18 June 2026

Bill C-36: Federal government revives privacy legislation

On Monday, the federal government introduced Bill C-36, which would enact the Protecting Privacy and Consumer Data Act (PPACDA). The PPACDA would introduce a number of significant reforms to Canada’s private sector privacy law, some of which were proposed in bills introduced in 2020 and 2022 but never passed.

What you need to know

  • Violations of the PPACDA could carry administrative monetary penalties (AMPs) up to the greater of 3% of global revenue or $10 million. Criminal offences could attract fines up to the greater of 5% of global revenue or $25 million. Violations could also give rise to a private cause of action.
  • The PPACDA includes requirements related to consent, children’s privacy, cross-border data transfers, automated decisions, and privacy management programs.
  • The PPACDA would also create new consent exemptions, codify de-identification and anonymization standards, and establish a new three-tier enforcement regime.
  • If passed, the PPACDA will impose a robust enforcement regime to address organizations’ privacy practices. Organizations should carefully monitor legislative developments and review existing privacy practices to close any potential compliance gaps.

Background

The government teased the introduction of new privacy legislation in its Artificial Intelligence Strategy released last week (for more on the AI Strategy, read our recent bulletin). The PPACDA revives many of the provisions set out in predecessor legislation proposed in 2020 and 2022 by the previous government (for more, read our piece on the most recent predecessor, the Consumer Privacy Protection Act), but also contains some notable changes.

The old

Like the Consumer Privacy Protection Act (CPPA), the PPACDA will replace Part 1 of PIPEDA, which will be renamed the Electronic Documents Act. The PPACDA retains and revives many of the provisions proposed in the CPPA, with some notable changes. Like its predecessor legislation, the PPACDA’s key aspects include:

  • Penalties: The PPACDA would impose significant fines and administrative monetary penalties (AMPs) for breaching the Act. AMPs may be imposed of up to the greater of $10 million or 3% of the organization’s gross global revenue. For certain criminal offences, fines may be imposed up to the greater of $25 million or 5% of the organization’s gross global revenue.
  • Consent and exemptions: Consent remains a cornerstone of the PPACDA’s regime, with certain exemptions for businesses using personal information without consent (such as for certain necessary business activities, transfers to service providers, activities in which an organization has a legitimate interest, or internal analytics using de-identified information). Organizations must use “plain language” when providing information around consent. Organizations are prohibited from providing false or misleading information or using deceptive or misleading practices to obtain consent.
  • Data subject rights: Individuals are provided the right of access to, correction of, and disposal of their personal information; the right to request information about automated decisions; and certain data mobility rights.
  • Privacy management program: The PPACDA requires organizations to implement and maintain a privacy management program that includes policies, practices, and procedures to fulfill their obligations. This includes the protection of personal information, how requests and complaints are handled, training provided, and explanatory materials. The nature of the program must consider the volume and sensitivity of personal information under the organization’s control.
  • Business transaction requirements: Businesses sharing personal information during due diligence in business transactions must de-identify personal information before sharing.

The new

The PPACDA introduces the following notable changes to the CPPA.

New compliance requirements
  • Privacy impact assessments: The PPACDA would require organizations to complete a privacy impact assessment (PIA) before:
    • Relying on the legitimate interest exemption to consent. Though specific PIA requirements will be prescribed by regulations, the purpose of the PIA is to identify and mitigate foreseeable adverse impacts on individuals.
    • Transferring or disclosing information outside of Canada. Organizations must identify risks associated with the transfer or disclosure of information and implement measures to mitigate the risks identified, such as contractual privacy protection measures. These requirements align with the transfer impact assessment requirement in Québec’s Act respecting the protection of personal information in the private sector (the Private Sector Act). The organization must provide the Commission with access to, or a copy of, the PIA on request. While requirements for this type of PIA are also not yet prescribed, organizations can expect that they will reflect, at least in part, the transfer impact assessment requirements in Québec’s Private Sector Act.
    This requirement, alongside a requirement to consider trade obligations in the enforcement of the Act, signals that even amid broader discussions and concerns about data sovereignty, the government does not intend to substantially hinder cross-border transfers in the future.
  • Automated decision-making: Organizations are obliged to provide notice of the use of automated decision-making to make a prediction, recommendation, or decision where it could have a “legal or similarly significant effect” on the individual—a slightly narrower requirement than the one imposed by the CPPA (which only required an “impact” on individuals). Notably, like the CPPA, this applies to any decision using an automated decision system, which is broader than the existing requirement under Québec’s Private Sector Act that applies only to exclusively automated decisions (i.e., with no human input). Like Québec’s law, the PPACDA now provides individuals with an express right to make written representations to have an employee of an organization review predictions, recommendations, or decisions about them using automated processes.

New definitions and concepts
  • De-identification and anonymization: The Act sets out requirements for both de-identified and anonymized information:
    • De-identified information. The Act defines “de-identified information” as information from which an individual cannot be directly identified (though a risk of identification remains). The PPACDA allows for certain uses of de-identified information without knowledge or consent, sets out the narrow circumstances in which de-identified information can be used to identify an individual, and provides that certain rights under the Act (including rights to correction, access, and disposal) do not apply to de-identified information. Organizations that handle large amounts of de-identified data (e.g., for training artificial intelligence models) may take comfort in the government’s acknowledgement of the business utility of retaining de-identified data without having to rely on anonymization, which can reduce the effectiveness of those models.
    • Anonymized information. If information has been anonymized in accordance with the Act, the PPACDA will not apply to it. The Act defines “anonymization” to mean irreversibly and permanently modifying personal information such that there is no “reasonably foreseeable risk” that an individual can be directly or indirectly identified. The new addition of the reasonableness standard aligns with existing regimes in Ontario (public sector) and Québec. The Act further provides that an organization need not obtain consent to anonymize personal information. Further guidance on anonymization may follow by regulation.
  • Sensitive information: The PPACDA includes a definition for “sensitive” that aligns with existing regulatory guidance about sensitive personal information (and with similar definitions in other regimes, such as the GDPR). This definition provides welcome certainty for organizations when analyzing how the sensitivity of information impacts their obligations under the Act, including, most notably, the obligations to report privacy incidents and to obtain express rather than implied consent, both of which turn on a sensitivity analysis.
  • Fundamental right: The PPACDA acknowledges the fundamental right to privacy in its purpose.
  • Children’s privacy: The PPACDA deems any personal information of a “child” (defined as an individual under 18) to be sensitive personal information, attracting heightened privacy requirements. Importantly, the Commission, the Commissioner and the Division are each required to take into account the best interests of children in exercising their powers and performing their duties and functions under the Act.

New enforcement mechanisms
  • Enforcement regime: The Act removes the current oversight by the Office of the Privacy Commissioner of Canada (OPC) and replaces it with a three-tier enforcement regime and a right of appeal at the Federal Court:
    • The Privacy and Consumer Data Commissioner (the Commissioner) will act as investigator for complaints made under the PPACDA. Following the investigation, the Commissioner may serve the organization a notice of contravention (which must include a proposed penalty), enter into a compliance agreement with the organization, or discontinue the complaint. The Commissioner may propose interim orders (in exigent circumstances) and compliance orders.
    • The Digital Safety and Data Protection Commission of Canada (the Commission), to be established under the Digital Safety Act, will act as adjudicator. Parties may appeal to the Commission for a review of a notice of contravention (including the proposed penalty), proposed interim order, or proposed compliance order set by the Commissioner. The Commission will have the power to issue the penalties, compliance orders, and interim orders proposed by the Commissioner (which it can confirm, cancel, or vary). It may also independently issue interim orders in exigent circumstances as it sees fit.
      • As in the CPPA, the Commission will be empowered to disclose information (including potentially privacy incident reports and other information submitted by organizations) to other regulators in a notable departure from the current OPC regime.
      • Organizations are also required to provide the Commission with access to their privacy management program policies, practices, and procedures on request.
    • The Privacy and Consumer Data Division (to be established under the Commission), acting as mediator, will be empowered to resolve disputes and complaints under the Act through mediation and conciliation.
    An organization may appeal a decision or order of the Commission in respect of a notice of contravention to the Federal Court, and may apply for leave to appeal a decision of the Commission in respect of an interim order. Even so, concerns surrounding the independence of these new regulatory bodies, which arose from the CPPA, will likely carry over to the PPACDA given the interconnected review and appeal process between the Commissioner and the Commission.
  • Private right of action: Individuals who have suffered a loss or injury as a result of an organization’s breach of the Act will have a private right of action in the Federal Court after the Commissioner or Commission makes a finding that a contravention of the Act has occurred. The PPACDA expands the circumstances under which an individual can bring a private right of action, specifically including when an organization enters into a compliance agreement with the Commissioner that does not provide for the payment of damages, calling into question whether the right of action will be overused.
  • Third-party audits: The Commissioner, while auditing an organization’s personal information management practices, may require the organization to obtain an audit report prepared by a third party approved by the Commissioner. While this mechanism may be intended to secure an audit where an organization refuses to give the Commissioner access to its systems, this broad power may pose issues for organizations.

Looking forward

Like the former CPPA, the PPACDA presents a robust enforcement regime to address organizations’ privacy practices. As the PPACDA moves through Parliament, organizations should monitor developments to prepare for its eventual enactment. Organizations should review their existing privacy management regimes and operations against the framework proposed under the PPACDA. Organizations can certainly leverage work done in recent years to prepare for compliance with the former CPPA and Québec’s Law 25, but should bear in mind the additional obligations and key differences introduced by the PPACDA.
