PIPEDA Reform – Bill C-27

On June 16, 2022, the Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry (ISED), and the Honourable David Lametti, Minister of Justice and Attorney General of Canada, introduced the Digital Charter Implementation Act, 2022, known currently as Bill C-27.

Bill C-27 introduces three new Acts:

  1. Consumer Privacy Protection Act (CPPA): an Act to support and promote electronic commerce by protecting personal information that is collected, used, or disclosed in the course of commercial activities. It provides clear rules around data collection and use practices, consent, exceptions to consent, risk mitigation, and more significant documentation of internal processes. It also strengthens protections for minors against improper use of their data. Once passed, this law will replace the Personal Information Protection and Electronic Documents Act (PIPEDA).

  2. Personal Information and Data Protection Tribunal Act: an Act that provides a recourse mechanism for enforcement of the CPPA. The Tribunal would impose monetary penalties and rule on appeals from orders made by the federal Privacy Commissioner.

  3. Artificial Intelligence and Data Act (AIDA): an Act that will govern the development and deployment of high-impact AI systems.

Many of the proposed provisions are similar to what was in the previous Bill C-11 (which died on the order paper after the 2021 federal election), such as:

  • Openness and transparency: an organization must make readily available, in plain language, information that explains the organization’s policies and practices

  • Data deletion rights for individuals

  • Mandatory breach reporting

  • Significant penalties for non-compliance

  • An opportunity for codes of practice and certifications to be approved by the Office of the Privacy Commissioner (OPC)

This new bill also includes greater protections for children and stricter rules for organizations building artificial intelligence systems.

While the bill provides a view into compliance expectations, regulations will be published after it passes to clarify excepted business activities and to give rules for adopting codes of practice and certifications.


Penalties and More Power for the Privacy Commissioner

The proposed penalties under the CPPA are significant.

Following an investigation, if the OPC determines that a penalty should be imposed on an organization, they must file an application with the Tribunal for an order imposing the penalty. The Tribunal, before which both the Commissioner and the organization may appear, can accept the Commissioner’s recommendation or determine that another level of penalty is appropriate.

The maximum penalty is the higher of $10,000,000 and 3% of the organization’s gross global revenue. There is no information in the bill as to who would sit on the Tribunal, but at least three of the three to six members appointed must have experience in the information and privacy law field.

Offences include:

  • Not implementing and maintaining a privacy management program

  • Failing to report breaches

  • Inadequately retaining records subject to access requests

  • Intentionally re-identifying individuals

  • Breaching an order of the Commissioner

Such offences can result in fines of up to the higher of $25,000,000 and 5% of the organization’s gross global revenue.

A private right of action is established under which anyone affected by a breach can bring a claim for actual loss or harm, but only if the Commissioner or the Tribunal has made a finding of a breach, or the organization has been convicted of an offence. This new right of action may lead to class actions.

The Commissioner will also be given an order-making power to require organizations to take specific steps to correct deficiencies in their practices. Orders can be appealed to the Tribunal.

A separate set of criminal penalties applies under AIDA.


Assessments, Privacy Programs, and Record-Keeping

Before collecting or using personal information, an organization must identify any potential adverse effect on individuals that could likely result from the collection or use of their data and take reasonable measures to reduce the impact and mitigate or eliminate those risks.

Additionally, organizations must implement and maintain a privacy management program that includes policies, practices, and procedures that the organization has put in place. The program must address the protection of personal information, how requests for information and complaints are received and dealt with, the training of staff, and material for explaining such policies and procedures to the public.

If collecting information without consent pursuant to the legitimate interests exception (see below), the organization must also assess for risks of harm to individuals and record its assessment. Organizations must also provide copies of the assessments to the Commissioner upon request.


Valid Consent

For data collection, use, and disclosure, express consent (opt-in) is required for most commercial purposes.

Consent is only valid if, in plain language, the purposes for the collection, use, or disclosure of data are revealed, the consequences are detailed, the types of personal information involved are described, and the names are revealed of any third parties (or types of third parties) to which the organization may disclose the personal information.


Legitimate Interest

An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is something that individuals would reasonably expect and the organization’s interest outweighs any potential adverse effect on them.

While this exception takes the burden of consent off individuals, the government was vocal that legitimate interest must not be misused.

The government framed it as a balancing act of affording organizations some flexibility while ensuring appropriate oversight. The Privacy Commissioner can mitigate or eliminate risks for individuals by keeping watch on how legitimate interest is used.


Sensitive Personal Information and Minors

Under the CPPA, as under PIPEDA, determining what constitutes sensitive personal information remains a contextual analysis. Organizations must take into account the volume and sensitivity of the personal information under their control and consider the sensitivity of information when determining retention periods.

The personal information of minors is considered to be sensitive information. There is no definition for “minor” in the Act, which was purposeful, according to ISED. Instead, provinces and territories will have definitions that can apply.


De-Identification

The bill clarifies that personal information that has been de-identified is still considered personal information and is subject to the law.

It also describes the authority organizations have to de-identify data without obtaining the consent of the individual to whom the personal information relates. Using de-identified information for research and “socially beneficial purposes” by or for public sector entities would also be acceptable.


Codes of Practice and Certifications

The CPPA contemplates regulations for OPC-approved codes of practice and certifications, through which organizations can have their procedures and policies certified as compliant.

Adhering to these accountability frameworks would not relieve an organization of its obligation to comply with the CPPA more broadly.


Other Notable Features

  • The government believes the bill will maintain Canada’s adequacy under the GDPR.

  • Political parties are not covered by the bill.

  • Anonymization is defined as a form of disposal.


Enactment Process

Any bill brought forward must go through a standard process within Parliament. This process includes several readings, committee study, and (sometimes) stakeholder consultation; the bill must be approved by both the House of Commons and the Senate before receiving royal assent. Typically, this process takes many months, and with Parliament in recess over the summer, second reading may not happen until the Fall.

The entire process may take six months to a year and, once passed, the law won’t come into force immediately upon royal assent. There will be a 12-18 month transition period so that businesses are in a position to comply. Regulatory development will need to happen during that time as well.


What DAAC Program Participants Should Know

The DAAC will monitor how this bill progresses.

In the meantime, a refreshed set of DAAC Principles will be released in early September, which will inch participants closer to the requirements of the CPPA. Also keep watch for other new AdChoices program features, such as a self-assessment form and new compliance interpretation guidance.

Is your company not yet part of the AdChoices self-regulatory program? The DAAC program is well-established and has tools ready to assist you with your compliance efforts. Now is an excellent time to join as bills such as C-27 become talking points at your boardroom table.

Please get to know what we do by contacting us at info@daac.ca today.