill provides authority to:
- order organizations to change practices and publicize such changes,
- approve an organization’s Codes of Practice or Certification Program to meet compliance obligations, and
- recommend penalties to the new Data Protection Tribunal.
The Tribunal would be empowered to impose significant penalties, up to the greater of $10,000,000 and 3% of an organization's gross global revenue. Penalties apply to a variety of contraventions of the Act, including failures to limit collection or obtain consent, as well as failures to dispose of personal data or to protect it with security safeguards as the Act requires.
In addition to these penalties, the CPPA contains offence provisions with fines of up to the greater of $25,000,000 and 5% of gross global revenue for offences such as failing to report breaches of security safeguards to the Commissioner or to keep records of them, destroying records that are the subject of an access request, using de-identified information to re-identify an individual except in permitted circumstances, engaging in reprisals against those who report contraventions, or obstructing an inquiry by the OPC.
Finally, the proposed legislation would create a private right of action in the Federal Court or a provincial superior court for individuals affected by an organization's contravention of the CPPA. Individuals would be able to sue for loss or injury suffered as a result of a contravention following a finding by the OPC or the Data Protection Tribunal that the organization had contravened the Act.
Personal Information and Data Protection Tribunal Act
This Act would create the Data Protection Tribunal to hear appeals of certain decisions made by the Commissioner under the CPPA, including appeals of orders made and penalties recommended by the Commissioner.
Given the new requirements set out in this legislation and the growing international effort to regulate data security, employers should expect that Bill C-11, or legislation in a similar form, will become law. Although the Bill has only recently been introduced and the government has not yet indicated when it might come into force, the financial implications of non-compliance are large. Organizations should take proactive steps now by assessing their data security policies and personal data management procedures and addressing any existing or potential gaps.
We will continue to monitor the progress of Bill C-11. Should you have any questions or require further information about the Bill, please contact any member of our Information, Data Security & Privacy Group.
Editor’s Note: Bill C-11 has been reintroduced as Bill C-27, Digital Charter Implementation Act, 2022. For more information about Bill C-27, please see our FTR Now of June 21, 2022.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©