After a hiatus of almost two years, the Canadian Government has finally recommenced its long-awaited overhaul of existing federal private sector privacy legislation. On June 16, 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, known as the Digital Charter Implementation Act, 2022 (“Bill C-27”), received its first reading in Parliament. The Artificial Intelligence and Data Act is not covered in this article and will be summarized separately.
The Commissioner can also recommend to the newly established Personal Information and Data Protection Tribunal (the “Tribunal”) that it should impose financial penalties if an organization has contravened the CPPA.4 The Tribunal presides over hearings related to financial penalties recommended by the Commissioner and non-penalty related appeals.5 The Tribunal can impose administrative monetary penalties for contraventions of the CPPA up to the greater of $10,000,000 or 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.6
Moreover, the CPPA introduces new offenses with even higher financial punishments. These offenses include:
- if an organization fails to report to the Commissioner any breach of security safeguards involving personal information under its control where the breach may result in a reasonable risk of significant harm to an individual,7
- if an organization fails to keep and maintain a record of every breach of security safeguards involving personal information,8
- if an organization attempts to re-identify individuals using de-identified information not in accordance with the prescribed exceptions,9 and
- if an organization disposes of personal information after an individual has requested access to it and the individual has not exhausted the individual’s recourse under the CPPA.10
Any organization that is found guilty of any of the offenses listed above can face a fine up to the greater of $25,000,000 or 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced for indictable offenses, or $20,000,000 or 4% for summary convictions, respectively.11
Private Right of Action
The CPPA establishes a new private right of action for individuals who are affected by an act or omission by an organization that constitutes a contravention of the CPPA. The private right of action allows these individuals to sue the organization for damages for loss or injury that the individual has suffered as a result of the organization’s contravention of the CPPA. To commence this action, the Office of the Privacy Commissioner and the Tribunal must have made findings that the organization has contravened the CPPA, and the finding was not appealed to the Tribunal or the Tribunal has denied the appeal.12
Codification of the 10 Privacy Principles and New Requirements
The CPPA codifies the Ten Fair Information Principles of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) into law13 and introduces new requirements on organizations.
Every organization must implement and maintain a privacy management program, which, among other requirements, must be attuned to the volume and sensitivity of the personal information being collected, used and stored.14 These programs are reviewable by the Commissioner on request, who may provide guidance and recommend corrective measures to the organization.15
Anonymous and De-identified Information
Bill C-27 contains a revised definition of de-identified information and has added a definition of “anonymise” to distinguish between the two forms of information. “Anonymise” means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means. By contrast, “de-identify” means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. Anonymous information is not personal information;16 indeed, to anonymise personal information amounts to its disposal.17 De-identified information is always personal information except with respect to certain provisions.18
Drawing on the Commissioner’s previously published “Guidelines for obtaining meaningful consent”, the CPPA explicitly prescribes how organizations acquire valid consent. In most cases, an organization must obtain express consent from an individual and disclose the following information:
- the purposes for the collection, use or disclosure of personal information determined by the organization,
- the way in which the personal information is to be collected, used or disclosed,
- reasonably foreseeable consequences of the collection, use or disclosure of personal information when obtaining consent from an individual,
- the specific type of personal information that is to be collected, used and disclosed, and
- the names or types of third parties to which the organization may disclose personal information when obtaining consent from an individual.19
This information must be written in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.20
Bill C-27 states that the personal information of minors would be considered to be sensitive personal information.21 Consequently, according to the previous guidance of the Commissioner, organizations would require express consent to collect, use, and disclose personal information of minors.
Additionally, Bill C-27 allows organizations to collect and use personal information without the knowledge and consent of individuals if the collection and use are made for a business activity in which the organization has a legitimate interest that outweighs the potential adverse effect on the individual resulting from that collection or use.22 This new exception is subject to a reasonableness test. Organizations wishing to avail themselves of this new exception must perform assessments of how the business activity would adversely impact the individual,23 document those assessments,24 and disclose descriptions of these business activities to individuals publicly.25
Automated Decision Systems
The Bill also specifically references an organization’s privacy obligations around automated decision systems - any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other techniques. Organizations that use personal information to inform their automated decision systems to make predictions about individuals are required to:
- deliver a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them,26 and
- retain the personal information related to the decisions for a sufficient period of time to permit the individual to make a request for access27 (as described below).
Security Safeguards and Breaches of Security Safeguards
Bill C-27 has expanded the scope of security safeguards to include reasonable measures to authenticate the identity of the individual to whom the personal information relates. Furthermore, the Bill confirms that organizations must protect personal information through physical, organizational and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information. In addition to the sensitivity of the information, the organization must, in establishing its security safeguards, take into account the quantity, distribution, format and method of storage of the information. The security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification and must include reasonable measures to authenticate the identity of the individual to whom the personal information relates.
Under the CPPA, organizations have control over personal information even when a service provider collects, uses, and discloses the personal information on the organization’s behalf.28 The new Bill C-27 requires organizations to ensure, by contract or otherwise, that the service provider provides an “equivalent” level of protection, rather than “substantially similar” protection, the baseline protection used under Bill C-11.29 The change from “substantially similar” to “equivalent” seems to suggest that Bill C-27 is endeavouring to impose a stronger or less flexible standard on organizations that use service providers.
“Service provider” is now broadly defined under the Bill as an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.
In addition, service providers now have an obligation to maintain adequate security safeguards to protect personal information and to inform the organization that controls the personal information of any breach of the service provider’s security safeguards as soon as feasible.30 If a service provider violates the latter, the Tribunal may impose an administrative monetary penalty as described above.31
Codes of Practice and Certification Programs
The CPPA allows the Commissioner to approve and certify codes of practice and certification programs designed by non-governmental entities. These codes and certifications must offer substantially the same or greater protection of personal information as that provided under the CPPA. However, the organizations that comply with these codes of practice or certification programs must still meet their obligations under the CPPA.32
New Rights for Individuals
In addition to codifying the information rights for individuals discussed in the PIPEDA’s Fair Information Principles,33 the CPPA establishes three new rights for individuals regarding their personal information:
- Data mobility rights: individuals can request an organization to directly transfer their personal information from one organization to another (subject to both organizations being part of a data portability framework),34
- Transparency and explanation rights: individuals can request an explanation from organizations that use automated decision systems using the individual’s personal information to make a prediction, recommendation or decision about the individual that could have a significant impact on the individual,35 and
- Disposal rights: individuals can request that an organization dispose of their personal information in specific circumstances.36 Under the proposed Act, “dispose” means the organization will be responsible for permanently and irreversibly deleting the personal information or anonymizing it, as defined under the Act.
However, these rights do not extend to de-identified information derived from an individual’s personal information.37
While this is only the first reading of Bill C-27, we anticipate that the second reading will happen shortly, with debates and committee review to follow, which may result in additional changes to the draft Bill. Ensure that you subscribe to our legal updates to get the latest on Bill C-27 and related privacy/technology legislation.
For more information about Bill C-27, please contact a member of Torkin Manes’ Technology, Privacy & Data Management Group.
1 An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts also known as the Digital Charter Implementation Act, 2020.
5 The Personal Information and Data Protection Tribunal Act (“PIDPTA”). See PIDPTA, s. 5.
7 CPPA, s. 58(1) and 128.
8 CPPA, s. 60(1) and 128.
13 The Ten Fair Information Principles are as follows: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance.
30 CPPA, s. 57(1) and 61.
33 The right to withdraw consent from a provider to collect, use, and disclose their personal information, and to access and correct their personal information.
35 CPPA, s. 63(3). Bill C-27 limits this right to decisions that could have a significant impact on the individual. Moreover, organizations no longer need to account for how the prediction, recommendation or decision was arrived at but instead must only explain the reasons or principal factors that led to the prediction, recommendation or decision.
36 CPPA, s. 55(1). Bill C-27 narrows this right to three specific circumstances: (i) the information was collected, used or disclosed in contravention of the CPPA; (ii) the individual has withdrawn consent in whole or in part to the collection, use or disclosure of their personal information; or (iii) the information is no longer necessary for the continued provision of a product or service requested by the individual. Bill C-27 also expands the exceptions contained in Bill C-11 for organizations to deny disposal requests.