On November 17, 2020, the Minister of Innovation, Science and Industry, The Honourable Navdeep Bains, introduced Bill C-11 – the Digital Charter Implementation Act, 2020. This bill introduces new privacy legislation for private sector organizations that are currently governed by the Personal Information Protection and Electronic Documents Act.
If passed, the Consumer Privacy Protection Act (CPPA) would come into effect. This legislation sets out, much more clearly, the privacy and information security obligations that Canadian businesses must meet. The Minister heralded the CPPA as increasing control and transparency for consumers when their personal information is handled by an organization.
The key highlights of the Consumer Privacy Protection Act include:
- Privacy management program. Every organization must implement a privacy management program that includes the organization’s policies, practices and procedures respecting the protection of personal information; how requests for information and complaints are received and dealt with; the training and information provided to the organization’s staff respecting its policies, practices and procedures; and the development of materials to explain the organization’s policies and procedures.
- Transfer of information to service providers. An organization can transfer clients’ personal information to a service provider without their knowledge and consent (however, the organization has to ensure that the service provider has substantially the same protections of personal information as the organization).
- Right to be forgotten. An individual may request, in writing, that an organization dispose of their personal information that it has collected from the individual. With limited exception, the organization is to dispose of the information as soon as feasible.
- Privacy policies and practices are to be made available in plain language.
- Algorithmic transparency. If an organization uses algorithms or artificial intelligence, on request, it must explain how a prediction, recommendation or decision about an individual was made, and how the information was obtained.
- Response to an access request. An organization must respond to an access request from an individual within 30 days, but can have a 30-day extension, after providing reasons for the need for the extension to the individual.
- Data mobility. An organization must disclose the personal information that it has collected from an individual to another organization designated by the individual, if they are both subject to the Act’s data mobility framework.
- De-identification of personal information. The de-identification measures applied to personal information must be proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.
- Expanded powers of the Privacy Commissioner. The Privacy Commissioner has the power to make orders regarding compliance with the Act. It may also recommend that a penalty be imposed by the newly created Information and Data Protection Tribunal if certain provisions of the Act are contravened.
- New right of action. An individual affected by an act or omission of an organization that contravenes the CPPA has a cause of action against the organization for damages for loss or injury suffered as a result of the contravention. To commence this action, the Office of the Privacy Commissioner and the Personal Information and Data Protection Tribunal must have made findings that the organization contravened the CPPA, and that finding must either not have been appealed to the Tribunal or the Tribunal must have dismissed the appeal.
- Significant fines if an organization contravenes specific sections of the Act, breaches a compliance order, or obstructs the Privacy Commissioner’s investigation of a complaint, inquiry or audit. The maximum fine is the higher of $25 million and 5% of the organization’s global gross revenue.
- Creation of the Information and Data Protection Tribunal. The Tribunal will hear appeals of the Privacy Commissioner’s findings, decisions and orders.
With a minority government in Parliament, it remains to be seen whether Bill C-11 will come into effect. Second reading occurred on November 24, 2020, and there certainly wasn’t consensus among the parties on this piece of legislation. Where there is consensus, although perhaps not in Parliament, is on the pressing need for Canada’s private sector privacy legislation to be updated to better reflect the current realities of business in a digital world.
For more information on how your business can ensure it is in compliance with the most current privacy statutory obligations, contact a member of the Lerners Privacy, Data and Information Security Group.