On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects individuals’ personal information and regulates organizations’ privacy practices. Bill C-27: Digital Charter Implementation Act, 2022 will implement the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001. While updated a number of times since it took effect, the broad consensus is that PIPEDA is in need of a general overhaul. The government’s first shot to do so was the 2019 Bill C-11: Digital Charter Implementation Act, 2019. However, Bill C-11 languished in Parliament, ultimately dying with the federal October 2019 federal election. The consensus at the time was that Bill C-11 required revision before it was passed in any event (though it did give organizations a sense of what to expect). Bill C-27 is very similar, though not identical, to Bill C-11, and creates three new laws:
Here’s a look at 12 key differences between the regulation of the collection, use and disclosure of personal information under PIPEDA, and under the newest version of the CPPA.
1. Complete Restructuring
The Bill C-27 version of the CPPA, as was the Bill C-11 version, is a completely different structure compared to PIPEDA.
CSA Model Code. PIPEDA included a schedule taken from the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, and essentially said, “follow that”. In contrast, the CPPA, similar in structure to the provincial Personal Information Protection Acts of Alberta and British Columbia, incorporates the CSA Model Code’s 10 principles in the body of the actual Act rather than in a schedule. The 10 principles in the new Act are largely unchanged, except the language is necessarily modified so it’s more “statutory” compared to that typically in an industry standards document. This isn’t surprising; though written in the 90’s, the principles were based on the Organization for Economic Co-operation and Development (OECD) guidelines, and versions of all the ten principles exist in all modern privacy laws. What is changed, however, is the additional detail about what organizations must do to comply with the law.
Privacy Management Program. A prime example is principle 1 of the CSA model code. This required that an organization “implement policies and practices to give effect to the CSA Model Code principles”. However, section 9 of the new CPPA explicitly requires that an organization implement and maintain a privacy management program that “includes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Act”. The CPPA further sets out particular policies, practices and procedures the program must cover and the factors the organization must take into account in developing its program. The organization must provide its privacy management program to the Privacy Commissioner on request.
Documenting Consent. Another example is with respect to documenting consent. The CSA Model Code implicitly required organizations to record and document the purposes for which they collect, use or disclose any personal information. The new CPPA expressly spells this requirement out. In addition, section 15 of the CPPA sets out in detail what’s required for consent to be valid. Essentially, it requires not only identifying the purposes for which the personal information will be used, but also communicating in plain language: how the information will be collected; the reasonably foreseeable consequences of the proposed collection, use and disclosure; and what types of information will be disclosed and to whom.
2. Big Consequences
The 2022 version of the CPPA will carry significant consequences for those that breach it.
Administrative Monetary Penalties. Bill C-27 will implement significant penalties for non-compliance with the CPPA – though slightly different from those proposed in Bill C-11. The 2022 version of the CPPA authorizes a maximum administrative monetary penalty in one case of the higher of $10M and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed. The first version of the CPPA would have authorized administrative monetary penalties and fines of up to $25M or 5% of global revenue, whichever is higher. Currently, PIPEDA only authorizes penalties for violation of the Digital Privacy Act’s data breach response obligations, and those are still markedly lower than those under the CPPA: the maximum fine for breaching the Digital Privacy Act is $100,000 per violation (though if there were multiple violations, which would not be uncommon, the fines could add up).
Quasi-Criminal Prosecutions. The CPPA also provides for quasi-criminal prosecutions that can carry even higher financial consequences. The Crown prosecutor can decide whether to proceed by way of either: an indictable offence, with a fine not exceeding the higher of $25M and 5% of the organization’s gross global revenue; or a summary offence, with a fine not exceeding the higher of $20M and 4% of the organization’s gross global revenue. If there is a prosecution, the usual rules of criminal procedure and fairness, like the presumption of innocence and proof beyond a reasonable doubt, apply.
3. Enlarged Privacy Commissioner Role & Powers
The most significant difference between PIPEDA and the CPPA, both in its Bill C-11 and Bill C-27 forms, reflects what many privacy advocates have called for: a move away from the traditional ombuds model. Under the CPPA, the Privacy Commissioner is no longer an ombuds with a focus on nudging companies to compliance and solving problems for individuals; it has veered strongly towards enforcement – and a much more adversarial regime. As with PIPEDA, enforcement starts either with a complaint by an individual, or the Commissioner can initiate a complaint of their own accord. However, from that point on the process will change.
Investigation. The CPPA sets out more circumstances than did PIPEDA in which the Commissioner can decline to investigate. After the investigation, the Commissioner can refer the matter to an inquiry.
Inquiries. Inquiries have many more procedural protections for fairness and due process than under PIPEDA’s ad hoc system. For example, the CPPA guarantees each party a right to be heard and to be represented by counsel. While in practice this has typically occurred, it will be required under the CPPA. In addition, the CPPA requires the Privacy Commissioner to develop rules of procedure and evidence, make then public, and follow them.
Orders. At the end of the inquiry, the Commissioner can issue compulsory orders of measures a party must take to comply with the CPPA or orders it stop doing something that contravenes the CPPA. Under PIPEDA, the Privacy Commissioner only has the power to make recommendations to a breaching organization. As under PIPEDA, the Commissioner can also continue to name and shame violators. Notably, the Commissioner can’t itself levy any penalties, but they can recommend that the new Privacy and Data Protection Tribunal do so.
4. New Personal Information and Data Protection Tribunal
As under Bill C-11, the new regime under Bill C-27 implements a new, specialized “Personal Information and Data Protection Tribunal” to replace the current role of the Federal Court under PIPEDA – with greater powers.
Appeals. The CPPA will allow organizations accused of violating the CPPA a new right to appeal the Privacy Commissioner’s findings, interim orders and final orders. Under PIPEDA, only complainants and the Commissioner can seek a hearing in the Federal Court after the Commissioner has issued their finding.
Role. The Tribunal’s role is to determine whether any penalties recommended by the Privacy Commissioner are appropriate. It also hears appeals of the Privacy Commissioner’s findings, interim or final orders, and decisions not to recommend any penalties be levied. Under PIPEDA, a Federal Court hearing after the Commissioner has issued their finding is “de novo” (new): the Court starts fresh and makes its own findings of fact and determinations of law, based on the parties’ submissions. In contrast, the Tribunal will review the Commissioner’s decision under a stricter standard: “correctness” for questions of law; and “palpable and overriding error” for questions of fact or questions of mixed law and fact. Practically, this means that while organizations that collect, use or disclose personal information will now have the opportunity to appeal the Commissioner’s decision, that appeal will be subject to a stricter standard of review. The Tribunal’s decisions are subject to limited judicial review before the Federal Court.
Jurisdiction. While the Tribunal’s jurisdiction is currently limited to the CPPA, it’s expected that will grow. For example, the “online harms” consultation of the last year anticipated that the Tribunal would also review determinations made under the relevant legislation.
Members. Unlike Bill C-11, Bill C-27 requires that at least three of the Tribunal members have expertise in privacy.
5. Global Application
As did PIPEDA, the CPPA will apply to the collection, use and disclosure of personal information in the course of commercial activity and to employee information of federally-regulated organizations. However, as under Bill C-11, the Bill C-27 version of CPPA also applies to all personal information an organization collects, uses or discloses interprovincially or internationally. In the past, the federal Privacy Commissioner asserted this was implied under PIPEDA; it’s now express. There are some carve-outs for government institutions under the federal Privacy Act, for personal or domestic, journalistic, artistic and literary uses of personal information and for business contact information. This expanded application reflects the increased digitization and globalization of the economy, that knows no border, and that the COVID-19 Pandemic accelerated. However, there are two problematic aspects to this expansion:
Breadth. It’s not expressly limited to commercial activity, so an argument could be made that it applies to non-commercial or employee personal information (which would otherwise be beyond the scope of the law) that crosses borders.
Redundancy & Duplication. For organizations with operations in Quebec, British Columbia and in Alberta (the only Canadian provinces with provincial general privacy legislation that’s substantially similar to PIPEDA), it must now comply not only with the substantially similar provincial privacy laws of both provinces, but also with the CPPA, when it moves data from one province to another. That seems redundant.
Furthermore, the CPPA fails to fill the cross-border gap that also exists under PIPEDA: it doesn’t expressly extend to personal information imported into Canada from the European Union under an EU adequacy finding. Under the General Data Protection Regulation (GDPR), organizations can only export from the EU personal data to countries the EU determines have adequate protections. So an EU adequacy finding still only applies to the extent the CPPA, as does PIPEDA, covers. A clear extension of the CPPA to personal information imported from Europe would have been beneficial to ensure confidence that the adequacy finding from the EU, present and future, applies across the board.
6. Statutory Right of Action
As did Bill C-11, the Bill C-27 version of the CPPA creates a new privacy breach legal claim. An individual can sue an organization (within two years of the Commissioner’s finding) for compensation where the Privacy Commissioner decides the organization violated the individual’s privacy under the CPPA, and the Personal Information and Data Protection Tribunal upholds that finding. While PIPEDA limits any action to recover compensation for a violation of privacy to the Federal Court, the CPPA will also allow aggrieved individuals to file such actions in the superior court of a province. However, the wording of the CPPA makes it unclear whether a violator is also exposed to class action liability. While PIPEDA limits the ability to seek compensation for a violation from the court system to complainant to the Privacy Commissioner, the CPPA broadens this to “an individual who is affected” by a violation.
7. Data Portability & Deletion
Both versions of the CPPA provide for new individual rights of data portability and deletion. Consumers can require an organization to transfer their data to another organization (subject to regulations that aren’t yet available), likely a boon to open banking. However, the Bill C-27 version of the CPPA does narrow the data portability provisions compared to that in the Bill C-11 version by requiring that data portability be connected to a “data mobility framework”. Individuals can also require that an organization delete the personal information it’s collected about them, subject to some limitations, in what appears to be a limited form of the “right to erasure”.
8. Algorithmic Transparency
As did the Bill C-11 version of the CPPA, the Bill C-27 CPPA requires algorithmic transparency. Individuals will have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision about the individual that could have a significant impact on them.
9. Collection, Use & Disclosure Without Consent
One difference from PIPEDA under both the Bill C-11 and Bill C-27 versions of the CPPA that will delight some and enrage others is the circumstances under which an organization can collect, use and disclose personal information without consent.
Certain Business Activities. The CPPA allows collection and use without consent for certain business activities where it would reasonably be expected to provide the service, for security purposes, for safety, or for other prescribed activities. Notably, an organization can’t use this exception where the personal information is to be collected or used to influence the individual’s behaviour or decisions.
Legitimate Interest. There’s also a “legitimate interest” exception to consent for collection, use and disclosure requiring an organization to document any possible adverse effects on the individual, mitigate them, and finally weigh whether the legitimate interest outweighs any adverse effects. However, it’s unclear how “adverse effects” will be measured.
10. No Change to Access by Law Enforcement (Yet)
Surprisingly, the exceptions that can apply when the government or policing authorities seek personal information from an organization remain the same as those in section 7(3) of PIPEDA. For example, the CPPA includes a mirror of the “lawful authority” provision from PIPEDA, which the Supreme Court of Canada effectively said in its 2014 decision in R. v. Spencer is meaningless. Section 44 says,
An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.
In R. v. Spencer, the Supreme Court’s issue was essentially, “what does ‘lawful authority’ mean”? The new CPPA makes no effort to answer this question. It’s likely this section of the CPPA will require further revision in the future. In the meantime, organizations’ response to any such request should similarly remain unchanged: “Come back with a warrant”.
11. Anonymizing & De-Identifying Data
As did the Bill-C11 version of the CPPA, the Bill C-27 version of CPPA makes new rules around the de-identification of data – including allowing for organizations to use an individual’s personal information without their consent in order to de-identify their data – but appears to limit other uses of de-identified data. Under certain circumstances, organizations can also disclose de-identified data to public entities for socially beneficial purposes. However, the CPPA now takes an interesting approach to anonymous and de-identified data by officially creating two separate categories:
Anonymize. To anonymize is defined as “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” So, effectively there’s no reasonable prospect of re-identification. The CPPA doesn’t regulate anonymous data because, by definition, there’s no reasonable prospect of re-identification.
De-identify. To de-identify data means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” So, you’re essentially using data with the identifiers removed. The CPPA does regulate de-identified data and generally prohibits attempts to re-identify it. It also says that in some cases, de-identified data can be used or even has to be used in place of fully identifiable personal information.
12. Codes of Practice
As did the Bill C-11 version of the CPPA, the Bill C-27 CPPA introduces the concept of “Codes of Practice”. Notwithstanding the requirement for a privacy management program, the CPPA allows private organizations to establish a “code” and internal certification programs for complying with the CPPA, which the Privacy Commissioner will approve. Once approved, this “code” will effectively establish the organization’s legal compliance obligations.
Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss how to prepare to comply with the new Consumer Privacy Protection Act.