On June 15, 2022, the Minister of Innovation, Science and Industry, François-Phillippe Champagne introduced Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (or Digital Charter Implementation Act, 2022). This long-awaited piece of legislation is in a sense the faithful successor of the former Bill C-11, tabled in 2020, which died on the order paper in August 2021 ("C-11 (2020)")..
Bill C-27 reintroduces two Acts that will sound familiar for those who followed Bill C-11 (2020), namely the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act. The novelty of C-27 primarily lies in the introduction of a third legislation, the Artificial Intelligence and Data Act ("AIDA").
Bill C-27 seeks to replace the Personal Information Protection and Electronic Documents Act ("PIPEDA") with a modernized and stronger privacy and data protection legal framework in Canada. This article focuses on the key differences between the proposed legislation and the actual federal privacy regime in the private sector governed by PIPEDA.
What you need to know
This article provides an overview of the key aspects of the CPPA and their impact on Canadian businesses.
As more fully detailed herein, the CPPA is introducing a new privacy regime that would introduce the following changes, which were already introduced with C-11 (2020) and have not changed with this new version of C-27:
- New enforcement tools:
- The newly constituted Personal Information and Data Protection Tribunal would have powers to impose, upon recommendation by the Office of the Privacy Commissioner of Canada, administrative monetary penalties of C$10,000,000 or, if greater, the amount corresponding to three per cent of the organization's global gross revenues in its previous fiscal year.
- Reinforced fines in the case of penal proceedings for a maximum of C$25,000,000, or, if greater, the amount corresponding to five per cent of the organization's global gross revenues in its previous fiscal year.
- New private right of action for individuals.
- New provisions to enable the creation of "codes of practice" and "certification programs".
- New individual rights inspired by European law: right to be informed of automated decision-making, right to disposal and right to mobility.
- Reinforced accountability rules:
- New definition of the notion of "control".
- New obligation to establish, implement and make available a privacy management program.
- Clarity concerning the role and responsibilities of service providers.
- Reinforced consent requirements, including greater clarity concerning the notion of valid consent.
- Some less stringent rules: new consent exceptions for de-identified information and legitimate business practices.
The new version of the CPPA (C-27) is also introducing new changes from the previous version C-11 (2020). To assist you in your review of Bill C-27, we have prepared a comparative chart describing the most significant changes introduced by C-27 compared to C-11 (2020). More specifically, we have summarized these key changes at the beginning of each section.
The federal government's proposal to modernize the Personal Information Protection and Electronic Documents Act (PIPEDA) - a legislation that was enacted nearly two decades ago, is as ambitious as it is cautious in its attempt to meaningfully enhance privacy protections for individuals. The proposal, which would effectively replace PIPEDA's privacy provisions with the Consumer Privacy Protection Act (CPPA), aims to operationalize the Canadian government's Digital Charter as well as past proposals to strengthen privacy in the digital age in order to address the challenges posed by the digital economy and new technologies. The novelty of C-27 primarily lies in the introduction of a third legislation, the Artificial Intelligence and Data Act ("AIDA"). Otherwise, the proposal is relatively similar to C-11 (2020) as it would enact the Personal Information Data Protection Tribunal Act, establishing a new Personal Information and Data Protection Tribunal, which would have the ability to impose significant penalties. Further, the most serious violations of the CPPA could result, upon prosecution, in fines, which have been described as the strongest among G7 privacy laws, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
While clearly inspired by similar initiatives in other countries, namely the EU's GDPR and California's CCPA, the Canadian proposal is unique in its approach in that, in many instances, it affords businesses with greater flexibility and clarity relative to the present privacy regime's requirements. Most notably, it borrows directly from past guidance and decisions issued by the federal privacy commissioner, the Office of the Privacy Commissioner of Canada (Commissioner), and provides individuals with new rights that are more narrowly framed than those currently found under the GDPR. In this sense, it bears noting that on many aspects, the Québec Act respecting the protection of personal information in the private sector ("Québec Private Sector Act"), as modified by Bill 64 ("Bill 64"), is considerably more onerous than the CPPA, raising a number of challenges from an interoperability standpoint for businesses operating at a national level. For a more detailed analysis of Québec Bill 64's proposed amendments, please see review our Compliance Guide on Bill 64.
The differences between Québec Bill 64 and the CPPA highlight the importance of enhancing consistency among different privacy law regimes, especially as Canada's adequacy status under the GDPR, which affords Canadian businesses handling personal data that is subject to the GDPR with a competitive advantage, is currently up for review. Furthermore, we can expect similar talks of reform concerning the Alberta Personal Information Protection Act (Alberta PIPA) and the British Columbia Personal Information Protection Act (BC PIPA), which, in addition to the Québec Private Sector Act, are deemed "substantially similar" to PIPEDA and therefore apply in lieu thereof for intra-provincial privacy matters. Indeed, in December 2021, a special committee appointed by the British Columbia Legislative Assembly published a report recommending significant changes to the BC PIPA. In addition, in June 2021, the Ontario Government published a white paper that sets out a model for a first private-sector privacy law statute for this province (see "Ontario moves forward with privacy legislation initiative").
Enforcement - Summary of changes in C-27 from the previous version C-11 (2020)
The CPPA introduces major changes to the federal privacy enforcement regime which will create significant compliance risks for businesses. Most notably, the CPPA will grant new order-making powers to the Commissioner. Additionally, the Commissioner may make recommendations to the Tribunal for the imposition of penalties of up to C$10,000,000 or three per cent of the organization's global gross revenues, whichever is higher. In contrast, equivalent fines under the GDPR and Québec Bill 64 use a cap of two per cent.
Further, the most egregious CPPA violations would constitute offences punishable, upon prosecution, with a fine up to C$25,000,000 or five per cent of the organization's global gross revenues. This upper limit is higher than the one currently found in either the GDPR or Québec Bill 64, which is capped at four per cent (although Québec Bill 64 provides for the doubling of fines for subsequent offences).
Powers of the Commissioner
Current powers maintained - investigations, compliance agreements and audits. The CPPA carries forward certain powers found in PIPEDA including that individuals may file complaints or the Commissioner can initiate a complaint on its own initiative (s. 82 CPPA replacing s. 11 PIPEDA). The Commissioner also maintains the following powers:
- Carrying out investigations in respect of a complaint (s. 83 CPPA replacing s. 12 PIPEDA);
- Entering into compliance agreements with organizations who have contravened the statute (s. 87 CPPA replacing s. 17.1 PIPEDA); and
- Conducting audits regarding an organization's compliance with the statute (s. 97 CPPA replacing s. 18 PIPEDA).
New powers - compliance orders and recommendations of penalties. The CPPA, however, will grant the Commissioner new powers to conduct an inquiry after investigating a complaint (s. 89) or non- compliance with a compliance agreement (s. 90). At the conclusion of an inquiry, the Commissioner is required to render a decision in which it may issue a compliance order (s. 93), if the Commissioner finds that organization has contravened the CPPA.
- Compliance orders. The CPPA would grant the Commissioner significant new powers to order organizations to do the following:
- Take measures to comply with the statute;
- Stop doing something that is in contravention of the statute;
- Comply with a compliance agreement; and
- Make public any measures to correct its policies, practices or procedures (s. 92(2)).
- An organization will be able to appeal a compliance order to the Tribunal, as discussed below. However, if the compliance order is not appealed, it will be enforceable in the same manner as an order of the Federal Court (s. 104).
- Penalty recommendation. The Commissioner is also required to decide whether to make a recommendation that the Tribunal impose a penalty for violating the CPPA's key provisions (s. 94). Unlike privacy regulators under other regimes (e.g., the GDPR and Québec Bill 64), the Commissioner will not have powers to directly impose penalties for CPPA violations.
Monetary penalties imposed by the Tribunal
The Tribunal will have the power to impose a penalty on an organization after giving the organization and the Commissioner the opportunity to make representations and if the Tribunal determines that it is appropriate to do so (s. 95(1)). The Tribunal must rely on either the Commissioner's findings or its own findings in the case of appeal (s. 95(2)). Significantly, organizations will have a defence of due diligence (s. 95(3)).
The maximum penalty for all the contraventions in a recommendation taken together is the higher of C$10,000,000 and three per cent of the organization's gross global revenue in its financial year before the one in which the penalty is imposed (s. 95(4)). The statute sets out the factors that the Tribunal must consider in determining the amount of the penalty (s. 95(5)).
Appeals to the Tribunal
The CPPA will also grant complainants and organizations a right to appeal before the Tribunal (s. 101) any decision issued by the Commissioner in which it finds that the organization has contravened, or not, the CPPA. This will also extend to any compliance order issued by the Commissioner against the organization and any decision issued by the Commissioner in which it decides not to recommend the imposition of a penalty. The decisions of the Tribunal are final and binding, subject only to a right to seek judicial review of the decision in Federal Court.
Certain more egregious conduct could constitute an offence leading to a fine of a maximum of the higher of C$25,000,000 and five per cent of the organization's gross global revenue in its previous financial year (s. 128). Such as for offences provided under section 28 of PIPEDA, these offences would be prosecuted by the Attorney General of Canada.
The following will constitute an offence under section 128 of the CPPA:
- Knowingly contravening the breach reporting and notification requirements (s. 58), including record-keeping requirements (s. 60(1));
- Knowingly contravening the requirement to retain personal information that is subject to an access request (s. 69);
- Knowingly using de-identified information to identify an individual (s. 75);
- Knowingly contravening a compliance order issued by the Commissioner; and
- Obstructing the Commissioner in the investigation of a complaint, in conducting an inquiry or in carrying out an audit.
Private right of action
The CPPA will introduce a new private right of action (s. 107). Individuals affected by a contravention of the CPPA may bring a claim against the organization for damages to compensate for loss or injury suffered due to that contravention, provided that:
- The Commissioner finds that the organization has contravened the CPPA and the finding may no longer be appealed, either because the time limit to appeal has expired or the Tribunal has dismissed a prior appeal; or
- The Tribunal finds that the organization has contravened the CPPA.
The CPPA also provides individuals with a private right of action against organizations convicted of an offence under the CPPA (e.g., failing to report to the Commissioner, maintain records or certain information; penalizing an employee for reporting a CPPA contravention; or using de-identified information to identify an individual). Individuals affected by the act or omission of the organization which led to the conviction may bring a claim for the loss or injury suffered.
In each case, after a limitation period of two years after the date of the Commissioner's finding, the Tribunal's decision or conviction of a CPPA offence (as applicable) applies (s. 107(3)).
The private right of action under the CPPA appears to be considerably broader than the one introduced by Bill 64 in Québec, which is limited to an award of punitive damages of at least $1,000 when infringement is intentional or results from a gross fault.
Whistleblowing and anti-reprisal provisions
The CPPA maintains the whistleblowing protection that is currently included in PIPEDA (s. 126 CPPA replacing s. 27 PIPEDA). The Commissioner has used information received under this provision to initiate a complaint on at least one occasion (PIPEDA Case Summary #310). Similarly, the CPPA will also include an anti-reprisal provision which mirrors the one included in PIPEDA (s. 127 CPPA replacing s. 27.1 PIPEDA).
Codes of practice and certification programs
Sections 76 and 77 of the CPPA will bring in new provisions to enable the creation of "codes of practice" and "certification programs", a means of encouraging voluntary, sectoral practices that favour privacy protection. Similar provisions are included in Articles 40 to 43 of the GDPR and may provide for greater certainty in the application of the CPPA.
In order to further encourage the development of improved and consistent privacy practices, the CPPA will allow any organization, whether or not subject to the CPPA and including government institutions, to seek the Commissioner's approval of codes of practice and certification programs. Doing so will not necessarily be proof of compliance with the CPPA. However, the Commissioner has discretion to decline to investigate certified organizations (s. 83(1)(d)) and is prohibited from recommending that a penalty be imposed against an organization "if the Commissioner is of the opinion that, at the time of the contravention of the provision in question, the organization was in compliance with the requirements of [an approved] certification program (s. 93(3))". Organizations may choose to voluntarily comply and maintain certification as a means of reducing the risks associated with non-compliance with the CPPA and highlighting their committed to privacy compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.