Privacy modernization with a northern touch: the proposed Digital Charter Implementation Act

The federal government has introduced Bill C-11 the Digital Charter Implementation Act, 2020, into Parliament. Bill C-11 aims to modernize the framework for the protection of personal information in the private sector and provide individuals with greater control over their information.

Video: Watch Ronak Shah and Molly Reynolds on our privacy and data governance team share their initial reactions to the proposed CPPA.

What you need to know

• The Bill proposes to create a new privacy statute, the Consumer Privacy Protection Act (CPPA)—as well as a new administrative tribunal, the Personal Information and Data Protection Tribunal (Data Protection Tribunal).
• The Privacy Commissioner’s powers will be expanded, including with respect to mandatory orders and financial penalties.
• Consumers will have a private right of action following a regulatory investigation, but must prove loss in order to recover damages.
• The CPPA includes several new obligations for businesses and new consumer rights, ranging from algorithmic transparency to data deletion requirements, but is not a mirror image of the EU’s GDPR.

Key highlights

While the Bill will undergo significant debate through the legislative process, outlined below are key highlights that businesses should monitor.

The new Act continues to use a principles-based approach, and, for the most part, remains technology neutral.

Consent continues to remain at the center of CPPA.

• CPPA establishes the need for express consent unless the organization can demonstrate that implied consent is appropriate in the circumstances. This largely aligns with regulatory guidance in recent years interpreting the scenarios in which organizations can rely on implied or express consent.
• CPPA codifies the narrow circumstances in which consent to the handling of personal information can be a ‘conditions of service’, but again does not significantly differ from regulatory interpretations of current PIPEDA.

Consent exemptions. CPPA outlines a number of consent exemptions similar to those outlined previously under PIPEDA, such as processing personal information to investigate fraud, financial abuse or collect debts. In addition, it includes:

• Business operations exceptions: Bill C-11 introduces a business operations exemption to consent if the collection and use is:
  • within the reasonable expectation of the individual;
  • not for the purposes of influencing the individual’s behaviour or decisions (i.e., not for marketing or profiling); and
  • for limited, prescribed activities such as service delivery, safety, risk mitigation or cybersecurity.

While this clarification will be useful, it is unlikely that businesses will see an expanded ability to process personal information without consent given that many of these activities are already permissible as a condition or service or with implied consent under PIPEDA. The proposed exemption is not as flexible as GDPR’s legitimate interest basis for processing, which is not centered around a particular purpose.

• De-identification exemption: organization may use an individual’s personal information without their knowledge or consent to de-identify the information. This will also provide certainty to organizations that anonymize personal information for analytics and other purposes. However, other provisions of the CPPA purport to regulate the use of de-identified data, raising questions about whether the legislative intent it to expand the law’s jurisdiction beyond personal information.

Limited use of de-identified information. under Bill C-64 de-identified information can only be used without an individual’s consent for:

• the organization’s internal research and development purposes; and
• socially beneficial purposes.

Additionally, organizations must not use de-identified information to identify an individual, except in order to test the effectiveness of security safeguards used to protect the information.

Service provider obligations. Organizations may transfer personal information to a service provider without individual knowledge or consent. This is a welcome clarification following the uncertainty that flowed from the Privacy Commissioner’s Equifax decision. In addition, service providers are generally exempt from direct application of the CPPA when processing data for another organization; the accountable company must contractually impose equivalent obligations. However, service providers will be required to notify accountable organizations of data breaches.

Change in prospective business transaction exemption. PIPEDA permits organizations to share personal information without consent for due diligence purposes in a business transaction. CPPA proposes to add a new requirement that the seller de-identify personal information before sharing it with a potential buyer. If passed, this would have significant impacts on deal process—additional time and expense would be required to de-identify information critical to evaluating the transaction, such as financial or salary information about key customers or employees. The standard of de-identification required is not articulated in the Bill, raising the prospect that potential buyers will be deprived of relevant information during diligence because of the process used to strip out personal identifiers. The rationale for this requirement is unclear, given that there is also a requirement that only personal information necessary to evaluating the transaction may be shared under the existing exemption.

Data portability. Bill C-11 introduces a sparse right to data portability. An individual may request that an organization transfer the personal information it has collected .from the individual to another organization. However, the details and scope of application will be set out in a data portability framework regulation.

Right to deletion. the proposed legislation would allow individuals to request that organizations delete their data, subject to legal retention obligations or where it can’t be severed from others’ personal information. CPPA also imposes an obligation on the accountable organization to ensure that service providers have deleted the information. The scope of the severance exemption may be significant for companies engaged in data analytics and machine learning in which personal information is stored in pseudonymized or defragmented formats or blockchain technology that makes record deletion difficult.

Algorithmic transparency.  CPPA contains new transparency requirements for automated systems that make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained. Unlike the GDPR however, the Bill does not include a right to object to or opt out of such automated tools.

Prohibition on routinely updating personal information. Bill C-11 proposes a prohibition on regularly updating personal information unless it is necessary to fulfil the purposes for which the information is collected, used or disclosed. This will impose additional transparency requirements on organizations that routinely collect and refresh sensitive personal information from third-parties such as credit reporting agencies, and increase the burden to demonstrate why such regular updating is necessary for business, risk or legal purposes.

OPC powers. The CPPA proposes to give the Privacy Commissioner extensive order making powers, including to require an organization to modify its practices and to make public any steps to correct practices; and to recommend fines to the Data Protection Tribunal.

Penalties. The Bill proposes GDPR-level penalties and fines:

• the higher of $10 million or 3% of the organization’s annual gross global revenue for failure to comply with certain requirements under the Act (e.g. limiting collection, data retention, breach notification etc.)
• up to 5% of revenue or $25 million, whichever is greater, for various offences including failure to comply with an OPC order or knowingly contravening CPPA’s breach notification or record keeping requirements.

Private right of action. Bill C-11 introduces a private right of action in the Federal Court or Superior Court as long as the OPC or the Data Protection Tribunal have issued findings of non-compliance. Unlike in some international regimes, Bill C-11 does not propose statutory damages—claimants must prove loss or injury.

Next steps

Bill C-11 will proceed through committee review and consultation. The Government’s focus on providing certainty for business, facilitating data-driven innovation and international harmonization suggest that there will be opportunities for industry consultation during this process.