Bill C-11 and startups: the good, the bad, and the ugly
Authors
Ronak Shah
Molly Reynolds
Marko Trivun
If your startup operates in Canada and deals with data that may include personal information, then you are familiar with PIPEDA[1]. Recently, the federal government introduced its long-awaited privacy reform bill, Bill C-11, which overhauls PIPEDA by creating a modern and responsive law. It gives Canadians more control over their personal information and provides innovative businesses with clarity on their obligations. In this article and companion video featuring members of our Privacy and Emerging Companies and VC practices, we explore the implications of the proposed reform for emerging and high-growth technology and digital companies.
What you need to know
- Bill C-11 proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and create a new administrative tribunal, the Personal Information and Data Protection Tribunal. It is unlikely that the proposed requirements under CPPA would come into effect before the end of 2022; however, as a founder it is important to understand the new rules to adjust your data management practices. In addition, VCs will ask you at your next board meeting, or during a future financing round, about what you are doing to understand CPPA implications on your company.
- Even though CPPA contains several new obligations for businesses and new consumer rights, CPPA represents a PIPEDA 2.0-style reboot rather than a wholesale import of the E.U.’s more stringent privacy law, GDPR. This means companies that have invested in PIPEDA compliance will be able to build on their existing privacy and data governance frameworks and will not need to start from scratch.
- Overall, CPPA:
- retains PIPEDA’s balancing of the need to protect an individual’s privacy against businesses’ commercial interests;
- largely remains technology neutral;
- continues to use consent as the central basis for the processing of personal information, while adding a few new consent exemptions for certain “business operations” and “internal R&D”;
- requires transparency about the use of predictive algorithms and plain language explanations of how personal information is processed;
- provides individuals with the right to data portability and the right to request deletion of personal information; and
- expands the federal Office of the Privacy Commissioner of Canada’s (OPC) powers, including the ability to impose mandatory orders and to recommend that the Tribunal impose financial penalties.
The good, the bad and the ugly
Even though the CPPA will likely undergo significant revisions as a result of the legislative process, we have outlined below key changes that VCs and startups should monitor. The table below breaks down these key highlights into three categories: improvements in privacy law (the good); changes that increase regulatory burden (the bad); and changes that significantly increase businesses’ regulatory burden or their potential liability/risk profile (the ugly). For each provision we give a summary of the proposed rule change and its implications for startups.
The good

CPPA provision: Service provider exemption
Summary of the proposed rule change: This exemption allows accountable organizations to transfer personal information to a service provider (now a defined term[2]) without the individual’s knowledge or consent. However, as the accountable party[3], the organization is required to impose controls (contractual or otherwise) on service providers to ensure equivalent protections[4].
Implications for startups: This new exemption recognizes that as businesses go digital, they need to be able to seamlessly outsource functions to service providers and share data across borders.

CPPA provision: Business operations exemption
Summary of the proposed rule change: This new consent exemption permits companies to collect and use personal information if it is:
Implications for startups: If your startup is already established and compliant with PIPEDA, in practice it is unlikely that your business will see an expanded ability to process personal information without consent, given that many of these activities are already permissible as a condition of service or with implied consent under PIPEDA.

CPPA provision: Data portability
Summary of the proposed rule change: Individuals will have a new right to request that an organization transfer the personal information it has collected from them to another organization. However, the details and scope of application will be set out in a data portability framework regulation.
Implications for startups: Data mobility will be a boon to startups. In addition to creating a more level playing field, innovative startups will benefit from access to data in greater volumes. At the same time, startups will need to develop processes and implement data hygiene best practices to ensure they are able to efficiently delineate between the information they directly collected from the individual and the data (and IP) the organization itself created.
The bad

CPPA provision: De-identification
Summary of the proposed rule change: CPPA introduces a few de-identification related provisions:
Implications for startups: Even though the CPPA settles a long-standing ambiguity by allowing organizations to de-identify information without consent, it limits the use of de-identified information to a few purposes (internal R&D and socially beneficial purposes). Such an approach to “de-identification” has the effect of expanding the law’s jurisdiction beyond personal information.

CPPA provision: Right to disposal[5]
Summary of the proposed rule change: Individuals can request that an organization delete their personal information, subject to legal retention obligations or where it cannot be severed from others’ personal information. This right is limited to information collected from the individual (i.e., not information created by the organization, such as inferential data, or obtained from third parties).
Implications for startups: Given the requirement to ensure that service providers permanently delete personal information, this requirement will impact not only organizations that directly collect information from individuals for their own purposes but also startups that work along the data processing and management supply chain. In addition to implementing processes to give effect to such requests, organizations will need to keep up-to-date data inventories to make sure they are able to delete all of the personal information in their possession or under their control.

CPPA provision: Algorithmic transparency
Summary of the proposed rule change: CPPA’s new algorithmic transparency requirement has two components:
CPPA does not include a right to object to or opt out of the use of such automated tools.
Implications for startups: It is important to note that the right to an explanation does not contain the “significant impact” qualifier included in the disclosure requirement. This means organizations will need to be able to identify, track and document all automated systems that use an individual’s personal information to make determinations, and to be able to explain in plain language how that information was used to make a “prediction, recommendation or decision”.

CPPA provision: Business transaction exemption
Summary of the proposed rule change: PIPEDA permits organizations to share personal information without consent for due diligence purposes in a business transaction. CPPA proposes to add a new requirement that the seller de-identify personal information before sharing it with a potential buyer.
Implications for startups: If passed in its current form, this would have significant impacts on investment diligence and the deal process by adding time and expense for the startup to de-identify information critical to evaluating the transaction (e.g., information about key customers or, for the limited set of federally regulated entities, employees).
The ugly

CPPA provision: Scalable privacy management program
Summary of the proposed rule change: Organizations must take into consideration the volume and sensitivity of personal information under their control when developing privacy management programs.
Implications for startups: This requirement will significantly impact data-intensive startups. Any organization, irrespective of size or stage of development, that handles large volumes of personal information and/or processes sensitive information will be required to implement robust privacy practices. This means startups will need to allocate significant resources to privacy management from the get-go.

CPPA provision: Penal regime and investigation powers
Summary of the proposed rule change: CPPA proposes to give the OPC the following supplemental powers:
Implications for startups: This will increase the burden of regulatory investigations on businesses, because their data processing activities may be interrupted even before the OPC has decided whether the company is offside the new law. The ability to force an organization to change its business model and to recommend a financial penalty will heighten the impact of a negative OPC finding beyond the current name-and-shame regime.

CPPA provision: Fines
Summary of the proposed rule change: For more egregious contraventions[8] of the CPPA, an organization could face a criminal conviction and be fined up to 5% of annual global revenue or $25 million, whichever is greater. These offences would be prosecuted by the Attorney General of Canada.
Implications for startups: Fines under the new regime will raise multiple related risks for companies, such as whether such costs can or will be insured or indemnified, the business and reputational impact of a criminal conviction as opposed to a regulatory finding, and shareholder or consumer litigation arising from findings of intentional misconduct.

CPPA provision: Private right of action
Summary of the proposed rule change: CPPA introduces a private right of action in court following a finding of non-compliance by the OPC or the Tribunal. Unlike some international regimes, CPPA does not propose statutory damages; rather, claimants must prove loss or injury.
Implications for startups: Businesses may see increased litigation activity in cases where the OPC has found they violated CPPA but the facts would not otherwise support a damages award under common law causes of action such as privacy torts, negligence or breach of contract. For example, in a data breach case it may be easier for consumers to prove a breach of the statutory requirement to implement appropriate safeguards than to prove that criminal hacking was a violation of a duty the company owed to consumers which in turn caused them to suffer loss.
Next steps
Even though the CPPA is subject to changes as it winds its way through the parliamentary review process (and is a couple of years away from being enforced), it is important to understand how the CPPA impacts your company and to develop plans to address gaps in compliance. This is especially critical since investors and potential buyers will, as part of their due diligence, soon begin to ask about the proactive steps you have taken to comply with CPPA, just as they did prior to the implementation of the EU’s GDPR and California’s CCPA.
_________________________
[1] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
[2] Under CPPA, “service providers” include parent corporations, subsidiaries and affiliates as well as third-party vendors.
[3] CPPA deems personal information collected, used or disclosed on behalf of an organization by a service provider to be under the control of the organization (not the service provider) if the organization determines the purposes of collection, use or disclosure.
[4] Additionally, under CPPA, service providers are generally exempt from the direct application of the CPPA when processing data for another organization. However, service providers will be required to notify accountable organizations of any data breaches.
[5] CPPA defines “disposal” as the permanent and irreversible deletion of personal information.
[6] However, the OPC cannot recommend that a penalty be imposed on an organization for a contravention of the CPPA if the OPC is of the opinion that, at the time of the contravention, the organization was in compliance with the requirements of an approved certification program.
[7] Organizations may rely on a due diligence defence which, if successful, prevents the Tribunal from imposing a penalty.
[8] Such fines are available when an organization knowingly contravenes CPPA provisions relating to breach reporting or record keeping, uses de-identified information to identify an individual, fails to adequately retain information subject to an access request, denies whistleblower protections or obstructs OPC proceedings.