On June 16, 2022, Bill C-27, the Digital Charter Implementation Act, 2022, was introduced and received first reading in the House of Commons. Bill C-27 is in fact a second attempt at the overhaul of Canada’s federal privacy framework—as you may recall, I wrote about the previous attempt, Bill C-11, here.
Bill C-11 died on the order paper in 2021 before the federal election. Bill C-27 was recently re-introduced in Parliament by the Government of Canada to create a new statutory framework governing personal information practices in the private sector.
Bill C-27 would create three new statutes:
- Consumer Privacy Protection Act (CPPA): this would repeal and replace the privacy framework in PIPEDA
- Personal Information and Data Protection Tribunal Act (PIDPTA): this would create an administrative tribunal to review certain decisions made by the Privacy Commissioner of Canada (Commissioner) and impose penalties for contraventions of CPPA, and
- Artificial Intelligence and Data Act (AIDA): this would create a risk-based approach to regulating trade and commerce in AI systems
Essentially, both CPPA and PIDPTA look familiar, as they are updated (with a few modifications) from Bill C-11; on the other hand, AIDA is completely new. And the parts of PIPEDA having to do with electronic documents would survive separately as Electronic Documents Act.
While much of Bill C-27 is recognizable from Bill C-11, it is worth touching on some of the highlights of CPPA and PIDPTA (the focus of this article):
- The new tribunal would be able to impose (on recommendation by the Commissioner, or on its own findings on appeal) significant administrative penalties and fines for violations of CPPA (up to the greater of $10,000,000 and three percent of the organization’s gross global revenue).
- For certain offences involving more serious misconduct, there could be a fine of up to the higher of $25,000,000 and five percent of the organization’s gross global revenue in its previous financial year. These offences would be prosecuted by the Attorney General of Canada, and could include: knowingly contravening the breach reporting and notification requirements; knowingly contravening the requirement to retain personal information that is subject to an access request; knowingly using de-identified information to identify an individual; knowingly contravening a compliance order issued by the Commissioner; and obstructing the Commissioner in the investigation of a complaint, in conducting an inquiry or in carrying out an audit.
- The Commissioner would, in addition to keeping current powers, have new powers to make orders, including orders requiring an organization to take measures to comply with CPPA, to stop doing something that is in contravention of CPPA, to comply with a compliance agreement, and to make public any measures taken to correct its policies, practices or procedures. Organizations would be able to appeal a compliance order to the tribunal (if the compliance order is not appealed, it would be enforceable in the same manner as an order of the Federal Court).
- There would be a private right of action for individuals, under which an individual could claim damages for loss or injury suffered as a result of an offence or contravention (this would apply only if an organization is convicted of an offence under CPPA or is found to have contravened CPPA).
- There would be provisions allowing for the creation of codes of practice and certification programs to encourage voluntary practices that favour privacy protection. Any organization would be able to seek the Commissioner’s approval of a code of practice or certification program, and organizations could then choose to voluntarily comply with it.
- There would be a requirement that each organization implement and maintain a privacy management program containing the policies, practices and procedures that the organization uses to fulfil its CPPA obligations. The program must address the protection of personal information, the handling of inquiries and complaints, the training of staff on policies and procedures, and the development of materials to explain the policies and procedures. When developing their privacy management programs, organizations must consider the volume and sensitivity of the personal information under their control. Organizations would also have to give the Commissioner access to their policies, practices and procedures upon request; the Commissioner may subsequently provide guidance on them or recommend that corrective measures be taken.
- There would be provisions requiring organizations to identify and record each of the purposes for which they collect, use or disclose any personal information, at or before the time of collection. If the organization determines that the personal information collected is to be used or disclosed for a new purpose, it would have to record that new purpose before using or disclosing the information for that purpose.
- There would be several changes regarding consent. For example, there would be a confirmation that express consent is the main form of required consent and that information must be provided in plain language that the individual would reasonably be able to understand. Organizations may rely on implied consent if doing so is “appropriate” in the circumstances, having regard to the reasonable expectations of the individual and the sensitivity of the personal information. A consent exception for specified business activities would be introduced, including an exception for certain processing operations carried out for the purpose of an activity in which the organization has a legitimate interest. There would also be consent exceptions for de-identified information, namely the socially beneficial purposes exception and the internal research, analysis and development exception. Finally, there would be added protection of minors with regard to consent.
- An inclusion of the “reasonable person” test—organizations may collect, use, or disclose personal information only in a manner and for the purposes that a reasonable person would consider appropriate in the circumstances (whether or not consent is required).
- The creation of individual rights including: the right to data portability (the right to obtain personal information in a useable format from certain organizations established by regulation); the right of disposal (the limited right to have personal information deleted by an organization); the right to be informed of automated decision-making systems (the right to receive an explanation about the use of an automated decision system to make a prediction, recommendation or decision about individuals that could have a significant impact on them).
- There would be provisions enabling organizations to store and access personal information outside Canada. Organizations must also ensure that their service providers provide a level of protection equivalent to that which the organization is itself required to provide under the statute.
- Security safeguards would have to include reasonable measures to authenticate the identity of the individual to whom the personal information relates.
- There would be some new definitions. To “de-identify” would mean to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. To “anonymize” would mean to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means. And, there would be a provision stating that CPPA would not apply to personal information that has been anonymized. Lastly, there would be a prohibition on re-identifying de-identified information. That said, organizations would be allowed to request the Commissioner’s authorization to re-identify an individual based on de-identified information, if the Commissioner believes it is clearly in the interests of the individual.
As mentioned above, AIDA would constitute a significant change since Bill C-11. I will discuss these changes in my next post.