Digital Charter Implementation Act, 2020 (Bill C-11) – Overview of changes to the applicable regime
In recent years, technological advances have led to a sudden digitization of daily life and, consequently, of personal information. More than ever, data, including personal information, has become a commodity used to predict individuals’ behaviour. “[I]n an era in which data is constantly flowing across borders and geographic boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information,”[1] it is increasingly necessary to regulate this digital revolution to allow organizations and individuals to benefit from its undeniable advantages while limiting the potential privacy risk.
Over the past five years, legislators have been working to change the legal framework that applies to personal information. Europe led the way in 2016 with the General Data Protection Regulation (“GDPR”), and California followed suit in 2018 with the California Consumer Protection Act (“CCPA”). Quebec and Canada are not far behind. Indeed, on June 12, 2020, Quebec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (“Bill 64”) in the National Assembly. Now it is the federal government’s turn to enter the arena.
On November 17, 2020, the Minister of Innovation, Science and Industry introduced Bill C-11 (the “Bill” or “C-11”), which seeks to enact the Consumer Privacy Protection Act (the “CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”). The Bill repeals Part 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and replaces its short title with the Electronic Documents Act. The principles of Part 1 of PIPEDA will now be enshrined in the CPPA, which will incorporate the 10 well-known fair information principles in a more conventional legislative format, rather than in an appendix, as is currently the case for PIPEDA.
Once adopted, C-11 will result in significant changes to the regulatory framework for the protection of personal information at the federal level. Indeed, it proposes granting new rights to individuals while imposing new requirements on organizations, particularly to achieve greater transparency. C-11 also proposes increased powers for the Privacy Commissioner of Canada (the “Commissioner”), a new Personal Information and Data Protection Tribunal and substantial penalties for contraventions of the law.
We begin this series of publications on the Bill by providing an overview of the main changes to the applicable regime:
1. Changes to consent requirements
a. Consent: form and validity
b. New exceptions to the requirement for consent
i. “Business activities”
ii. De-identification of personal information
– “Internal research and development”
– “Socially beneficial purposes”
2. Obligations of organizations
a. Accountability of organizations and service providers
b. Privacy management program
c. Publicly available information
3. Rights conferred on individuals
a. Right to withdraw consent
b. Right to be informed of an automated processing operation
c. Right to mobility of personal information
4. Enforcement measures
a. New Commissioner’s powers: inquiries and orders
b. Personal Information and Data Protection Tribunal
c. Substantial penalties
d. Private right of action
1. Changes to consent requirements
a. Consent: form and validity
The Bill provides clear guidance on the concept of consent and the manner in which an organization must obtain consent to collect, use or disclose an individual’s personal information. C-11 provides that an organization that collects, uses or discloses personal information must first obtain the consent of the individual concerned (s. 15(1)), and that consent must be obtained no later than the time the information is collected, or, if for purposes other than those identified, before using or disclosing it for those other purposes (s. 15(2)).
Similar to PIPEDA, the Bill favours obtaining express consent but leaves the door open to implied consent in certain circumstances, the appropriateness of which will have to be assessed based on the sensitivity of the information and the reasonable expectations of the individual concerned (s. 15(4)). The Bill specifies, however, that there can be no implied consent for the collection or use of electronic addresses using a computer program designed or marketed primarily to generate or retrieve electronic addresses, nor for the collection of personal information by computer in contravention of federal law (s. 52(4)).
Inspired by the Guidelines for obtaining meaningful consent published in 2018, the Bill further provides that, for consent to be valid, the organization must first inform the individual, in plain language, of the following:
- the purposes for the collection, use or disclosure of personal information;
- how the information will be collected, used or disclosed;
- the reasonably foreseeable consequences of the collection, use or disclosure of personal information;
- the specific type of personal information collected, used or disclosed; and
- the names or classes of third parties to whom the personal information may be disclosed (s. 15(3)).
b. New exceptions to the requirement for consent
The Bill maintains most of the exceptions to the consent requirement in PIPEDA. However, it innovates by adding certain exceptions.
i. “Business activities”: The Bill provides that consent will not be required for the collection and use of personal information in the context of “business activities,” under two conditions:
- a reasonable person would expect such collection and use; and
- the information is not collected or used to influence the behaviour or decisions of the individual.
Business activities for which consent is not required include activities necessary for the provision or delivery of a product or service requested by the individual, activities carried out for due diligence purposes to reduce or prevent business risks, activities necessary for the security of the organization’s information, systems and networks, or activities necessary for the safety of a product or service (s. 18).
ii. De-identification of personal information: The Bill formally incorporates the concept of “de-identified information.” The Bill defines the verb “de-identify” as the act of modifying personal information (or creating information from personal information) by technical means so that the information does not identify an individual and cannot, in reasonably foreseeable circumstances, be used, alone or in combination with other information, to identify an individual (s. 2).
Thus, the Bill clarifies that an organization may use an individual’s personal information to de-identify him or her without the individual’s knowledge or consent (s. 20). In carrying out de-identification, however, the organization must ensure that it uses processes that are proportionate to the purposes for which the information is de-identified and to the sensitivity of the information (s. 74). The Bill also prohibits the use of de-identified information, alone or in combination with other information, to identify an individual, except to verify the effectiveness of security safeguards (s. 75).
- “Internal research and development”: Like Bill 64, C-11 states that de-identified information may be used for internal research and development purposes (s. 21) without the consent or knowledge of the individual.
- “Socially beneficial purposes”: The Bill also states that organizations may, without the individuals’ consent or knowledge, disclose an individual’s de-identified information for a “socially beneficial purpose” to a government institution in Canada (or a part thereof), a health care institution, a post-secondary educational institution, a public library or an organization that is mandated by law or by contract with a government institution in Canada (or a part thereof) (s. 39(1)). A “socially beneficial purpose” means any purpose relating to health, the provision or improvement of public services and infrastructure, the protection of the environment or any other regulatory purpose (s. 39(2)).
2. Obligations of organizations
a. Accountability of organizations and service providers
The Bill clarifies the notion of an organization’s “accountability” for personal information. It reiterates the principle in PIPEDA that an organization is accountable for personal information under its control (s. 7(1)). It does, however, specify that the information is “under the control” of the organization that decides to collect it and identifies the purposes for which it is collected, used or disclosed, whether the organization collects the information itself or through a service provider (s. 7(2)).
“Service provider” means any organization, including a parent organization, subsidiary, affiliate, contractor or subcontractor, that provides a service in the name of or on behalf of another organization to enable it to carry out its purposes (s. 2).
Similar to PIPEDA, C-11 provides that an organization transferring information to a service provider must ensure, contractually or otherwise, that the service provider provides a level of protection equivalent to the level the organization is legally required to maintain (s. 1). Like the GDPR, C-11 distinguishes between the responsibilities of the organization and those of its service provider. Thus, except for the obligation to protect the information through security safeguards (s. 57) and notify the organization that controls the personal information of any breaches (s. 61), the obligations in the statute will not apply to the service provider with regard to information transferred to it unless the service provider collects, uses or discloses the information for a purpose other than that for which it was transferred (s. 11(2)).
Of note, C-11 clarifies that an organization may transfer information to a service provider without the individual’s consent or even knowledge (s. 19). Thus, for the purposes of the Bill, the service provider is not considered to be a “third party” to whom the information could be transferred or communicated and whose identity must therefore be disclosed (s. 15(3)(e)).
b. Privacy management program
Under PIPEDA (s. 4.1.4), organizations were required to implement policies, practices and procedures in order to meet their obligations under the statute. This remains unchanged, subject to the following clarifications (s. 9(1)):
Under C-11, all of an organization’s policies, practices and procedures are known as a “privacy management program.” The Bill specifies that in developing such a program, an organization must consider the volume and sensitivity of personal information under its control (s. 9(2)). Also, at the Commissioner’s request, the organization will be required to provide access to its program’s details (s. 10).
There are three interesting new features in the Bill on this subject:
- Any organization may seek the Commissioner’s guidance on its privacy management program (s. 109(e)).
- Any organization, whether or not it is subject to the law (an “entity”), may apply to the Commissioner for approval of a code of practices it intends to put in place to protect personal information (s. 76).
- Any entity may also apply to the Commissioner for approval of a certification program that includes: a code of practice to implement privacy protection; guidelines for interpreting and implementing the code; a mechanism by which the entity administering the program may certify an organization as complying with the code; a mechanism for independent verification of compliance with the code; and disciplinary measures for non-compliance with the code, including the revocation of a certification (s. 77).
c. Publicly available information
In the spirit of transparency that underlies the Bill, the legislator provides for additional privacy protection information to be made available to the public. In addition to the information that organizations were already required to make publicly available under PIPEDA (s. 4.8.2), the Bill adds the following (s. 62):
- a description of the type of personal information under the organization’s control;
- a general account of the use of “automated decision systems” to make predictions, recommendations or decisions about individuals;
- whether it transfers personal information interprovincially or internationally with “reasonably foreseeable privacy implications”; and
- how an individual may make a request for the disposal of personal information.
3. Rights conferred on individuals
In addition to the rights of access and amendment of personal information already provided in PIPEDA (s. 63), C-11 provides new rights for individuals.
a. Right to withdraw consent
The Bill gives individuals the right to withdraw their consent, in whole or in part, to the collection, use and disclosure of their information. The organization must inform the individual of the consequences of this withdrawal. It must then cease collecting, using or disclosing the information as soon as possible (s. 17), provided that (a) disposal of this information does not result in the disposal of personal information about another individual and the information is not severable; and (b) there are no reasonable legal requirements or contractual restrictions that prevent it from doing so. The organization must also inform any service provider to which it has transferred the information of the individual’s request as soon as possible and confirm with the service provider that the information has been disposed of (s. 55).
b. Right to be informed of an automated processing operation
The Bill adds specific provisions on the use of “automated decision systems.” An “automated decision system” is defined as “a technology that assists or replaces the judgment of human decision-makers using techniques such as rule-based systems, regression analysis, predictive analytics, machine learning, deep learning, and neural nets” (s. 2). Thus, in addition to the requirement above to make available, in plain language, a general account of the organization’s use of automated decision systems (s. 62(2)), the organization will be required to provide, upon request, an explanation of the prediction, recommendation or decision resulting from the use of an “automated decision system” and the source of the personal information used to make the prediction, recommendation or decision (s. 63(3)). Unlike Bill 64, C-11 provides only for the right to be informed and not for the right to make submissions for review of the decision.
c. Right to mobility of personal information
C-11 incorporates the notion of “mobility of personal information.” Specifically, an organization will be required to disclose, as soon as possible, personal information it has collected from an individual to an organization designated by the individual if both organizations are subject to a prescribed “data mobility framework” (s. 72). The Bill does not define what is meant by a “data mobility framework.” It does, however, provide for the enactment of regulations specifying, among other things: (a) the safeguards that organizations must put in place to permit the secure disclosure of personal information in this context; (b) the parameters for the technical means for ensuring interoperability in the disclosure and collection of that information; and (c) the organizations subject to such a framework. C-11’s “mobility of personal information” therefore appears to be more limited than what is provided for in Bill 64, since it will only be applicable between organizations subject to a data mobility framework.
4. Enforcement measures
a. New Commissioner’s powers: inquiries and orders
Under PIPEDA, any individual could file a complaint with the Commissioner against an organization that contravened its obligations. The Commissioner could also initiate such a complaint (s. 11). The Commissioner was also responsible for investigating complaints (s. 12) and could attempt to resolve the dispute (s. 12.1(2)) or negotiate compliance agreements (s. 17.1). These powers remain unchanged under C-11 (ss. 82, 83, 84 and 88).
However, the Bill introduces new powers for the Commissioner. Thus, the Commissioner will now be able to conduct an inquiry into a complaint (s. 88) or if it has reason to believe that the terms of a compliance agreement have been breached (s. 89). At the end of this inquiry, the Commissioner must render a reasoned decision (s. 92(1)). If the Commissioner considers that it is reasonably necessary to ensure compliance, the Commissioner may order the organization to:
- take measures to comply with the law;
- cease any action that contravenes the law;
- comply with a compliance agreement it has entered into; and
- make public any measures taken or contemplated to correct the program it has put in place to fulfil its legal obligations (s. 92(2)).
With respect to penalties, the federal legislator chose to take a different route from the Quebec legislator under Bill 64, which gives the Commission d’accès à l’information the power to impose penalties directly. Under C-11, if the Commissioner believes that certain provisions of the law have been contravened (as discussed in more detail below in the section on penalties), the Commissioner may recommend that a penalty be imposed on the organization by the new Personal Information and Data Protection Tribunal. However, it will not be able to recommend the imposition of a penalty if, at the time of the contravention, the organization was complying with the requirements of an approved certification program (s. 93(3)).
The Commissioner’s decision may be appealed to the Personal Information and Data Protection Tribunal by the complainant or the affected organization within 30 days (s. 100(1)).
b. Personal Information and Data Protection Tribunal
The Bill proposes to establish the Personal Information and Data Protection Tribunal (the “Tribunal”) (s. 4 PIDPTA). The Tribunal will have jurisdiction in respect of any appeal by a complainant or an organization affected by a decision of the Commissioner, as well as the imposition of the penalties set out in the legislation (s. 5 PIDPTA).
The Tribunal will be composed of three to six members, at least one of whom will have experience in the field of information and privacy law (s. 6 PIDPTA). The Tribunal will not be bound by any legal or technical rules of evidence in hearings. It must deal with matters as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit (s. 15(1) PIDPTA). As a general rule, Tribunal hearings will be held in public (s. 15(4) PIDPTA), and the decisions must be publicly available (s. 18(1) PIDPTA).
c. Substantial penalties
Like the GDPR and Bill 64, C-11 provides for substantial penalties for contraventions of the law. These are divided into two categories:
- For the least serious offences, a maximum penalty of up to 3% of the organization’s gross global revenue in its previous financial year or $10 million, whichever is higher (s. 94).
These penalties apply to contraventions of the following provisions:
- limitation of collection (s. 13);
- use for new purposes (s. 14(1));
- consent for a good and service (s. 15(5));
- consent obtained by deception (s. 16);
- period for retention and disposal (s. 53);
- request for disposal (s. 55(1) and (3));
- security safeguards (s. 57(1)); and
- reporting and notification of security breaches (s. 58(1) and (3)).
It should also be noted that the organization may benefit from a due diligence defence, as the Bill provides that no penalty may be imposed if the organization establishes that it took reasonable precautions to prevent the contravention (s. 94(3)).
- For the most serious offences, a maximum penalty of up to 5% of the organization’s gross global revenue in its previous financial year or $25 million, whichever is higher (s. 125).
It will be an offence for an organization to knowingly contravene an order issued by the Commissioner, to obstruct the Commissioner in the course of an audit, investigation or examination of a complaint, or to knowingly contravene the following obligations or prohibitions:
- obligation to report breaches of security safeguards (s. 58);
- obligation to keep and retain a record of every breach of security safeguards (s. 60(1));
- obligation to retain personal information covered by an access request until all avenues of recourse have been exhausted (s. 69);
- prohibition against using de-identified information to identify an individual (s. 75);
- prohibited reprisals against an employee (s. 124).
d. Private right of action
Another new feature of this Bill is the introduction of a private right of action. An individual will be able to bring an action against an organization for damages for loss or injury suffered if:
- the Commissioner or the Tribunal has already made a finding that the organization has contravened its statutory obligations (s. 106(1)); or
- the organization has been convicted of an offence (s. 106(2)).
An action for damages will be barred after two years following the day on which the individual becomes aware of the Commissioner’s or Tribunal’s finding or conviction (s. 106(3)). This action may be brought in the Federal Court or the superior court of a province (s. 106(4)).
Unlike Bill 64, C-11 does not provide for the award of punitive damages and proof of injury will be required.
5. Conclusion
Once a leader in the protection of personal information, Canada has been largely overtaken by other jurisdictions that have adapted more quickly to the exponential technological changes of recent decades. It has become more than necessary to modernize the relevant legal regime to bring it into this new era.
If passed, Bill C-11 will be the most significant reform of federal privacy laws since the passage of PIPEDA. Based on our preliminary analysis, it is a step in the right direction to ensure compliance with the provisions of the GDPR and facilitate cross-border transfers of personal information. In some respects, however, C-11 does not go as far as the GDPR, or even Bill 64. Over time, this could pose challenges for Quebec and Canadian businesses to achieve compliance and could hurt their competitiveness.
Currently, no date has been set for C-11 to come into force. Key stakeholders will likely have an opportunity to comment on the impact of the current provisions of the Bill, so a revised version is likely to be tabled in 2021. That said, the federal government is announcing its intentions. For this reason, companies should start looking at their current practices to identify potential gaps that might affect compliance down the road.
[1] S. 5, Bill C-11.