On November 17, 2020, the Federal Government introduced Bill C-11, the Digital Charter Implementation Act, 2020 ("Bill C-11"). While Bill C-11 had only passed First Reading at the time of writing this update, it proposes a number of changes that would affect the way organizations handle personal information. Most significantly, Bill C-11 would replace Part 1 of the Personal Information Protection and Electronic Documents Act ("PIPEDA") with the new Consumer Privacy Protection Act ("CPPA").
If Bill C-11 passes, federally regulated employers would, much as under PIPEDA, be subject to the CPPA with respect to the personal information of their employees. An employer is federally regulated where it operates a federal work, undertaking or business. This includes, but is not limited to, organizations involved in air transportation, radio broadcasting, banking and inter-provincial or international transportation.
Below we provide an overview of some of the key changes proposed by Bill C-11 and the CPPA specifically.
Consent Requirements and Exemptions
a. Consent Requirement and Application
The CPPA does not introduce significant changes to the current consent requirements under PIPEDA. Under the CPPA, organizations would still be required to obtain an individual's consent before collecting, using or disclosing their personal information (the "consent requirement"). Consent must be meaningful; it may be express or, in certain circumstances, implied.
b. Proposed Exemptions to Consent Requirements
The CPPA sets out a list of exceptions to the consent requirement that mirror a number of the exceptions under PIPEDA.
For federally regulated employers, there is still an exception to the consent requirement for employee information. Under the CPPA, the consent requirement would not apply where the collection, use or disclosure of personal information is for the purpose of hiring, managing or dismissing an individual, and the individual is informed that their personal information will be, or may be, used for such purposes.
The CPPA also proposes a number of new exceptions that are not found in PIPEDA. These newly proposed exceptions relate to "business operations". For example, under section 18 of the CPPA, an organization may collect or use an individual's personal information without their knowledge or consent where the collection or use is necessary to deliver a product or service that the individual has requested. Two other new exceptions may be of interest to employers:
- Transfer to a service provider - section 19 would permit an organization to transfer an individual's personal information to a service provider without the individual's knowledge or consent; the transferring organization remains responsible for the information.
- Business transactions - sections 22(1) and (2) would allow organizations to share personal information without an individual's knowledge or consent where the sharing arises in the course of a business transaction. The caveat is that Bill C-11 would require a seller in such a transaction to de-identify the personal information before sharing it with a prospective buyer. This would likely include removing employee information such as salaries and other personal identifiers.
Penalties and Enforcement
a. Office of the Privacy Commissioner (the "Privacy Commissioner")
If Bill C-11 is passed, the Privacy Commissioner would remain responsible for enforcing federal privacy legislation, including the CPPA. However, the CPPA would give the Privacy Commissioner a number of new powers, including:
- The power to issue a compliance order, which could require an organization to take measures to comply with the CPPA, to stop doing something that contravenes the CPPA, to comply with a compliance agreement, or to make public any measures it has taken to bring itself into compliance with the CPPA.
- The power to recommend that the new Personal Information and Data Protection Tribunal impose a penalty.
b. Data Protection Tribunal
As noted above, the CPPA would also establish the Personal Information and Data Protection Tribunal (the "Tribunal"). If Bill C-11 is passed, the Tribunal would have the authority to impose administrative monetary penalties on organizations that fail to comply with the CPPA. The available penalties and fines are significant and include the following:
- Where an organization contravenes the CPPA, the Tribunal may impose a penalty of up to $10,000,000 or 3% of the organization's gross global revenue in the financial year before the one in which the penalty is imposed, whichever is greater.
- Where an organization commits an offence under the CPPA, for example by obstructing an investigation, inquiry or audit by the Privacy Commissioner, a court may impose a fine of up to $25,000,000 or 5% of the organization's gross global revenue in the financial year before the one in which the fine is imposed, whichever is greater.
c. Private Right of Action
Bill C-11 also introduces a private right of action. Under the CPPA, individuals would be permitted to bring an action against an organization for a contravention of the Act. Certain conditions would need to be met before such an action could be commenced. In particular, the Privacy Commissioner or the Tribunal must first have found that the organization contravened the CPPA. If all of the conditions are met, an affected individual would be entitled to damages for loss or injury suffered as a result of the organization's act or omission.
Voluntary Options for Organizations
The proposed CPPA would give organizations an opportunity to take proactive steps to ensure compliance and limit the risk of liability under the Act. In particular, organizations could develop "Codes of Practice" and "Certification Programs" and submit them to the Privacy Commissioner for approval. These Codes and Programs appear to be similar to other workplace policies and organizational rules regarding the protection of personal information. While approval of a Code or Program would not relieve an organization of its obligations under the CPPA, it may provide a basis to limit potential liability. For example, compliance with an approved Certification Program could be relied on where an organization faces an investigation or a potential penalty.
Check the Box
With the potential changes to privacy legislation in Canada, employers should be aware of how this might affect business operations and the handling of personal information:
- Federally regulated employers should be aware that the CPPA would apply to personal information about their employees. The CPPA adopts language similar to PIPEDA's for the exception to the consent requirement for federally regulated employers: under the CPPA, such employers would be exempt from the consent requirement for personal information collected, used or disclosed within the context of the employment relationship (i.e. hiring, managing and terminating), provided the affected employees have been informed of this.
- Employers should also be aware of the newly proposed exemptions that may apply to them if Bill C-11 is passed. The proposed updates may change the way organizations handle personal information, depending on the nature of the business activity or operation that an organization is involved in.
- While it is uncertain how the proposed private right of action would be interpreted and applied by the courts, employers should be aware of how it could influence disputes surrounding employee discipline and/or dismissals. In particular, under both the current regime established by PIPEDA and the proposed CPPA, employers cannot discipline employees for raising concerns about an organization's compliance with privacy laws. If an employee alleged that an employer retaliated against them for this reason, the employer could be found to have contravened the CPPA and be exposed to additional liability in a separate action, if one were commenced.
- Employers should also be cautious in navigating the various changes that would be introduced under the new CPPA. Given that the CPPA introduces serious financial penalties for failing to comply with the new privacy rules, diligence in handling personal information will be important. To reduce potential exposure under the CPPA, employers should monitor the progress of Bill C-11 and consider adopting a Code of Practice and/or Certification Program under the CPPA once these become available.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.