On November 17, 2020, Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (Bill C-11), received first reading in the House of Commons. Part 1 of Bill C-11 repeals Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and enacts the Consumer Privacy Protection Act (CPPA) to protect the personal information of individuals while recognizing the need of organizations to collect, use or disclose personal information in the course of commercial activities. Part 2 enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the CPPA and to impose penalties for the contravention of certain provisions of the CPPA.
Bill C-11 is also called the Digital Charter Implementation Act, 2020, which aims to operationalize the Digital Charter, containing these 10 principles:
- Universal Access
- Safety and Security
- Control and Consent
- Transparency, Portability and Interoperability
- Open and Modern Digital Government
- A Level Playing Field
- Data and Digital for Good
- Strong Democracy
- Free from Hate and Violent Extremism
- Strong Enforcement and Real Accountability
As can be seen from the fact sheet relating to the Digital Charter, there is a clear intention to keep pace with other countries that are taking aggressive action to support trust and privacy, while simultaneously allowing innovation that promotes a strong economy.
Here are a few of the main changes that would be in Bill C-11:
- An emphasis on tougher penalties that carry more severe consequences. A newly created Tribunal would be able to impose, upon the recommendation of the Privacy Commissioner of Canada, a monetary penalty of the higher of $10,000,000 and three percent of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed. There are further, more serious offences that would lead to the imposition of a fine of a maximum of the higher of $25,000,000 and five percent of the organization’s gross global revenue in its previous financial year (prosecuted by the Attorney General of Canada). One example would be a situation where an organization fails to report to the Commissioner any breach of security safeguards; another example would be where an organization fails to keep and maintain a record of every breach of security safeguards involving personal information under its control. Organizations should also note that there would be a right of action created for individuals, where it could be possible for individuals to bring a claim against an organization for damages for loss or injury suffered as a result of a contravention.
- New consumer rights. There would be a new right to receive an explanation about the use of an automated decision system to make a prediction, recommendation or decision about an individual, and of how the personal information was used. In addition, there would be a right for individuals to have their personal information disposed of on request, where “disposal” would mean the permanent and irreversible deletion of personal information. And where the organization has transferred the information to a service provider, it would have to inform the service provider of the disposal request and confirm that it has also disposed of the information. Moreover, there would be a right to data portability, which would allow individuals to request from organizations that their personal information be transferred to another organization that they designate if both organizations are subject to a data mobility framework (this is to be provided under the regulations).
- New responsibilities regarding consent. As you may recall, organizations would have to obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information unless otherwise provided by the law, and the individual’s consent must be obtained at or before the time of the collection of personal information. If the information is used or disclosed for a new purpose, consent would have to be sought before the information is used or disclosed for the new purpose. Moreover, when seeking consent from individuals, organizations would have to provide individuals with the following information in plain language in order for there to be meaningful consent: the purposes for the collection, use or disclosure of the personal information; the way in which the personal information is to be collected, used or disclosed; any reasonably foreseeable consequences of the collection, use or disclosure of the personal information; the specific type of personal information that is to be collected, used or disclosed; and the names of any third parties or types of third parties to which the organization may disclose the personal information. Further, consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed. And, individuals must be allowed to withdraw their consent.
What does this mean for organizations?
While Bill C-11 was only introduced on November 17, 2020, it has already gone to second reading on November 24, 2020. As can be seen from Michael Geist’s recent interview with the Innovation, Science and Industry Minister, Navdeep Bains, the plan is to move things forward to the Ethics Committee. If Bill C-11 is adopted, there would be a coming into force period of roughly 12–18 months to give organizations the time to prepare and meet the requirements, create regulations, and establish the Tribunal.
Accordingly, it is recommended that organizations take a careful look at Bill C-11 and examine their own policies and procedures to ensure that they can meet the requirements in time. When preparing, it is important for organizations to:
- Review the breach reporting and notification requirements and keep in mind the consequences for noncompliance. Given the significant fines associated with noncompliance, it would be very important to take another look at the organization’s plan for responding to breaches.
- Begin constructing a more comprehensive privacy management program. It would be necessary to set out the details, some of which include the organization’s policies, practices, and procedures regarding: the protection of personal information; how requests for information and complaints are received and dealt with; the training and information provided to the organization’s staff respecting its policies, practices and procedures; and the development of materials to explain the organization’s policies and procedures put in place to fulfil its privacy obligations. In fact, although it is not yet clear how (it would have to be in the manner provided by the regulations), organizations would be able to apply to the Privacy Commissioner for approval of a code of practice or certification program; the Privacy Commissioner would then be able to decide whether to approve it if the Privacy Commissioner determines that it meets the criteria set out in the regulations.
- Review the organization’s policies and procedures regarding consent requests. Organizations would need to be able to express themselves in plain language so that consumers can clearly understand what is being asked of them when they are trying to make meaningful decisions about whether they agree to certain terms. Moreover, organizations would also have to allow individuals to withdraw their consent in respect of the use of their personal information.
- Prepare for new consumer rights. It would be important for organizations to embrace and be ready to comply with the new consumer rights mentioned above.
- Ensure that the organization’s processes for using or disclosing de-identified data without consent comply with the specific provisions. There are certain situations where organizations would be able to use and disclose de-identified data without the consent of individuals. One example is where organizations would be able to disclose de-identified data to public entities in some cases for socially beneficial purposes. A “socially beneficial purpose” would mean a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment, or any other prescribed purpose.
- Be clear on what happens when data is transferred to a service provider. Organizations are accountable for personal information that is under their control, and this control remains with the organization even where the information has been transferred to a service provider.
- Be aware of the consent exceptions. For instance, there would be a new consent exception where organizations would be able to collect or use individuals’ personal information without their knowledge or consent if: it is made for a certain business activity (necessary to provide or deliver a product or service that the individual has requested; carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk; necessary for the organization’s information, system, or network security; necessary for the safety of a product or service that the organization provides or delivers; in the course of which obtaining the individual’s consent would be impracticable because there is no direct relationship with the individuals; or any other prescribed activity); a reasonable person would expect such a collection or use for that activity; and the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions. It is also important to note that organizations may transfer an individual’s personal information to a service provider without their knowledge or consent.