And then it grew teeth: Canada’s privacy law gets enforcement-laden overhaul
If passed in its current form, the DCIA will replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by preserving the Electronic Documents part (and rehousing it within the newly created Electronic Documents Act), peeling out and replacing the remainder of PIPEDA as a new federal statute, the Consumer Privacy Protection Act (the “CPPA”), and establishing a new Personal Information and Data Protection Tribunal (the “Tribunal”) under the Personal Information and Data Protection Tribunal Act (the “Tribunal Act”).
The DCIA is intended to modernize the framework for the protection of personal information in the Canadian private sector, and appears to borrow key concepts from the European Union’s General Data Protection Regulation (the “GDPR”) and the California Consumer Privacy Act (the “CCPA”), while retaining the core of existing federal privacy law in Canada.
As currently proposed, highlights of the DCIA include:
- The Office of the Privacy Commissioner of Canada (the “Commissioner”) will continue to oversee organizations’ compliance with privacy law but will now have the power to issue orders and make recommendations for administrative monetary penalties (“AMPs”) up to 3% of global revenue or $10 million for non-compliant organizations, and an expanded range of serious contravention offences with AMPs up to 5% of global revenue or $25 million.
- The Tribunal, made up of 3-6 members appointed by the Governor in Council, will be granted the authority to levy AMPs, based upon the recommendations of the Commissioner, and hear appeals of the orders of the Commissioner.
- New rights for consumers including: data portability rights, transparency requirements for “automated decision systems”, de-identification rights, and disposal rights.
- A private right of action for breaches of the statute that are found and not overturned by the new Tribunal, although the proposed statute does not purport (so far) to provide for statutory damages.
- An individual’s prior informed consent is now required “for the collection, use or disclosure” of personal information unless one of the exemptions applies. See the proposed changes analysis section of this article for a detailed summary and analysis of such exemptions.
- Informed consent requires that the individual was provided with plain language details regarding the types of personal information to be collected, used, or disclosed and the purposes, means, and reasonably foreseeable consequences of such collection, use and disclosure.
Over the coming months, our Privacy, Data Protection and Access to Information team will be keeping close tabs on the parliamentary journey of the CPPA and will be providing regular updates on its development as it moves through second reading and the committee process. In the interim, businesses are encouraged to be proactive in reviewing the proposed legislation and their current privacy practices to get a jump start on any significant changes that may be required as a result of the CPPA. If you or your business would like to discuss these potential changes and how we may be able to assist, please do not hesitate to contact the authors or any member of the DLA Piper team.
Proposed Changes Analysis
What follows is a deeper dive into some of the changes proposed in the current draft of the CPPA including analysis on consent requirements, the application of the CPPA, legislative mechanics, and a brief historical background on the development of the CPPA.
Consent
The consent provisions of CPPA merit special review, because CPPA essentially re-writes what is currently enunciated as a loose “principle” of consent set out in Schedule 1 to PIPEDA. Under the CPPA, consent to collect, use or disclose personal information must be obtained in advance and the individual must be provided with the following information in plain language:
- the purpose of the collection, use or disclosure;
- the way it will be collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure;
- the specific type of information to be collected, used or disclosed; and
- the names of any third parties or types of third parties to whom disclosure may be made.
Whereas PIPEDA’s principles expressed that “an organization should generally seek express consent when the information is likely to be considered sensitive”, CPPA states that consent must be expressly obtained unless the organization establishes that it can rely on implied consent, taking into account reasonable expectations of the individual and the sensitivity of the information. This means express consent will be the “default” rule. Individuals continue to be able to withdraw their consent “on giving reasonable notice to an organization”, after which the organization must “as soon as feasible after that” cease collecting, using or disclosing the personal information.
There are a number of exceptions to the consent requirements, as might be expected, some of which (it’s a long list!) are summarized below. Please note that while some of these are carry-overs from PIPEDA, they are more prescriptively described in the CPPA:
- if a reasonable person would expect collection or use as part of an activity, as long as:
  i. the activity is necessary to deliver a requested product or service, carried out to reduce commercial risk or exercise due diligence, necessary for information, system or network security, or necessary for product or service safety; or
  ii. consent is not practical because the organization does not have a direct relationship with the individual.
  However, this exemption only applies if the information will not be used for the purpose of influencing the individual’s behavior and decisions (think targeted advertising);
- for a transfer to a service provider (however, there are obligations for an organization to ensure privacy and security for the personal information);
- for internal research and development (if the information is de-identified);
- if used and disclosed for a potential business transaction (other than one where the primary purpose is getting access to personal information), as long as the information is de-identified (note: this is a new requirement) and the organizations have an agreement in place to:
  i. appropriately treat the information as confidential;
  ii. return it if the transaction does not proceed; and
  iii. only disclose that which is necessary to determine whether to proceed and, if so, complete the transaction;
- if used and disclosed for a completed transaction pursuant to the requirements above, provided that one of the parties to the completed transaction notifies the affected individuals that their information was disclosed within a reasonable time;
- collection, use or disclosure in the course of employment, business or profession if the collection is consistent with the purposes for which it was produced;
- managing an employment relationship in a federal work, undertaking or business;
- disclosure for legal process purposes (getting legal advice; witness statements; prevention, detection or suppression of fraud; debt collection; emergency uses that threaten life, health or security; conducting investigations where consent would compromise the investigation; lawful government requests; etc.);
- certain “public interest” purposes including:
  i. acting in respect of an emergency that threatens the life, health or security of any individual;
  ii. disclosures to a government institution for victims of financial abuse;
  iii. communication with next of kin, or identifying injured or ill individuals;
  iv. statistical or scholarly research;
  v. disclosures of records to organizations documenting historic or archival importance; or
  vi. journalistic, artistic, or literary purposes;
- disclosure after 100 years of the personal information’s creation (though one might question why a private organization retained personal information for that long…) or 20 years after the death of an individual; and
- a new permitted disclosure for “socially beneficial purposes” relating to:
  i. health;
  ii. the provision or improvement of public amenities or infrastructure;
  iii. the protection of the environment; or
  iv. any other prescribed purpose;
  however, only if the disclosure is made on a de-identified basis to governments, health care, post-secondary educational, public libraries or other prescribed institutions.
Application
The application of the CPPA is essentially the same as the application of PIPEDA; it will apply to every organization in respect of personal information that:
- the organization collects, uses or discloses in the course of commercial activities; or
- is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
As with PIPEDA, the constitutional separation of powers in Canada prevents the CPPA from applying where there is substantially similar provincial legislation: the Governor in Council may, by order, if satisfied that the legislation of a province that “is substantially similar to this Act” applies to an organization, activity or group of them, exempt them from the application of the CPPA for matters within that province (for example, provincial health privacy statutes, or statutes such as British Columbia’s and Alberta’s privacy legislation and Québec’s Act respecting the protection of personal information in the private sector). The CPPA clarifies that it will apply in respect of personal information:
- that is collected, used or disclosed inter-provincially or internationally by an organization; or
- that is collected, used or disclosed by an organization within a province, to the extent that the organization is not exempt from the application of this Act under an order made by the Governor in Council (although, for constitutional reasons, the CPPA, like PIPEDA, cannot apply to employees’ personal information in provincially-regulated businesses).
Mechanics
Under the DCIA, Part 1 of PIPEDA will be repealed. Part 1 of PIPEDA: (a) contains the “guts” of the restrictions on an organization’s collection, use and disclosure of personal information; (b) incorporates Schedule 1 (the Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96); (c) provides for exceptions from the general obligation to obtain prior consent for the collection, use or disclosure of personal information; (d) sets out the right of access and correction to one’s own personal information; and (e) sets out the powers of the Privacy Commissioner of Canada (for example, to review decisions made by organizations under PIPEDA, to investigate complaints of a breach of PIPEDA and to issue findings and recommendations in connection with complaints). The repealed part of PIPEDA would be replaced by the substantive provisions of the CPPA.
Part 2 of PIPEDA, entitled “Electronic Documents”, will be all that remains, and thus the name of PIPEDA will become the “Electronic Documents Act”, with some amendments.
Parts 3, 4, and 5 of PIPEDA, which deal with amendments to the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act, are also correspondingly included within the DCIA.
History of these Amendments
Back in June of 2015, the Digital Privacy Act was enacted in Canada, which gave PIPEDA a “makeover”, but did not repeal large parts of PIPEDA, or add any significant penalties or order-making powers to what remained fairly toothless legislation. PIPEDA did allow for the Commissioner to seek a Federal Court ruling if an organization refused to follow the Commissioner’s recommendations, but this rarely happened in practice. Instead, the main change in PIPEDA brought about by the Digital Privacy Act was a new requirement for reporting (to federal regulators) and notification (of affected individuals) of information security breaches which meet a “real risk of significant harm” test.
On May 21, 2019, the Minister announced ten principles for “Canada’s Digital Charter” and indicated that changes would be coming to PIPEDA, in line with those principles. The ten principles of “Canada’s Digital Charter” were identified as:
- Universal Access
- Safety and Security
- Control and Consent
- Transparency, Portability and Interoperability
- Open and Modern Digital Government
- A Level Playing Field
- Data and Digital for Good
- Strong Democracy
- Free from Hate and Violent Extremism
- Strong Enforcement and Real Accountability
It was originally expected that the proposed amendments to PIPEDA would be tabled sometime in early 2020, but the Covid-19 pandemic, of course, intervened. For the past month or so, there has been much discussion about a federal privacy bill being introduced in Parliament but until Tuesday, no draft of the legislation was made available.
Conclusion
As noted above, privacy law in Canada is likely to change significantly relatively soon. Please stay tuned for more updates from DLA Piper’s Privacy, Data Protection, and Access to Information team as new information about the CPPA and the DCIA is made available to the public.
This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.