The federal minority government has released draft legislation to update and modernize Canada's federal private-sector privacy law. The present law, the Personal Information Protection and Electronic Documents Act (PIPEDA), received royal assent in 2000, came into force in stages beginning in 2001 and has applied fully since 2004. We will not go into a detailed explanation of Canada's federal division of powers or the application of PIPEDA but will instead focus on the proposed changes.
It is important to remember that a key goal of PIPEDA was to allow the continued flow of personal data from the European Union after the EU passed its 1995 Data Protection Directive, something that has taken on new importance since the Court of Justice of the European Union's "Schrems II" decision. That decision did not touch on Canada's adequacy status, but the EU's expectations have clearly increased since the General Data Protection Regulation came into force, and existing adequacy findings are now subject to periodic review by the European Commission, advised by the European Data Protection Board.
The proposed changes would be implemented through the Digital Charter Implementation Act, 2020 (Bill C-11), which amends a number of pieces of legislation. Part 1 enacts the Consumer Privacy Protection Act, which replaces the privacy rules currently found in Part 1 of PIPEDA; what remains of PIPEDA would be renamed the Electronic Documents Act. Part 2 establishes a specialized privacy and data protection tribunal through the Personal Information and Data Protection Tribunal Act.
It is not coincidental if the law's title reminds you of the California Consumer Privacy Act; Canadian Minister of Innovation, Science and Industry Navdeep Bains, in his briefing on Nov. 17, 2020, referred to it directly, saying that our law would be stronger than California's. These are some of the key features of the reforms.
- Privacy management program: Section 9 requires organizations to maintain a privacy management program setting out the policies, practices and procedures the organization follows to protect personal information, handle privacy complaints, train personnel and explain its policies and procedures to the public. The act also gives the Office of the Privacy Commissioner of Canada access to those policies, practices and procedures on request.
- Appropriateness: Credit to Valencia IIP Advisors Managing Director of Privacy Michael Power for pointing this out: while there are no provisions explicitly addressing privacy impact assessment or privacy by design, Section 12 sets out factors for determining whether a purpose for collecting, using or disclosing personal information is appropriate, including whether the loss of privacy is proportionate to the benefits once the organization's mitigating measures are taken into account.
- Meaningful consent: PIPEDA was already a consent-based regime. The new act codifies the elements of valid consent drawn from the privacy commissioners' guidance, which has made clear that their approach to consent mirrors the one taken under the GDPR. It also removes the burden of obtaining consent in situations where doing so would provide no meaningful privacy protection.
- Legitimate interests: Section 18 codifies a set of business activities for which an organization does not have to rely on consent, provided a reasonable person would expect the collection or use and it is not done to influence the individual's behaviour or decisions. Examples include activities necessary to deliver a product or service the individual has requested and activities necessary for the organization's information, system or network security.
- Automated decision-making: PIPEDA was ill-suited to address automated or algorithmic decision-making. The CPPA provides for algorithmic transparency, requiring organizations to describe their use of automated decision systems, and gives individuals the right to an explanation of how a prediction, recommendation or decision about them was made by such a system.
- Deidentified information: PIPEDA’s definition of personal information as being “information about an identifiable individual” has presented challenges in the era of Big Data. The proposed legislation takes a more risk-based approach, allowing for the use of deidentified information and clarifying when it can be used without consent.
- Data portability/mobility: Individuals would be given the right to transfer their data from one organization to another. Also, there is the concept of "data mobility frameworks" to be approved by regulation as secure mechanisms for enabling mobility.
- Right to erasure: Discussed during Bains’ briefing, the CPPA will permit individuals to require organizations, including social media companies, to delete data and allow individuals to withdraw consent for the use of their information.
- Enhanced enforcement and oversight: Those familiar with PIPEDA are aware of the OPC's limited enforcement powers under that law. The OPC currently operates largely as an ombudsman: it can investigate and report on complaints, make recommendations and enter into compliance agreements with organizations, but it has no power to levy fines. The CPPA remedies this by giving the OPC order-making powers, including the power to order an organization to stop collecting, using or disclosing personal information, and by allowing it to recommend administrative monetary penalties, which the new tribunal would impose.
- As mentioned above, the Personal Information and Data Protection Tribunal would potentially be a quicker and less formal path than the courts: it hears appeals from the OPC's findings and orders and decides on the penalties the OPC recommends. The OPC's orders would be given the same effect as an order of the Federal Court.
- Administrative monetary penalties could be imposed on noncompliant organizations of up to the higher of 3% of global revenue or C$10 million (approximately US$7.6 million). The draft legislation also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of the higher of 5% of global revenue or C$25 million (approximately US$19 million).
- Codes of practice and certification: The CPPA would permit the approval of codes of practice and certification programs for particular activities and sectors, and it provides certain protections to participants in relation to complaints and orders.
- A private right of action: Individuals would be able to sue for damages for a privacy violation once the OPC has found that the organization contravened the act and that finding has either gone unappealed or been upheld by the tribunal. It is worth noting that compensable harm under Canadian law is not limited to financial harm; what remains open is how this may play out in a class proceeding context.
- Transfers to service providers: The consent questions that arose from the OPC's Equifax findings are resolved by providing that consent is not required when personal information is transferred to a service provider for processing (s. 19).
What remains to be seen now is how this new legislation will (or won’t) integrate with provincial laws. Quebec has tabled changes to make its law very GDPR-like; British Columbia, before its recent election, was also considering changes; and Alberta recently announced plans to update its health privacy law.
Ontario also initiated consultations in the late summer on a possible private-sector privacy law of its own. A major challenge for any federal system is how to respect the constitutional division of powers while providing a national framework that supports interprovincial trade and consistency. Thanks to the work of our commissioners and our principles-based laws, we have had remarkable consistency in the interpretation and application of privacy laws across Canada. Given this history, there is likely little appetite for a complex, patchwork approach, particularly in the current economic climate.
Another significant hurdle we will have to address is the question of EU adequacy. Bains touched on this in his briefing by discussing interoperability with the GDPR and the need to retain adequacy. Many of the issues that "Schrems II" raised in relation to the EU-U.S. Privacy Shield are not quite so serious for Canada to overcome, but they must still be addressed.
This story is, of course, far from over, and we are only at the beginning of serious discussions on how to structure privacy in Canada’s federal system and meet the CPPA’s many goals. But one thing is certain: If and when the Digital Charter Implementation Act receives royal assent, it will fundamentally change the privacy landscape in Canada from coast to coast to coast.