(Gale-force) winds sweeping the Canadian privacy landscape
How will Bill C-11 change the way organizations process personal information?
Article by Laila Paszti, John Cassell, Julie Himo, Alexis Kerr, Sara A. Levine, QC – Norton Rose Fulbright
New privacy legislation proposed by the federal government will usher in sweeping changes on how Canadian organizations collect, use, disclose and retain personal information. Organizations will face enhanced scrutiny on how they process personal information and will be required to comply with new privacy obligations. Non-compliance may be subject to corrective orders and may be punishable by administrative monetary penalties of the greater of up to 5% of global revenue or Cdn $25 million.
On November 17, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020, which enacts the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act and makes related amendments to other acts.
Bill C-11 seeks to enact significant changes to Part 1 of Canada’s existing federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). It is expected that amendments to the Bill may be proposed as it makes its way through the parliamentary process.
Fundamental shift in enforcement
Significantly, Bill C-11, as drafted, will fundamentally change the current enforcement model under PIPEDA by granting the Privacy Commissioner of Canada (OPC) significant order-making power and the authority to recommend the imposition of administrative monetary penalties. Bill C-11 will also create a new Personal Information and Data Protection Tribunal to hear appeals from orders made by the OPC, and to determine and impose on organizations any administrative monetary penalties recommended by the OPC. Individuals will also have a private right of action for actual damages suffered.
Consent and proposed exemptions
While these proposed amendments to the enforcement model certainly up the compliance ante for organizations, Bill C-11 also proposes certain important amendments to the existing consent model under PIPEDA. Bill C-11 will do away with the requirement for individual knowledge and consent as a precondition to engaging in certain enumerated business activities that should be obvious to the reasonable individual, as well as for certain socially beneficial purposes. The Bill also clarifies that the transfer of personal information by an organization to its service provider may be done without individual knowledge or consent.
For organizations wanting to get a head start on the impending law, below are elements of the CPPA that an organization may need to consider in terms of making adjustments to its privacy compliance program. This is by no means intended to be an exhaustive list. In addition, the specific elements an organization will need to consider will depend on the scope and reasons for collecting, using and processing personal information:
- Review your breach response plan. While the mandatory breach reporting obligations in the CPPA are generally in line with those in PIPEDA, the OPC will have greater powers of investigation and the potential consequences of violating those obligations are far more significant. For example, any organization that knowingly violates its breach reporting obligations may be liable to a fine that is the greater of up to 5% of global revenue or $25 million. Companies will want to review their breach response plans in the face of enhanced scrutiny and harsh fines. (Organizations may also want to consider our previous update on breach response planning.)
- Implement a privacy management program. The CPPA will require organizations to implement a privacy management program that includes its policies, practices and procedures, taking into account the volume and sensitivity of personal information under its control. While PIPEDA had a similar requirement to implement policies and practices, Bill C-11 contemplates a more formal and rigorous program.
- Review privacy policies and notices. The CPPA will require organizations to use “plain language” in their privacy policies, consent notices, etc. (which was not an express requirement under PIPEDA) while setting out prescribed information about the processing of personal information to ensure that such processing is done transparently.
- Assess whether the organization can deliver new individual privacy rights. The CPPA offers privacy rights that mirror those of gold standard privacy legislation such as Europe’s General Data Protection Regulation (GDPR), including (i) the right to transfer personal information from one organization to another (“the right to portability”), and (ii) the right to have an organization delete personal information it holds about the individual, subject to exceptions. In the world of artificial intelligence and big data, the CPPA grants individuals broad rights to an explanation of how an automated decision-making system reaches a prediction, decision or recommendation about the consumer. However, it is organizations that are responsible for the processes that give effect to those privacy rights. This may require an organization to review its processes and procedures to determine whether it can operationally give effect to those rights (e.g., with respect to the use of particular AI such as neural networks), and whether this can be done in an efficient and cost-effective manner.
This long-anticipated Bill seeks to usher in privacy legislation in Canada that is comparable to the most stringent global privacy regimes such as the GDPR and the California Consumer Privacy Act. There are, however, certain key differences in how privacy rights are affected.
While Industry Canada has indicated in its technical briefings on Bill C-11 that there will be some grace period between royal assent and entry into force of the new legislation, a best practice that organizations adopted when preparing for compliance with the GDPR and CCPA is also recommended here: compliance efforts are best started early, to avoid a rush to review and revise the policies, processes and procedures needed to meet what are expected to become the new requirements. In a nutshell, it is not too early to engage with the new Bill C-11.