By Michael Shapiro
On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced a proposed Digital Charter Implementation Act, 2020 [1], through which the Canadian government intends to establish a new privacy law for the private sector, the Consumer Privacy Protection Act (CPPA).
Canada’s current federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force in 2004. Organizations covered by PIPEDA must obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. Individuals have the right to access their personal information held by an organization, as well as the right to challenge its accuracy. Under PIPEDA, personal information can only be used for the purposes for which it was collected; if an organization is going to use it for another purpose, it must obtain consent again. Organizations are also required to protect personal information with appropriate safeguards.
The CPPA builds upon this framework by introducing new individual rights and business obligations, as well as regulatory tools to address compliance and expanded penalties for non-compliance. The CPPA’s companion legislation, the Personal Information and Data Protection Tribunal Act, establishes a new Tribunal with jurisdiction over the penalties imposed under the CPPA.
Some of the key provisions of the proposed legislation include the following:
- New Consent Requirements: Like PIPEDA, the CPPA offers a consent-based framework, meaning that organizations must obtain a “valid” consent for the collection, use, or disclosure of personal information unless their activity falls within one of the enumerated exceptions. For the consent to be “valid” under the CPPA, an organization would need to first disclose to the individual (i) the purposes for the collection, use, and disclosure of the personal information; (ii) the way in which the personal information is to be collected, used, or disclosed; (iii) any reasonably foreseeable consequences of the collection, use, or disclosure; (iv) the specific types of personal information that are to be collected, used, or disclosed; and (v) the names or types of third parties to which the organization may disclose personal information.
- Rights to Data Mobility and Disposal: Under the CPPA, individuals would gain the right to direct the transfer of their personal information from one organization to another. The legislation would also allow individuals to request that organizations delete their personal information, subject to limited exceptions.
- Automated Decision Systems: The CPPA defines “automated decision system” as any technology that assists or replaces the judgement of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning, and neural nets. Organizations would have to disclose how they use automated decision-making systems to make significant predictions, recommendations, or decisions about individuals. Individuals, in turn, would have the right to request that businesses explain how a prediction, recommendation, or decision concerning them was made by the system.
- De-identified Information: The CPPA provides that an organization may de-identify personal information without the individual’s knowledge or consent, but may only use or disclose de-identified information without consent in limited circumstances, such as internal research and development, in connection with prospective business transactions, or for certain socially beneficial purposes. An organization that de-identifies personal information will be required to apply technical and administrative measures proportionate to the purpose for which the information is de-identified and to the sensitivity of the information, and would generally be prohibited from using such information to identify an individual.
- Recognition of Codes of Practice and Certification Systems: The CPPA will allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the law applies in certain activities, sectors, or business models.
- Broad Powers of the Privacy Commissioner: The Privacy Commissioner would have broad powers, including the ability to order an organization to comply with the regulatory requirements under the CPPA and to stop collecting data or using personal information. The Privacy Commissioner would also be able to recommend the imposition of fines by the Personal Information and Data Protection Tribunal.
- Administrative and Criminal Penalties: The legislation provides for administrative monetary penalties of up to 3% of global revenue or Can$10 million for non-compliant organizations. For certain serious violations, such as knowingly contravening an order of the Privacy Commissioner; obstructing an investigation, inquiry, or audit; or knowingly violating provisions regarding data breach reporting, preserving breach records, retaining information that is the subject of contested access requests, the prohibition on using de-identified information to identify individuals, or retaliation against employees, an organization may be found criminally liable and penalized up to 5% of its global revenue or Can$25 million.
- Private Right of Action: The CPPA provides for a private right of action, but only in cases where the Privacy Commissioner or the Tribunal has already found that the organization violated the Act, or the organization has been convicted of a criminal offense for certain CPPA violations. Furthermore, the Act provides a two-year statute of limitations for bringing private actions.
The proposed law still leaves a number of unanswered questions, however. For example, with the exception of personal information collected, used, or disclosed interprovincially or internationally, the CPPA would not apply to the extent that local provinces have “substantially similar” legislation in place. While several provinces already have legislation “substantially similar” to PIPEDA, it is unclear how their status would be affected under the CPPA.
Furthermore, like PIPEDA, the CPPA is silent on the Act’s extraterritorial application. Even though Canadian courts have extended the application of PIPEDA to foreign organizations that have a “real and substantial link” to Canada [2], it remains to be seen how these decisions will apply in the context of the CPPA.
Currently there is no timeline for when the Digital Charter Implementation Act might become law or come into force.
By Michael Shapiro, Esq., CIPP/US/E, CIPM, Senior Counsel and Director of Privacy at Clarip, Inc.