Covid-19 has proven that we are increasingly becoming a more digital society. The shift towards virtual service delivery and operations in various sectors presents opportunities for innovation and greater system and service accessibility but also presents privacy and security risks as more data and personal information is being collected, used and stored in new ways.
On November 17, 2020, long-awaited privacy law reform was finally introduced by the Minister of Innovation, Science and Industry, Navdeep Bains: Bill C-11, the Digital Charter Implementation Act (Bill C-11 or the Bill). The Bill proposes two new pieces of legislation: the Consumer Privacy Protection Act (CPPA), which would replace the current Personal Information Protection and Electronic Documents Act (PIPEDA), and a new administrative tribunal (the Data Protection Tribunal) under the Personal Information and Data Protection Tribunal Act (PIDPTA). The new framework seeks to update and build on PIPEDA’s provisions, including its 10 Fair Information Principles, and draws on the European Union’s General Data Protection Regulation (GDPR). This blog post provides a high-level overview of some of the key elements of the proposed legislation.
Why is Bill C-11 Important?
Generally, the Bill is an important step forward in modernizing Canada’s privacy laws to keep up with technological innovations and a growing digital economy.
The introduction of Bill C-11 comes at a time when Ontario is considering privacy legislation for its own private sector, not-for-profits and charities, in an effort to close the gap in privacy laws in the province (read our blog here). The changes and direction of Bill C-11 may foreshadow what we might see here in Ontario.
The proposed CPPA provides for greater enforcement powers, including for the Federal Privacy Commissioner and through the Data Protection Tribunal, and new rights for individuals. It has a much clearer structure than PIPEDA, making it easier to follow, which helps organizations understand their obligations and individuals understand their rights.
However, the initial draft of the Bill has attracted criticism, including from the Privacy Commissioner, who noted that the Bill fails to take a rights-based approach to privacy that would recognize privacy as a basic human right, affirming individuals’ right to live free from unjustified intrusion or surveillance by Canada and organizations, a right that has been recognized by the Supreme Court of Canada and our constitution.
What are the key takeaways?
The Bill will be analyzed and debated in the legislature over the coming months; however, there are a number of changes that are worth highlighting at the outset:
- New Enforcement Powers and Penalties:
  - The Privacy Commissioner would now have the authority to issue orders relating to compliance and orders to stop using or collecting personal information.
  - Greater penalties and fines for non-compliance, issued by the Data Protection Tribunal:
    - the higher of $10 million or 3% of the organization’s annual gross global revenue for failure to comply with certain requirements of the CPPA (i.e. the collection and use of personal information and security safeguards);
    - the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced, for failing to comply with a Privacy Commissioner’s order or knowingly breaching certain CPPA requirements.
- Enhanced Consent Requirements:
  - Consent is the cornerstone of Bill C-11. Express consent must be obtained for the collection, use or disclosure of a person’s personal information. Consent must be expressly obtained unless an organization can demonstrate it is appropriate in the circumstances to rely on a person’s informed consent. Section 15 of Bill C-11 includes provisions on what makes consent valid, with a focus on providing plain-language information about an organization’s data and information practices. This is an important provision for the purposes of openness and transparency, but does alter existing obligations under PIPEDA. However, there is no consideration of a person’s understanding of the information, or of alternatives to ensure a person understands.
  - There is also a prohibition on obtaining consent using false, misleading or deceptive information and/or practices, which would render the consent invalid.
- Broader Consent Exceptions:
  - Despite the enhanced consent provisions, Bill C-11 also contains consent exceptions in addition to the current PIPEDA exceptions. These include:
    - Business Operations Exception: Allows businesses to collect and use personal information without the person’s knowledge when the person could reasonably expect the organization to do so and the information is not being collected in order to influence the person’s behaviour or decisions. The Bill outlines various activities in which businesses can collect and use information without a person’s consent, including: an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization; due diligence and network security reasons; protecting the safety of a product or service; or where it would be impracticable to obtain a person’s consent given the indirect relationship between the organization and the person.
    - Socially Beneficial Purpose: An important addition in Bill C-11 is allowing organizations to disclose a person’s information if it is de-identified and used for purposes related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or another prescribed purpose. This includes disclosure to government entities and public health institutions.
- De-Identified Information:
  - The Bill allows organizations to de-identify personal information and introduces limited purposes for which an organization may use and disclose a person’s personal information once it has been de-identified. It requires organizations to “ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.” There are also significant penalties for misuse of de-identified information. Without regulations at this time, it is too early to tell the impact of this new practice.
  - While it seems that the further exceptions outlined above and the new rules around de-identification have been included to promote innovation and keep up with the realities of our digital world, these expansions of organizations’ ability to collect and use a person’s information without their knowledge arguably weaken the consent requirements and give people less control and say over their own information.
- New Individual Rights:
  - Data Portability: Bill C-11 introduces an individual right to data portability, which would allow individuals to request that organizations transfer their personal information to another organization. Again, much of the substance of this right is still unknown and will be set out in future regulations.
  - Right to have data deleted: Bill C-11 also introduces an individual right to request that organizations permanently delete (or “dispose” of) their personal information, subject to certain legal requirements.
  - Right of Action: The Bill introduces a new private right of action for individuals, which would allow a person to claim damages for loss or injury, but only if an organization is found to be in breach of the CPPA. The key here is that before this right is triggered, the Privacy Commissioner or the Data Protection Tribunal must make an order finding that the organization is in violation of its obligations.
- Artificial Intelligence and Automated Decision Making:
  - Bill C-11 contains new transparency provisions which further reflect the increasing use of Artificial Intelligence and technology-based decision-making processes. First, the proposed CPPA requires that where an “organization [has] used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.” Second, agencies using “automated decision systems” must provide a “general account” of how the organization intends to use personal information generally, how it intends to use automated decision systems to make decisions that could have a serious impact on a person, and how the organization applies the exceptions set out in the CPPA.
What does this mean for the Developmental Services Sector and other not-for-profits?
Without final regulations, it is unclear to what extent Bill C-11 will apply to not-for-profits and charities. The Bill adopts the same application wording as PIPEDA, applying to an organization that “collects, uses or discloses in the course of commercial activities.” However, the definition of “commercial activity” is broader under Bill C-11 than under PIPEDA. Under Bill C-11, commercial activities include a “particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization’s objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome.”
Without an express provision excluding not-for-profits and charities from the Act, it would be best practice for Developmental Services (DS) Sector agencies and other not-for-profits to undertake a review of existing policies, or develop new policies and procedures, and plan for the new legislative changes. Privacy is important to all individuals, and people have expectations of transparency and accessibility, and concerns about the security of their personal information, when they share it with agencies. From both a legal and a reputational perspective, ensuring your agency has robust privacy and data management practices that are in line with federal privacy laws is important, as it reduces risk and harm to you, the people you support and the other stakeholders you engage with.
PooranLaw will continue to monitor the development of Bill C-11, including changes to the Bill and consultations to be held regarding the Bill.
Note: This article provides general information only and does not constitute, and should not be relied upon as, legal advice or opinion. PooranLaw Professional Corporation holds the copyright to this article and the article and its contents may not be copied or reproduced in any form, in whole or in part, without the express permission of PooranLaw Professional Corporation.