Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020, proposing the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the sixth of a series of articles addressing specific issues raised by the proposed CPPA. This article addresses the CPPA’s new requirement to dispose of personal information when that information is no longer required, or upon request to do so.
Click here for a more general discussion of the changes introduced by the Bill; scroll to the bottom for links to other posts in the CPPA: In Depth series.
Expanded obligations to dispose of personal information
There is not explicit requirement in PIPEDA to delete or destroy personal information. Principle 5 (in Schedule 1 to PIPEDA)
PIPEDA does impose limits on the retention of personal information. For instance, organizations are required to retain personal information “that has been used to make a decision about an individual … long enough to allow the individual access to the information after the decision has been made. In addition, PIPEDA says that “[p]ersonal information shall be retained only as long as necessary for the fulfilment of [the purposes for which it was collected].”
Principle 5 does state that organizations “should” destroy, delete or anonymize personal information that is no longer necessary to fulfil the purposes for which it was collected, but does not go so far as to make destruction a clear obligation.
The approach taken by the CPPA would solidify these existing principles into an obligation, and add a further obligation to dispose of personal information on request.
Personal information must be disposed of after its lifecycle
Section 53 of the CPPA addresses the disposal of personal information at the end of its lifecycle. It expressly prohibits retaining personal information for any period of time beyond what is necessary to “fulfil the purposes for which the information was collected, used or disclosed” or otherwise comply with legal requirements including “reasonable” contract terms. It also clearly requires organizations to dispose of personal information “as soon as feasible” after the end of that time period.
As under PIPEDA, section 54 of the CPPA requires organizations to retain personal information used to make a decision about an individual “for a sufficient period of time to permit the individual to make a request for access”. There is no information on what length of time is considered “sufficient” but typically is at least as long as required to exhaust all avenues of appeal or review.
Personal information must be disposed of on request
The more substantial change is that, pursuant to section 55 of the CPPA, organizations will be required to dispose of an individual’s personal information if the individual requests it. There is no time limit on this request and so information currently being used for an identified purpose can be the subject of a disposal request.
The only exceptions to the obligation to dispose of information on request are where another individual’s personal information is not severable and would also be disposed of, or where other requirements under federal or provincial law or “reasonable” contract terms prevent the organization from disposing of information. Where an organization refuses a request for disposal, it must inform the individual in writing, provide reasons for the refusal, and explain the further steps that the individual can take.
The severability exemption will be of note to organizations using aggregate data sets or training machine learning algorithms, as this type of data is unlikely to be severable in any commercially reasonable way. With respect to the disposal exemption for “reasonable” contract terms, organizations would be well advised to consider reviewing existing terms for such reasonableness if they anticipate potentially relying on them to refuse disposal requests. See more on this point below.
Managing disposal requirements
From a procedural perspective, this new obligation to dispose of personal information on request will require organizations to bring together the policies and procedures that allowed them to respond to requests for disclosure or correction of personal information with the policies and procedures for disposal of information at the end of its lifecycle.
In particular, organizations will need to track two points in time: the time after which personal information is no longer needed for its purposes, as well as the last time personal information was used to make a decision about an individual. Organizations will also need to set procedures to ensure that the personal information is disposed of “as soon as feasible” after the later of those two points in time, and ensure documentation of same.
Although these requirements do impose a new burden on organizations, they also reduce the risk when a data breach occurs. When an organization does not dispose of personal information that is at the end of its lifecycle, it also effectively creates a larger trove of personal information for potential loss or theft. Conversely, regular disposal of personal information limits what can be taken in the case of a breach.
Anonymization is not disposal
PIPEDA permitted organizations to erase, destroy or anonymize personal information at the end of its lifecycle. The CPPA, however, appears to preclude anonymization as a means of disposal.
Under the CPPA, the “disposal” of personal information is defined as “the permanent and irreversible deletion of personal information”. There is no provision for anonymization, as there was in PIPEDA.
The CPPA does permit the “de-identification” of personal information, but this does not qualify as disposal. Because the definition of de-identification includes the “creat[ion] of information from personal information”, the anonymization of personal information can only ever create de-identified information, which is still subject to the CPPA, and still subject to disposal requirements.
General issues surrounding anonymized versus “de-identified” information are discussed in a separate article.
Given the high threshold for disposal (“permanent and irreversible deletion”) and the ever changing nature of technology, organizations will need to regularly review their policies and procedures to ensure that their deletion strategies are effective. Further, absent any grandfathering of existing data sets, organizations that have relied until now on anonymization as a form of destruction will need to update their policies and procedures to ensure “permanent and irreversible” deletion. If grandfathering is to be permitted, then organizations may wish to anonymize critical data sets prior to the coming into the force of the CPPA, as after that date, these data sets would only be de-identified information, which is still subject to the CPPA, with no avenue to remove it from the CPPA’s purview.
As noted, the CPPA appears to continue to view “de-identified” personal information as personal information. As a result, the disposal provisions would also apply to de-identified personal information. This could create substantial risk for organizations relying on de-identified personal information.
What are “reasonable” contract terms?
The CPPA adds a further new wrinkle to the disposal requirements: an organization need not dispose of information if “reasonable” contract terms prohibit its disposal. This exception applies to both the obligation to dispose of personal information at the end of its lifecycle and the obligation to dispose on request.
Because it is new, it is not clear from the current wording of the CPPA what contractual terms will be “reasonable” and provide the basis for the exception. Some inferences can nonetheless be drawn from the proposed legislation as a whole.
Section 5 of the CPPA sets out the overarching purpose of the act: to balance “the right of privacy of individuals with respect to their personal information” and “the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances”. To be reasonable, contract terms should therefore also seek to balance these two factors. Organizations should also consider limiting the contract terms to situations that “a reasonable person would consider appropriate in the circumstances”.
Impacts on privacy policies
The CPPA includes some substantial changes to the requirements for privacy policies, which are discussed in a separate article. In relation to the right to request disposal, organizations must include information in their privacy policies regarding how individuals can make that request. This information must be “readily available” and be written in “plain language”.
Disposal requirements for service providers
The changes in service providers’ obligations generally under the CPPA are discussed in a separate article.
Under section 55(3) of the CPPA, an organization that receives a request for disposal must, in addition to disposing of the personal information in its possession, inform any service provider of the request and ensure that the service provider also disposes of the personal information.
It is implicit in this term that organizations will have a record of what and whose personal information they have transferred to service providers. Organizations that do not already track this will therefore be required to perform and update data mapping.
Section 55(3) implies that service providers will dispose of the personal information, but does not expressly require them to do so. Instead, it leaves the obligation on the organization which received the request to “obtain a confirmation from the service provider that the information has been disposed of.”
As a result, it would be prudent for organizations using service providers to include contract terms requiring the service providers to track disposal requests and dispose of personal information promptly and in accordance with the CPPA. Such terms may also assist with the due diligence defense to an administrative monetary penalty, which will be discussed further below.
Is this the “right to be forgotten”?
The likely impetus for the new disposal requirements in the CPPA is the “right to be forgotten” that has developed in the European Union and is now set out in s. 17 of the GDPR. As Innovation, Science and Economic Development Canada put it in their Fact Sheet on the CPPA:
Disposal of personal information and withdrawal of consent: The accessibility of information online makes it hard for individuals to control their online identity. The legislation would allow individuals to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
This is similar reasoning to that underpinning the right to be forgotten.
However, the disposal requirements in the CPPA remain much narrower than the EU’s “right to be forgotten”. In particular, there is no mention in the CPPA of de-indexing from search engines. Given the ongoing reference by the Privacy Commissioner of Canada to the Federal Court on that issue, the exclusion is likely deliberate. The obligations are instead limited to deletion of personal information by an organization that has collected the information.
The decision to limit deletion in this way in the CPPA is also different from the approach currently being taken in Quebec. Its Bill 64, which sets out substantial amendments to the current Quebec privacy legislation, explicitly adds a right to de-indexing (section 28.1).
The consequences of failure to dispose of personal information are serious
The CPPA generally sets much higher administrative monetary penalties, or fines, than PIPEDA. Another article has covered this topic in detail. These provisions are applicable to violations of the right to disposal.
For the purpose of this post, the key point is that an organization that does not dispose of information at the end of its lifecycle under section 53 or after a request under section 55 may be subject to administrative monetary penalties of up to the higher of $10 million or 3% of its gross global revenue in the previous financial year.
However, this administrative monetary penalty cannot be imposed if the organization “establishes that it exercised due diligence to prevent the contravention” (section 94(3)). The due diligence defence is yet another reason for organizations to have robust privacy policies and practices.
Other posts in the CPPA: In Depth series:
Further parts in the series are pending.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information. Subscribe and stay updated.