The Personal Information Protection and Electronic Documents Act ("PIPEDA") came into force nearly 20 years ago. PIPEDA, as well as its "substantially similar" counterparts in British Columbia, Alberta and Quebec, were landmark pieces of legislation that forced the private sector to begin taking seriously the privacy of the consuming public.
Though PIPEDA has had a largely positive impact insofar as protection of privacy is concerned, much has changed in the two decades since its enactment. Enter Bill C-11: the Digital Charter Implementation Act, 2020. The Act, which is part of Canada's broader "Digital Charter" initiative announced last year, will, if passed, enact the Consumer Privacy Protection Act ("CPPA") and the Personal Information and Data Protection Tribunal Act ("PIDPTA"). Collectively, this legislation would change Canada's privacy landscape by overhauling PIPEDA and making Canada's consumer privacy protections more relevant to the modern data protection context.
The CPPA would effectively take the "PIP" out of "PIPEDA" by repealing privacy protection measures currently found in PIPEDA, and instead addressing the protection of personal information in the private sector context in dedicated legislation. The familiar concepts from PIPEDA, currently found in its Schedule 1, take centre stage in the CPPA: matters of accountability; appropriateness of purpose; limiting collection, use and disclosure of personal information; consent; retention and accuracy of personal information; transparency, access and amendments to personal information; and challenging compliance all make an appearance.
Despite familiar language, there are many important new features present in the CPPA's inaugural draft. A fact sheet published by Innovation, Science and Economic Development Canada highlights a number of these features, including:
Modernized consent rules: The CPPA requires that in advance of seeking an individual's consent to the collection, use or disclosure of personal information, that organization must - in "plain language" - identify the purpose and methods for the collection, use or disclosure of personal information; identify the consequences of the collection, use and disclosure; and name the third parties to whom the information may be disclosed, among other things.
Data mobility: The CPPA provides individuals with the power to direct organizations holding their personal information to transfer that information to another organization. The organization that currently holds the information must then, "as soon as feasible" disclose the information as directed. The CPPA contemplates a "data mobility framework" that will facilitate these transfers, which will be detailed further in regulations.
Algorithmic transparency: The CPPA contains an interesting modern application of the "openness" principle found in PIPEDA, in that the CPPA will require organizations that rely on algorithms - or "automated decision systems" - to make readily available, in "plain language", an account of how the algorithm makes predictions, recommendations or decisions. The obligation only arises when the predictions, recommendations or decisions could have a significant impact on the individual in question.
In addition to the above, the CPPA promises mechanisms for individuals to better control their online identity by making it easier to withdraw consent from organizations that use their personal information, and will provide legislated standards for de-identifying information.
Another key aspect of the CPPA is its enhanced enforcement measures - a feature many have long criticized PIPEDA as lacking. Under the CPPA, the federal Privacy Commissioner (the "Commissioner") will be empowered to make orders mandating that organizations comply with applicable requirements under the CPPA, which orders may, for purposes of enforcement, be made an order of the Federal Court such that they are enforceable in the same manner.
Further, if the Commissioner finds certain provisions of the CPPA have been violated, which provisions primarily deal with matters of limiting collection of personal information, consent, retention and disposal of personal information and security safeguards, the Commissioner may recommend significant administrative penalties. These recommendations will be considered by a newly created Personal Information and Data Protection Tribunal (the "Tribunal"), which will be established by the PIDPTA. These penalties could see offending organizations on the hook to pay up to 3% of their global revenues or $10 million for CPPA violations, whichever is greater. In the most serious cases, that penalty could be has high as 5% of global revenue or $25 million, whichever is greater.
Finally and significantly, the CPPA provides individuals with a private right of action against organizations that violate certain of its provisions. The right arises in the event that an individual is affected by a contravention of the CPPA and either (a) the Commissioner has confirmed the contravention and the finding has not been appealed in the applicable time frame, or (b) the Tribunal has made a final decision confirming that an organization contravened the CPPA.
Now that we have an idea of the roles the CPPA and PIDPTA will play, there are some lingering questions that we will be tracking closely as these Acts make their way through the legislative process:
- What does "plain language" mean? The "plain language" standard arises in several instances in the CPPA and will be the standard against which organizations' privacy policies and related verbiage are judged. While simple enough from a conceptual standpoint, the fact is that privacy can be complex. How would an organization explain inherently complicated data flows in "plain language"? The answer to this and similar questions will have important impacts on how organizations approach privacy.
- Will the private right of action survive? To date, the Federal Government has been reluctant to grant consumers a private right of action for violations of information-related rights. For instance, in 2017 the government suspended the coming into force of provisions in Canada's Anti-Spam Legislation ("CASL") that would grant individuals the right to sue organizations that send them electronic messages without their consent. The possibility of a private right of action for privacy violations under PIPEDA has been a subject of conversation at the Office of the Privacy Commissioner for some time, and it was no surprise to see it incorporated into the CPPA. However, whether it actually comes into force is an important consideration to monitor. Read more about the proposed private right of action under CASL.
- Will CASL get an overhaul? The CPPA and the PIDPTA may signal a broader willingness from the Federal Government to engage in governance activities in the digital space. If that is the case, we may see CASL become the subject of an overhaul similar to that of PIPEDA.
- How will provincial privacy legislation be affected? PIPEDA only applies in jurisdictions that do not have "substantially similar" legislation in force. Currently, that list includes British Columbia, Alberta and Quebec. Will the passing of the CPPA and PIDPTA mean those provinces need to change their legislation to regain the "substantially similar" designation? And what of Ontario, which is in the process of developing its own privacy legislation?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.