PIPEDA Reform & Provincial Privacy Proposals
PIPEDA reform has been a long time coming.
On November 17 the federal government introduced Bill C-11, the Digital Charter Implementation Act, by which it proposes to replace PIPEDA with a new act, the Consumer Privacy Protection Act (CPPA), and to enact the Personal Information and Data Protection Tribunal Act, to create a quasi-judicial tribunal to impose monetary penalties and rule on appeals from orders by the federal Privacy Commissioner.
The government has many strong incentives, both practically and reputationally, to enhance PIPEDA. Canada must remain adequate under Europe’s General Data Protection Regulation (GDPR), and it is right to assess this area of legislation right now while other countries - and provinces - are doing the same.
This announcement by Minister Bains and Innovation, Science and Economic Development Canada (ISED), introducing Bill C-11, is tied to the “Digital Charter” announced back in May 2019. And there are significant new rights within it, such as data portability, data deletion and algorithmic transparency.
The penalties are also significant and will be determined by the new Tribunal. If, following an investigation, the Commissioner determines that a penalty should be imposed on an organization, the Commissioner must file an application with the Tribunal for an order imposing the penalty. The Tribunal, before which both the Commissioner and the organization may appear, can accept the Commissioner’s recommendation or determine that another level of penalty is appropriate. The maximum penalty is the higher of $10,000,000 and 3% of the organization’s gross global revenue. As of writing, there is no information as to who would sit on the Tribunal, but at least one of the three to six members appointed must have experience in the field of information and privacy law.
Offences, including failing to report breaches, inadequately retaining records of access requests, intentionally re-identifying individuals and breaching an order of the Commissioner, can all result in fines of up to $25,000,000 and 5% of the organization’s gross global revenue.
A private right of action is established under which anyone affected by a breach can bring a claim for actual loss or harm, but only if the Commissioner or the Tribunal has made a finding of breach, or the organization has been convicted of an offence. This new right of action may lead to class actions.
The Commissioner will be given an order-making power to require organizations to take specific steps to correct deficiencies in their practices. Orders can be appealed to the Tribunal.
Openness and transparency are featured, as they were under PIPEDA, highlighting that an organization must make readily available, in plain language, information that explains the organization’s policies and practices. This call for “plain language” notices to consumers is a long-standing need. There are creative ways organizations are already starting to do this as part of being involved in the DAAC’s program.
The role of consent has been reconfirmed and strengthened. The consent requirement is more prescriptive than under PIPEDA, requiring a disclosure closer to the GDPR standard. Consent is only valid if, in plain language, the purposes are revealed, the consequences for the collection are detailed, the types of personal information involved are described, and – this is important for DAAC program participants in particular – the names are revealed of any third parties or types of third parties to which the organization may disclose the personal information.
Implied consent is also preserved; however, it is defined more clearly (and potentially more restrictively) than under PIPEDA. Express consent is required unless it is appropriate to rely on implied consent, taking into account the individual’s reasonable expectations and the sensitivity of the information.
As under PIPEDA, organizations cannot make providing a product or service conditional on consent beyond what is necessary for the product or service. This may be a tricky area for publishers in particular.
Organizations would only be able to collect personal information that is necessary for their disclosed and recorded purposes. This is a key consideration for organizations that are using data for secondary purposes, such as building advertising profiles, that were not disclosed to the consumer at the time of collection.
The CPPA also describes the authority organizations have to de-identify data without obtaining the consent of the individual to whom the personal information relates. It remains to be determined whether de-identified data would still be considered “personal information”.
Seeking to address circumstances where express consent may be either difficult to obtain or not appropriate, the CPPA includes expanded exceptions to the consent requirement, including for designated “business activities”. The business activities consent exception category is available if (i) the collection or use would be expected by a reasonable person, and (ii) the information is not collected for the purpose of influencing a person’s behaviour or decision.
Of particular interest to digital media will be the category of business activity described as: “an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual”. While the limitation regarding influencing an individual’s behaviour or decision would disqualify direct internet advertising uses, this exception will provide scope for social media, search engines and research-oriented service providers to collect information about internet users without express consent.
In addition to the new consent exceptions, the CPPA provides for several measures to encourage innovation, including de-identifying information for research and “socially beneficial purposes” and the establishment of codes of practice and certifications approved by the Commissioner by which organizations can have their procedures and policies certified as compliant. These accountability frameworks would not preclude an organization from complying with the CPPA more broadly, but they could provide alternative approaches for establishing consent for certain business practices.
Regulations will be published, potentially including greater clarification regarding excepted business activities and rules for the adoption of codes of practice and certifications.
Quebec’s Bill 64
Anticipating the PIPEDA reform initiative, Quebec also introduced legislation to update its private sector privacy law, tabling in June Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. Bill 64 more closely follows the GDPR’s prescriptive approach than the CPPA, but similar to the CPPA includes the new privacy rights of data portability, the right to be forgotten and algorithmic transparency.
Bill 64 proposes some potentially onerous new rules including a requirement to conduct privacy impact assessments for any “information system project” or “electronic service delivery project” involving the processing of personal information and for any transfer of information outside of Quebec to a jurisdiction not on a list approved as having equivalent protection to that of Quebec.
Of particular interest to digital advertisers and DAAC participants, Bill 64 requires that prior to the use of any technology that permits the identification, locating or profiling of a user, an organization must proactively disclose this use and provide an opt-out. This requirement will apply to internet tracking technologies such as cookies, pixels and beacons and other IDs. It likely will dictate the adoption of “cookie notices” now becoming increasingly prevalent in North American internet advertising - originating with the EU’s “Cookie Directive” but now also in effect required under the California Consumer Privacy Act.
Usefully, Bill 64 includes an explicit recognition permitting the use of information without consent for secondary purposes provided those purposes are related to the original purposes. Similar to the CPPA, Bill 64 permits the use of de-identified information for an organization’s internal research purposes.
Bill 64 will require parental consent for collection of information from children under 14 unless clearly for the child’s benefit. PIPEDA and the CPPA do not differentiate between adults, youth (18 and below) and children (under 13 years of age), but the Office of the Privacy Commissioner of Canada (OPC) has consistently viewed personal information relating to youth and children as being of particular sensitivity, especially the younger they are, and has required parental consent for collection of personal information from children under 13 years of age.
The Quebec government is conducting hearings regarding Bill 64 and has indicated that it will introduce a revised bill in January, presumably reflecting comments provided by stakeholders.
Ontario’s Privacy Law Consultation
In August, the Ontario government commenced a consultation with respect to the potential adoption of a private sector privacy law for Ontario.
In its consultation document, the government indicated that the law would address many of the issues now reflected in the federal PIPEDA reform initiative, including enhanced consent, increased transparency, rights of portability and erasure, as well as encouraging innovation. Not emphasized in the consultation document, but clearly on the table for any Ontario initiative, would be the extension of privacy protections to Ontario-based private sector employees and privacy obligations for charities, not-for-profit organizations and political parties, none of which are addressed under the federal privacy law.
The DAAC submitted to the Ministry of Government and Consumer Services of Ontario in September. The government closed its consultation in October and is now reviewing next steps in this initiative, which presumably will be informed by the proposed PIPEDA reform legislation.
If you found this summary useful, please consider joining the Digital Advertising Alliance of Canada’s self-regulatory program for interest-based advertising to support our future work.