Canada’s GDPR Moment: Why the Consumer Privacy Protection Act is Canada’s Biggest Privacy Overhaul in Decades


Canada’s private sector privacy law was born in the late 1990s at a time when e-commerce was largely a curiosity and companies such as Facebook did not exist. For years, the privacy community has argued that Canada’s law was no longer fit for purpose and that a major overhaul was needed. The pace of reform has been frustratingly slow, but today Innovation, Science and Industry Minister Navdeep Bains introduced the Consumer Privacy Protection Act (technically Bill C-11, the Digital Charter Implementation Act), which represents a dramatic change in how Canada will enforce privacy law. The bill repeals the privacy provisions of the current Personal Information Protection and Electronic Documents Act (PIPEDA) and will require considerable study to fully understand the implications of the new rules.

This post covers six of the biggest issues in the bill: the new privacy law structure, stronger enforcement, new privacy rights on data portability, de-identification, and algorithmic transparency, standards of consent, bringing back PIPEDA privacy requirements, and codes of practice. These represent significant reforms that attempt to modernize Canadian law, though some issues addressed elsewhere, such as the right to be forgotten, are left for another day. Given the changes – particularly on new enforcement and rights – there will undoubtedly be considerable lobbying on the bill with efforts to water down some of the provisions. Moreover, some of the new rules require accompanying regulations, which, if the battle over anti-spam laws is a model, could take years to finalize after lengthy consultations and (more) lobbying.

1. New Privacy Law Structure

The CPPA dispenses with the longstanding PIPEDA model to create a fresh start for privacy law. While many of the principles are the same, the PIPEDA approach of relying on the Canadian Standards Association’s Model Code for the Protection of Personal Information as Schedule 1 to the law combined with rules for enforcement in the act itself is gone. Instead, the CPPA features the same principles – and adds several more – directly within the law itself. This will require careful comparison, but it provides the opportunity to include greater detail within the law, rather than relying on the interpretations of the Privacy Commissioner of Canada. As noted below, the new structure also includes a new privacy tribunal, the Personal Information and Data Protection Tribunal. The Tribunal will play a key enforcement role by reviewing Commissioner decisions and issuing penalties for non-compliance.

It is worth noting that the new law brings a new purpose that emphasizes cross-border data transfers. The new purpose references “an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information.” Several of the new provisions reflect this new purpose.

2. New Enforcement Regime

It may be odd to start with how the law is enforced, but the CPPA’s biggest changes seek to address the fundamental flaw in the current law, namely the weak enforcement model. The bill proposes several key changes to address enforcement. First, the Privacy Commissioner of Canada will have order making power that will enable the office to order compliance with the law and to recommend significant penalties for failure to do so. The lack of order making power – the commissioner has long been limited to non-binding findings – has been a critical legal shortcoming.

Second, the order making power comes with the ability to recommend penalties that in some cases are the highest in the G7. The potential penalty for contravening the law “is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.” Moreover, there are even tougher penalties for failing to comply with some of the security breach disclosure rules or data retention requirements, for identifying someone using de-identified data (except in limited circumstances), or for sanctioning a whistleblower. In those circumstances, the penalties can reach $25,000,000 or 5% of the organization’s gross global revenue.

Third, these penalties will be levied by a new Personal Information and Data Protection Tribunal. The Tribunal, which will feature between three and six members, will hear appeals of Privacy Commissioner of Canada orders. The hearings will be public and the decisions will also be made public. The Tribunal may impose penalties, including overruling the Privacy Commissioner’s order on penalties (in other words, it can increase or decrease penalties).

Fourth, the law also includes whistleblower provisions that protect employees who disclose alleged privacy non-compliance to the Privacy Commissioner of Canada. The Privacy Commissioner must keep the identity of the whistleblower secret, and the employer is prohibited from sanctioning or penalizing the employee for having disclosed the concern.

Fifth, the law features a private right of action that will allow individuals to seek damages for loss or injury suffered due to a privacy violation. The private right of action is triggered once the Privacy Commissioner has made a finding of contravention of the law (in other words, individuals must first file a complaint with the commissioner) and the finding is either not appealed to the Tribunal or the Tribunal upholds the ruling. The action must be brought within two years of the ruling.

3. New Privacy Rights: Data Portability, De-Identification, and Algorithmic Transparency

The bill includes a new privacy right on data portability, which involves the potential for individuals to ask organizations to transfer their personal information to another organization. This is a significant issue in several sectors, notably open banking. The rule states:

Subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework provided under the regulations.

While the regulations will be crucial, this is a good start on an important new right.

The bill also includes a new access right with respect to algorithms. The algorithmic transparency provision states:

If the organization has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.

The bill features important rules with respect to de-identification of personal information with very strong penalties on organizations that violate the new standards. De-identification has emerged as a major issue in the world of big data, with many organizations relying on de-identified data for a wide range of purposes. As the public battle over Sidewalk Labs in Toronto demonstrated, some object to any use of their data, even if de-identified. The law seeks to strike a balance:

An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.

This is very vague and will require regulations to fully understand how it will apply (and even then will likely result in complaints). The government has, however, created significant penalties for those that seek to try to identify an individual using de-identified data:

An organization must not use de-identified information alone or in combination with other information to identify an individual, except in order to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information.

Violations of this provision may trigger the maximum penalties described above.

4. Standards of Consent

Consent sits at the heart of modern privacy law, and the consent provisions in the CPPA are amongst the most important and likely most controversial. On the one hand, the law establishes clear requirements for consent, with standards on what must be included in order for consent to be valid, the need for express consent (unless the organization can demonstrate that implied consent is appropriate in the circumstances), and a prohibition on making consent a requirement for a product or service beyond what is strictly necessary. Deceptive practices to obtain consent with false or misleading information render the consent invalid, and individuals can withdraw their consent at any time.

On the other hand, there are many exceptions to the general consent requirement. Exceptions that touch on consent for collection and/or disclosure, many of which replicate PIPEDA, include:

  • a range of business activities including delivery of a product or service, due diligence, or system or network security
  • transferring the information to another service provider (presumably to complete a service the individual has contracted for, but the bill is vague)
  • de-identifying the personal information
  • research and development if the data is de-identified
  • proposed or completed business transactions
  • information produced in the course of the individual’s employment
  • prevention of fraud
  • witness statements
  • disclosures to the organization’s lawyers
  • journalistic, artistic or literary purposes
  • investigations
  • law enforcement

There is also an exception to consent where the collection or use is in the individual’s interest. This could arise in an emergency where the individual cannot provide consent in a timely manner, or in cases of potential financial abuse. There are further exceptions for statistical or scholarly study or research, as well as for instances of historical or archival importance.

The law adds a “socially beneficial purposes” exception. It allows for disclosure without knowledge or consent if the information is de-identified, is for a socially beneficial purpose, and the disclosure is made to a government institution, health care institution, post-secondary institution, library, or any other organization mandated to carry out socially beneficial purposes. Socially beneficial purposes are defined as purposes “related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.”

5. Bringing Back Privacy Rights and Obligations

To be clear, the CPPA brings back many of the privacy rules found in PIPEDA. These include the principles on:

  • accountability
  • appropriate purposes
  • limiting collection, use and disclosure
  • retention and disposal of personal information
  • accuracy of personal information
  • security safeguards (which now includes details on security breach disclosure)
  • openness and transparency (which now includes algorithmic transparency)

There are also access rights that enable individuals to seek information directly from organizations and, of course, the ability for individuals to file complaints with the Privacy Commissioner of Canada where they believe their rights have been violated.

6. Codes of Practice

One of the more controversial aspects of the law is likely to be the creation of new codes of practice that will allow private organizations to establish a code for complying with the law that will be approved by the Privacy Commissioner of Canada. If approved, the code will effectively establish the legal obligations for the organization. The bill states:

An entity may, in the manner provided by the regulations, apply to the Commissioner for approval of a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under this Act.

In addition, an organization may establish a certification program that includes a code of practice, implementing guidelines, independent verification, and disciplinary measures for non-compliance. These programs can be approved by the Commissioner and will give organizations some flexibility in crafting how they propose to comply with the law.

There is obviously much more in the bill that will require careful study and (as noted several times), many of the details will require regulations. More posts and analysis to follow in the weeks ahead.


About The Author

Dr. Michael Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law. He has obtained a Bachelor of Laws (LL.B.) degree from Osgoode Hall Law School...