On June 16, 2022, the federal government introduced Bill C-27, the Digital Charter Implementation Act, to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
Here I’m going to focus solely on the implementation of the Consumer Privacy Protection Act or CPPA, which sets out the privacy obligations of private sector organizations and the powers of the Privacy Commissioner.
The CPPA responds to the need to modernize Canada's private sector privacy framework, currently found in Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). It makes clear that the economic interests of Canadian businesses are to be balanced against the protection of individuals' privacy.
Following are some of the important considerations that business owners need to be aware of moving forward under this new regime.
Anonymized versus de-identified information.
The CPPA distinguishes anonymized information (personal information irreversibly and permanently modified, in accordance with generally accepted best practices, so that no individual can be identified from it, whether directly or indirectly, by any means) from de-identified information (personal information modified so that an individual cannot be directly identified from it, though a risk of identification remains). Anonymized information is exempt from the application of the CPPA; de-identified information is not.
Privacy management program.
Every organization must have a program that includes policies, practices, and procedures respecting the protection of personal information. This includes: how requests for information and complaints are received and dealt with; training and information provided to the organization’s staff respecting its policies, practices and procedures; and the development of materials to explain the organization’s policies and procedures. In developing a compliant program, an organization must consider the volume and sensitivity of the personal information under its control. Organizations are required to provide access to their privacy management programs on request to the Privacy Commissioner.
Transferring information to service providers.
Organizations may transfer personal information to a service provider if they ensure that the service provider gives the information substantially the same protection that the organization is required to give it under the act. The most common means to effect this will be a contract, but the act permits other methods.
Appropriate purposes and consent.
Whether or not consent is required, an organization may collect, use, or disclose personal information only in a manner, and for purposes, that a reasonable person would consider appropriate in the circumstances. At or before the time it collects any personal information, an organization must determine each of the purposes for which the information is to be collected, used, or disclosed, and record those purposes. (This is the closest the government comes to imposing a requirement on private businesses to conduct a privacy impact assessment.)
Unless provided otherwise in the act, an organization must obtain an individual’s valid consent for the collection, use, or disclosure of the individual’s personal information. Consent must be obtained at the time or before the personal information is collected. The CPPA provides a list of information that must be provided to the individual for consent to be valid, which includes the names of any third parties or types of third parties to which the organization may disclose the personal information.
Exceptions to consent.
The act allows an organization to collect or use an individual's personal information without their knowledge or consent if the collection or use is for a business activity listed in the legislation (including an activity necessary to provide a product or service the individual has requested, and an activity necessary for the organization's information, system or network security), a reasonable person would expect the collection or use for that activity, and the information is not collected or used for the purpose of influencing the individual's behaviour or decisions.
An organization can also collect or use an individual's personal information without their knowledge or consent for an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual, again provided that a reasonable person would expect the collection or use for that activity and it is not for the purpose of influencing the individual's behaviour or decisions. Before relying on this legitimate interest exception, the organization must identify any potential adverse effect on the individual that is likely to result, identify and take reasonable measures to reduce or mitigate it, and record its assessment.
The CPPA codifies that personal information can be transferred to a service provider without an individual’s knowledge or consent.
The right to be forgotten.
With limited exceptions, individuals have been given what the act calls a right to disposal. On written request, an individual can require an organization to dispose of their personal information, which under the act means to permanently and irreversibly delete it or to anonymize it.
Security safeguards.
An organization must protect personal information through physical, organizational, and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information. In establishing its security safeguards, the organization must take into account the quantity, distribution, format and method of storage of the information.
Automated decision systems.
If an organization uses an automated decision system to make a prediction, recommendation or decision about an individual that could have a significant impact on them, it must, on written request by the individual, provide them with an explanation of the prediction, recommendation, or decision. The explanation must include the type of personal information that was used to make the prediction, recommendation, or decision; the source of that information; and the reasons or principal factors that led to the prediction, recommendation, or decision.
Data mobility.
If two organizations are subject to a data mobility framework provided under the regulations, an individual can request that their personal information be transferred from one to the other. No guidance has yet been provided as to what types of organizations will be included in a data mobility framework.
De-identification of personal information.
Measures used to de-identify information must be proportionate to the purpose for which the information is de-identified and the sensitivity of the information. The act also prohibits an organization from using de-identified information, alone or in combination with other information, to identify an individual, with a limited exception for testing the effectiveness of the organization's own security safeguards.
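The act's distinction between de-identified and anonymized information, and its prohibition on re-identification, are easier to reason about with a concrete data set. The following Python example is added here and is not part of the act or of the original article; the records, the key, and the helper names are constructed for illustration. It removes direct identifiers and replaces them with a keyed pseudonym (de-identification), then shows the two residual risks the act's definition has in mind: the key holder can still link a row to a person, and an outsider who knows a person's postal code, birth year and sex can single them out without any key. Generalizing the quasi-identifiers and dropping the tokens shrinks that risk, measured here as k-anonymity, but whether a given data set meets the act's definition of anonymized is a legal determination that no script can make.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration only; no real individuals.
RECORDS = [
    {"name": "Ana Moreau", "email": "ana@example.org", "postal": "M5V 2T6",
     "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "Bea Singh", "email": "bea@example.org", "postal": "M5V 3L9",
     "birth_year": 1981, "sex": "F", "diagnosis": "migraine"},
    {"name": "Carl Ng", "email": "carl@example.org", "postal": "K1A 0B1",
     "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"name": "Dan Roy", "email": "dan@example.org", "postal": "K1A 1Z2",
     "birth_year": 1995, "sex": "M", "diagnosis": "eczema"},
]

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("postal", "birth_year", "sex")

# Hypothetical secret held by the organization. In practice it lives in a key
# store separate from the de-identified data set, never alongside it.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def pseudonym(key: bytes, email: str) -> str:
    """Stable keyed token for one individual (HMAC-SHA256, truncated)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(records, key):
    """Remove direct identifiers and replace them with a keyed pseudonym.

    The result is de-identified in the CPPA sense: no name can be read off a
    row, but a risk remains because (a) the key holder can reverse the link
    and (b) the quasi-identifiers may still single a person out.
    """
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["token"] = pseudonym(key, r["email"])
        out.append(row)
    return out


def generalize(records):
    """Coarsen quasi-identifiers: postal code to its forward sortation area,
    birth year to its decade. Fewer unique rows, at the cost of precision."""
    out = []
    for r in records:
        row = dict(r)
        row["postal"] = r["postal"][:3]
        row["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(row)
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier
    values. k == 1 means at least one row is unique on those columns."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


def link_with_key(records, key, email):
    """Residual risk (1): whoever holds the key can find an individual's rows.
    Doing this outside the safeguard-testing exception is what the act forbids."""
    token = pseudonym(key, email)
    return [r for r in records if r["token"] == token]


def link_without_key(records, known):
    """Residual risk (2): someone who knows a person's quasi-identifiers from
    another source matches them against the data set. No key needed."""
    return [r for r in records
            if all(r[q] == known[q] for q in QUASI_IDENTIFIERS)]


def drop_tokens(records):
    """Strip the pseudonym column before a wider release; without the token,
    nobody, key holder included, can link a row back through the HMAC."""
    return [{k: v for k, v in r.items() if k != "token"} for r in records]


if __name__ == "__main__":
    deid = de_identify(RECORDS, PSEUDONYM_KEY)
    print("k after pseudonymization only:", k_anonymity(deid))  # 1
    print("rows found by key holder:",
          link_with_key(deid, PSEUDONYM_KEY, "ana@example.org"))
    print("rows found from known quasi-identifiers:",
          link_without_key(deid, {"postal": "M5V 2T6", "birth_year": 1984, "sex": "F"}))
    released = drop_tokens(generalize(deid))
    print("k after generalization and token removal:", k_anonymity(released))  # 2
```

The point for a compliance review is that removing names and e-mail addresses is where de-identification starts, not where it ends: the key and the quasi-identifiers are both paths back to the individual, so the safeguards in the act (proportionate de-identification measures, key custody, the re-identification prohibition) have to cover both.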
Powers of the Commissioner.
Complaints may be initiated by an individual or by the Commissioner, and in most circumstances the Privacy Commissioner will investigate a complaint. After investigating, the Commissioner can initiate an inquiry, in which each party is guaranteed a right to be heard and may be represented by counsel.
After completing an inquiry, the Commissioner can recommend that the Personal Information and Data Protection Tribunal impose an administrative monetary penalty if the organization has contravened certain provisions of the CPPA.
The maximum penalty for all the contraventions in a single recommendation, taken together, is $10,000,000 or 3% of the organization's gross global revenue in the financial year preceding the one in which the penalty is imposed, whichever is higher.
Right of action.
If the Privacy Commissioner finds that an organization has contravened the CPPA, and as a result of that contravention an individual suffers a loss or injury, that individual can bring an action for damages against that organization.
Organizations are prohibited from acting against a person who notifies the Privacy Commissioner of the organization’s contravention of (or intention to contravene) the CPPA.
Offence and punishment.
Organizations that contravene certain provisions of the CPPA, or that obstruct an investigation, inquiry or audit by the Privacy Commissioner, commit an offence. On conviction on indictment, the maximum fine is $25,000,000 or 5% of the organization's gross global revenue in the financial year before the one in which it is sentenced, whichever amount is greater; on summary conviction, the maximum is $20,000,000 or 4% of that revenue.
Too far or not far enough?
The preamble to Bill C-27 states that the protection of individuals' privacy interests in their personal information is essential to individual autonomy and dignity, and to the full enjoyment of fundamental rights and freedoms in Canada. However, like its predecessor Bill C-11, it stops short of recognizing privacy as a human right. The federal government appears to be trying to balance flexibility and room for innovation for businesses with a strong privacy regime that protects the personal information of individuals.
The bottom line.
Businesses should start reviewing and adjusting their privacy management practices and policies to comply with the requirements of the CPPA. The Lerners Privacy, Information and Data Security Group is available to assist organizations with their statutory compliance.