An Introduction to Canada's New Privacy Law

Canada's privacy landscape is on the move. Going under names such as the Consumer Privacy Protection Act (CPPA) and Bill C-11, the proposed law has generated wide anticipation and speculation about the impact it will have on businesses throughout the country and around the world. In this article we take a quick look at Canadian privacy law and at what to expect from Canada's new privacy law.

Canada's Current Privacy Law

Canada is one of the few countries to have adopted a comprehensive model for the protection of personal information. Private sector organizations are governed by federal legislation called the Personal Information Protection and Electronic Documents Act (PIPEDA). It regulates how private sector organizations collect, use or disclose personal information in the course of their commercial activities. It also contains various provisions to facilitate the use of electronic documents (any electronic media content). At the provincial level, PIPEDA has similar counterparts (namely BC PIPA, Alberta PIPA, the Quebec Act and Ontario PHIPA, among others); private organizations do not have to comply with PIPEDA if they are subject to these provincial laws or otherwise comply with them.

Introducing CPPA / Bill C-11

On November 17, 2020, Canadian legislators in the House of Commons presented Bill C-11 to introduce the Digital Charter Implementation Act. For the sake of brevity, the Digital Charter is a set of ten principles that aim to strike a balance between transparency in the use of personal information and digital innovation and expansion for businesses. But is that all? Probably not. It is worth mentioning here that PIPEDA was introduced in the year 2000, a time when it was considered one of the forerunners in the global data protection landscape. In 2002, the European Union found PIPEDA adequate when compared with its own data protection laws. This adequacy gave Canadian companies global leverage, allowing unrestricted data flows with EU companies.

However, the enforcement of the EU's GDPR in 2018 and the CJEU's (Court of Justice of the European Union) landmark Schrems II judgment in 2020 have raised the "adequacy bar" to the next level, prompting a review of adequacy decisions worldwide. This can therefore be considered another trigger that led to the inception of Bill C-11. Consequently, the three stanchions of Bill C-11 are consumer control, responsible innovation, and a strong enforcement and oversight mechanism. If passed into law, it would replace the existing private sector legislation, PIPEDA, with two new statutes: the Consumer Privacy Protection Act, or CPPA (not to be confused with California's CCPA), and the Personal Information and Data Protection Tribunal Act. Some of the key features under each driving force are described below.

Greater Control and More Transparency

Meaningful Consent: Bill C-11 takes a very practical approach to consent. It would require organizations to obtain "meaningful consent" from consumers by providing them specific information in plain, simple language (moving away from lengthy and cumbersome agreements), enabling them to understand the context better and make informed choices about the use of their personal information. To that effect, it also introduces a new exception to consent, allowing the collection and use of information for reasonably foreseeable standard business activities (thus avoiding redundant and complex consent agreements).

Right to Delete Information: One of the most powerful additions under Bill C-11 is the right to delete information. This would enable Canadians to prevent organizations from using their personal information and to have it deleted permanently if desired. For example, any Canadian could simply demand that a social media company permanently delete their profile or any piece of personal information held by the company.

Data Mobility and Interoperability: To further its data control objectives, the bill introduces the right to transfer personal data. This would give individuals even more control over their information by allowing them to direct organizations to transfer it to another organization or entity in a secure manner. This would be achieved through regulations that establish frameworks for secure transfer and data portability.

Algorithmic Transparency: Bill C-11 also improves transparency around the use of automated decision-making systems such as algorithms and AI technologies, which are becoming more pervasive in the digital economy. It requires organizations to be transparent about their use of automated systems to derive conclusions, make predictions or make specific decisions about someone. Furthermore, it gives individuals the right to an explanation of a prediction or decision made by such a system.

Strong Impetus on Responsible Innovation

Codes of practice and certification systems: The bill enables organizations to apply to the federal Privacy Commissioner to establish codes of practice and certification programs, setting out general requirements tailored to their sector or activities. This would make compliance more attainable and predictable for businesses.

De-identified Information: Bill C-11 sets out clear guidelines for organizations to use de-identified information (information in which identifiers are obscured or removed) without consent in certain scenarios (a matter undefined under PIPEDA and left to the interpretation of the Privacy Commissioner). This provision would allow organizations, especially small businesses, to leverage the power of data to further their digital innovation goals without infringing upon the privacy of Canadians.

Data for Good: Bill C-11 introduces another exception to the consent requirement in specific scenarios in which de-identified information about an individual can be disclosed to certain Canadian government bodies, post-secondary educational institutions, healthcare institutions, public libraries or an organization mandated by law for socially beneficial purposes (purposes related to the improvement of public services, infrastructure, health or the environment).

Strong Enforcement

Sanctions: Under PIPEDA, the Office of the Privacy Commissioner (OPC) can investigate an organization (in the case of a complaint by an individual alleging a violation of PIPEDA-specific rights) and issue a report detailing its findings and recommendations. However, those recommendations are not binding on the organization, leaving the OPC only one way forward: applying to the Federal Court for an enforcement order. In contrast, Bill C-11 introduces well-defined sanctions which are amongst the toughest in the world.

First, if the Commissioner considers that it is reasonably necessary to ensure compliance, the Commissioner may order the organization to:

  • take measures to comply with the law;

  • cease any action that contravenes the law;

  • comply with a compliance agreement it has entered into; and

  • make public any measures taken or contemplated to correct the program it has put in place to fulfil its legal obligations.

Second, the Commissioner will have the power to recommend administrative monetary penalties (AMPs) of up to $10,000,000 or 3% of global revenues, whichever is higher, for less serious offences. For serious criminal offences, the penalties may go up to $25,000,000 or 5% of global revenues, whichever is higher. It is interesting to note that, to date, the maximum fine that can be imposed under PIPEDA is $100,000, for failure to meet breach notification requirements.

Procedural Fairness: Bill C-11 also introduces the Personal Information and Data Protection Tribunal. The Tribunal would not only levy penalties if and when warranted but also have appellate jurisdiction in respect of an entity affected by a decision of the OPC. The Tribunal has been introduced in the bill with a dual purpose. First, to place checks and balances on the new powers of the Commissioner, ensuring procedural fairness and operational transparency. Second, to give individuals and organizations better access to justice through a less cumbersome appeal process.

When To Expect The New Law

The Bill is expected to be tabled for debate and voting in the House of Commons in Fall 2021, after which experts may be summoned for their input. Once passed in the House of Commons, it will need to go through a similar review and approval cycle in the Senate. Given the steps involved and a potential election on the horizon, it may appear a bridge too far. However, considering the exponential growth in data-driven technologies around the world, including Canada, the fine-tuning of the Canadian privacy landscape is definitely on the horizon. Canadian organizations will be well served by paying attention to this space and by being prepared to pivot in response to these new privacy requirements.

Guilda Rostama

Guilda Rostama is a GDPR specialist. A fully qualified French lawyer, Guilda has a PhD in law and holds a Master of Law and Internet Technology from Paris Sorbonne, an LLB from the University of Sheffield, United Kingdom, and the CIPP/C. Before moving to Canada in 2021, Guilda was a senior legal counsel in the Economic Affairs department at the CNIL (the French data protection authority) for more than four years. During her tenure at the CNIL, she was actively involved in building recommendations and guidelines for organizations implementing the GDPR. She also led the Social Media Expert subgroup of the European Data Protection Board (EDPB).
