The Canadian government tabled draft legislation on November 17 that would make significant changes to the federal private sector privacy landscape. Bill C-11, the Digital Charter Implementation Act (DCIA), would replace Part 1 of the Personal Information Protection and Electronic Documents Act with the Consumer Privacy Protection Act (CPPA), create the Personal Information and Data Protection Tribunal Act (PIDPTA), and make minor amendments to several other laws.
The CPPA encapsulates the most fundamental aspects of Part 1 of PIPEDA, as it remains focused on providing individuals with control over how their personal information is collected, used and disclosed by organizations in the course of commercial activity. However, there are several important changes in both form and substance.
First, federal privacy law would exist in a standalone act, no longer bound to other, unrelated parts dealing with electronic documents. And, although the CPPA remains rooted in the ten privacy principles, unlike PIPEDA, it does not incorporate wholesale and build on the Canadian Standards Association Model Code for the Protection of Personal Information (which was an unusual way to draft a law).
In terms of substance, here are some of the most important changes:
- Privacy management program. Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect personal information, deal with privacy complaints, train personnel, and develop materials to explain an organization’s policies, practices and procedures. The Office of the Privacy Commissioner (OPC) would be authorized to demand access to these policies at any time.
- Appropriateness. The CPPA incorporates and builds on the “reasonable purposes” clause of PIPEDA with a more comprehensive standard for when it is appropriate to process personal information.
- Exceptions for business activities. The CPPA defines a list of “business activities” for which an organization can process personal information without consent.
- Transfers to service providers. The CPPA would firmly establish that knowledge and consent are not required to transfer personal information to a service provider. It also helpfully clarifies when an organization is considered to have control over personal information.
- De-identified information. The CPPA defines circumstances in which de-identified information can be processed.
- Automated decision-making. If an organization uses an “automated decision system” to make a prediction, recommendation or decision about a person, the organization would be required to, on request, explain the prediction, recommendation or decision, and how the personal information used to make the prediction, recommendation or decision was obtained.
- Data mobility. Individuals would have the right to transfer their data between organizations if those organizations are subject to a “data mobility framework” defined in regulation.
- Disposal of data: The CPPA would provide individuals with an explicit right to request the deletion of their personal information.
- Revised OPC powers. The OPC would have the authority to make orders requiring compliance with the Act and to recommend penalties.
- Tribunal. The new Personal Information and Data Protection Tribunal would hear appeals from OPC orders. It would also have the ability to impose penalties, if recommended by the OPC.
- Penalties. The CPPA provides for maximum penalties of up to 3% of global revenue or C$10 million for most contraventions, and up to 5% of global revenue or C$25 million for certain offences.
- Codes of practice and certification. The CPPA would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.
- Private right of action. Individuals affected by contraventions of the law would have a right to sue for actual damages suffered. This right would only be available following an OPC finding that a contravention had occurred, which is not successfully appealed to the tribunal.
The DCIA would create the most significant change in Canadian privacy legislation in 20 years, aligning federal private sector privacy law – which applies throughout the country except in Alberta, British Columbia and Quebec – more closely with the EU General Data Protection Regulation. However, Bill C-11 still has a long road to travel before it becomes law, which is far from certain. The federal legislative process tends to move very slowly, and with a minority government in power, a vote of non-confidence in Parliament could trigger the election of a new government, which may prefer a different route.