Authors
Ronak Shah
The federal government has introduced Bill C-11, the Digital Charter Implementation Act, 2020, into Parliament. Bill C-11 aims to modernize the framework for the protection of personal information in the private sector and to give individuals greater control over their information.
While the Bill will undergo significant debate through the legislative process, outlined below are key highlights that businesses should monitor.
The new Act, the Consumer Privacy Protection Act (CPPA), continues to use a principles-based approach and, for the most part, remains technology neutral.
Consent remains at the centre of the CPPA.
Consent exemptions. CPPA outlines a number of consent exemptions similar to those outlined previously under PIPEDA, such as processing personal information to investigate fraud, financial abuse or collect debts. In addition, it includes:
While this clarification will be useful, it is unlikely that businesses will see an expanded ability to process personal information without consent, given that many of these activities are already permissible as a condition of service or with implied consent under PIPEDA. The proposed exemption is not as flexible as the GDPR’s legitimate interest basis for processing, which is not centred around a particular purpose.
Limited use of de-identified information. Under Bill C-11, de-identified information can only be used without an individual’s consent for:
Additionally, organizations must not use de-identified information to identify an individual, except in order to test the effectiveness of security safeguards used to protect the information.
Service provider obligations. Organizations may transfer personal information to a service provider without the individual’s knowledge or consent. This is a welcome clarification following the uncertainty that flowed from the Privacy Commissioner’s Equifax decision. In addition, service providers are generally exempt from direct application of the CPPA when processing data for another organization; the accountable organization must contractually impose equivalent obligations. However, service providers will be required to notify accountable organizations of data breaches.
Change in prospective business transaction exemption. PIPEDA permits organizations to share personal information without consent for due diligence purposes in a business transaction. The CPPA proposes to add a new requirement that the seller de-identify personal information before sharing it with a potential buyer. If passed, this would have significant impacts on the deal process—additional time and expense would be required to de-identify information critical to evaluating the transaction, such as financial or salary information about key customers or employees. The standard of de-identification required is not articulated in the Bill, raising the prospect that potential buyers will be deprived of relevant information during diligence because of the process used to strip out personal identifiers. The rationale for this requirement is unclear, given that the existing exemption already requires that only personal information necessary to evaluating the transaction may be shared.
Data portability. Bill C-11 introduces a sparse right to data portability. An individual may request that an organization transfer the personal information it has collected from the individual to another organization. However, the details and scope of application will be set out in a data portability framework regulation.
Right to deletion. The proposed legislation would allow individuals to request that organizations delete their data, subject to legal retention obligations or where the data can’t be severed from others’ personal information. The CPPA also imposes an obligation on the accountable organization to ensure that service providers have deleted the information. The scope of the severance exemption may be significant for companies engaged in data analytics and machine learning in which personal information is stored in pseudonymized or defragmented formats, or in blockchain technology that makes record deletion difficult.
Algorithmic transparency. CPPA contains new transparency requirements for automated systems that make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained. Unlike the GDPR however, the Bill does not include a right to object to or opt out of such automated tools.
Prohibition on routinely updating personal information. Bill C-11 proposes a prohibition on regularly updating personal information unless it is necessary to fulfil the purposes for which the information is collected, used or disclosed. This will impose additional transparency requirements on organizations that routinely collect and refresh sensitive personal information from third parties such as credit reporting agencies, and increase the burden of demonstrating why such regular updating is necessary for business, risk or legal purposes.
OPC powers. The CPPA proposes to give the Privacy Commissioner extensive order-making powers, including the power to require an organization to modify its practices and to make public any steps taken to correct practices, and to recommend fines to the Data Protection Tribunal.
Penalties. The Bill proposes GDPR-level penalties and fines:
Private right of action. Bill C-11 introduces a private right of action in the Federal Court or a Superior Court, provided that the OPC or the Data Protection Tribunal has issued findings of non-compliance. Unlike some international regimes, Bill C-11 does not propose statutory damages—claimants must prove loss or injury.
Bill C-11 will proceed through committee review and consultation. The Government’s focus on providing certainty for business, facilitating data-driven innovation and international harmonization suggests that there will be opportunities for industry consultation during this process.
© 2023 by Torys LLP. All rights reserved.