Chronique du CTI - BILL C-11: New and Improved Canadian Privacy Law

On November 17, 2020, the Innovation, Science, and Industry Minister Navdeep Bains introduced Bill C-11, An Act to Enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (CPPA). If enacted, the bill will enhance the protection of data that is collected by private institutions throughout Canada. The legislation is still at the stages of its first reading and will likely be amended substantially before its enactment. Nonetheless discussion of the bill in its current form is relevant to understand where the wind of change is blowing in relation to privacy legislation in Canada. In its current form, the bill includes many changes to Canada’s existing framework and repeals large sections of the current federal privacy law The Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-11 also implements the ten principles contained in the Canadian digital charter which is not a legal document and for this reason, it has no legal force. Therefore, the proposed law is an important step towards giving Canadians greater control over their personal data. 

The New Privacy Law and PIPEDA

The CPPA repeals Part 1 of PIPEDA but does not entirely dismiss its content or principles. The CPPA embeds the principles, once found in the annexes of PIPEDA, directly into the legislation. This change is substantial as these dispositions will, if enacted, have the force of law.  

Part 2 of Bill C-11 enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear the appeals of certain decisions made by the Privacy Commissioner and to issue penalties for non-compliance.

It is worth noting that among the privacy rules found in PIPEDA, the following are also found in the CPPA: accountability, appropriate purposes, limiting collection, use and disclosure, retention and disposal of personal information, accuracy of personal information, security safeguards and openness and transparency.

The CPPA also has a new purpose; it is worth taking the time to quote this purpose directly:

“The purpose of this Act is to establish — in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information — rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”.<SUP>1</SUP>

At a time when the theft of personal data is on the rise and web giants are cultivating vast quantities of data on Canadian users, the question of data privacy has never been more relevant. The CPPA acknowledges the trope that states when services online are free often the consumer is the product and their data is the true prize. If we assume the purpose as outlined above will continue to be a guiding principle, we can expect the CPPA will change matters considerably in reference to the use of this data. We can expect to see change on this front even if the final version of the bill is greatly modified.

The Enforcement of the CPPA

Unfortunately, PIPEDA is notorious for its ineffective enforcement model. In reference to the CPPA, the Office of the Privacy Commissioner of Canada (the “Privacy Commissioner”) will no longer be limited to non-binding penalties. Rather, the bill is designed to increase the power of the Privacy Commissioner. This will enable the Privacy Commissioner to issue orders requiring organizations to comply with the requirements of the CPPA, and to force an organization to stop collecting data or using personal information.

Regarding the penalties, businesses that dare to defy the law, if enacted, could face fines up to $25 million or up to 5% of their annual revenue. In the case of less serious offences, the penalties are substantial, being the higher of $10,000,000 or 3% of the organization’s gross global revenue in its financial year preceding the year the penalty is imposed.<SUP>2</SUP>

As mentioned above, Part 2 of Bill C-11 enacts the Personal Information and Data Protection Tribunal Act. The new Tribunal, composed of three to six members, will hear the appeals of the Privacy Commissioner’s decisions during public hearings. The Tribunal will have the power to impose penalties, but also to increase or decrease penalties ordered by the Privacy Commissioner; these decisions will be made public. This will be helpful in allowing scholars and professionals to understand how factors will be weighed in a ruling and therefore be helpful in guiding businesses towards acceptable practices.<SUP>3</SUP>

The CPPA also provides whistleblower provisions that will protect any person who notifies the Privacy Commissioner of non-compliance with the law. This provision would support enforcement of the act by encouraging employees or representatives to report non-compliant behaviour.<SUP>4</SUP>

In addition to the legislative penalties, individuals who are affected by a violation of Bill C-11 will have a private right of action to seek damages for loss or injury. The limitation period for bringing the action is within two years of the Commissioners finding.<SUP>5</SUP>

Consent

The CPPA places greater emphasis on the obligation of private institutions to obtain consent.  Organizations must obtain valid consent from an individual before using or disclosing any personal information regarding that individual. The consent must be express, unless the organization can demonstrate that it is appropriate to rely on implied consent in the given circumstances. Consent cannot be obtained by using false or misleading information or using deceptive or misleading practices. An individual can, on reasonable notice, withdraw his consent in whole or in part.<SUP>6</SUP>

However, there are many exceptions to the requirement for consent<SUP>7</SUP>:

• Business activities which include the delivery of a product or service, due diligence, system or network security, safety of a product and others.
• Transferring and individual’s personal information to another service provider
• De-identifying an individual’s personal information
• Research and development if the information is de-identified before it is used
• Prospective and completed business transactions
• Information produced in employment, business or profession
• Employment relationship — federal work, undertaking or business
• Disclosure to lawyer or notary
• Witness statement
• Prevention, detection, or suppression of fraud
• Debt collection
• Publicly available information

There are also other exceptions that fall into the category of “public interest”<SUP>8</SUP>:

• Individual’s interest
• Emergency that threatens the life, health or security of any individual.
• Identification of an individual who is injured, ill or deceased.
• Communication with the next of kin or authorized representative
• Financial abuse
• Statistical or scholarly study or research
• Records of historic or archival importance
• Disclosure after period of time
• Journalistic, artistic or literary purposes
• Socially beneficial purposes

Finally, there are additional exceptions for investigations, disclosures to government institutions, disclosures required by law.<SUP>9</SUP> With such a large list of exceptions, it appears that consent will be the rule and exceptions may be limited to a prescribed list of activities appearing in the law. These lists will likely be debated as interests’ groups identify moments when consent should be explicit.

New Provisions

Although transparency was part of PIPEDA, Bill C-11 will also ensure greater transparency and accountability in how organizations use the personal information they collect.  Businesses will have to obtain consent from their clients in clear, plain, and simple terms, setting aside the long, bulky, and incomprehensible 20-page legal documents. Also, the CPPA gives an individual the right to access their personal information that is held by any organization.<SUP>10</SUP> This takes into consideration a growing concern expressed by many in the processing of decisions by automation or artificial intelligence. Recognizing that automation and artificial intelligence is limited to the quality of the information held, this provision would address the concern that faulty data can lead to highly prejudicial automated decision-making. The CPPA states in Section 63(3): 

If the organization has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.

Furthermore, Bill C-11 will allow clients and users to understand how their personal data is collected and grant them rights in reference to transferring their data from one organization to another. The new mobility of personal information right takes into consideration the reality of modern times and the necessity of transferring data between organizations. When two organizations are subject to the data mobility framework provided by the law, an individual will be able to direct an organization to disclose personal information that it has on this individual to another designated organization.<SUP>11</SUP>

Bill C-11 also includes a new privacy right, which is the de-identification of personal information. Basically, de-identification means to:

modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.<SUP>12</SUP>

When used reasonably and for the right purposes, de-identified information can be very useful for statistical purposes. However, there is always a concern that de-identified information can be reverse engineered and personal information may be restored. To address this concern the CPPA prohibits the use of de-identified information in order to identify an individual, unless it is used “to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information”.<SUP>13</SUP> Severe penalties will be given to those who do not comply with the rule.

Bill C-11 will also give individuals the right to have their information deleted when they withdraw their consent. The right to retention and disposal of personal information grants any individual the right to write a request to an organization to dispose of the information on the individual that is held by the organization. An organization can refuse to dispose of the information if the disposing would result in the disposal of personal information on another individual from whom this information cannot be removed. A refusal is also permitted if other requirements of the CPPA, of a federal or provincial law or of the reasonable terms of a contract prevent the disposing. If an organization refuses a request from an individual, it must notify the individual in writing of the reasons for denying this request and inform the individual of its recourse.<SUP>14</SUP> One can imagine that the concept of information that “cannot be disposed” will require further development. 

How will CPPA affect Quebec’s organizations?

Bill C-11 stipulates that the Governor in Council may, by order, exempt organizations, activities, or class of a specific province from the application of the CPPA if the legislation of the given province is substantially similar to the CPPA. With the two current Quebec laws, the Act respecting Access to documents held by public bodies and the Protection of Personal Information and the Act respecting the protection of personal information in the private sector, it is most likely that Quebec organizations will not be subject to the CPPA. We can assume that businesses in Quebec that are subject to PIPEDA, such as corporations falling under the federal jurisdiction, will be subject to the CPPA.

It is important to note that Quebec is in the process of adopting a bill that will equally modify the privacy legislation applicable in Quebec, An Act to Modernize Legislative provisions as Regards the Protection of Personal Information (Bill 64). Bill 64 resembles Bill C-11, as it also seeks to strengthen the protection of personal information. If you want to read more on Bill 64, see our article on this subject here.

In its current form, Bill C-11 will drastically update Canada’s privacy regime. Although it is in its early stage, the essence of Bill C-11 is simple: protect Canadians’ information with a strict new privacy law.