Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020. It proposes the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the eighth of a series of articles addressing specific issues raised by the proposed CPPA. This article discusses how the CPPA would treat requests made to organizations by individuals seeking to access their personal information.
Click here for a more general discussion of the changes that would be introduced by the Bill; scroll to the bottom for links to other posts in the CPPA: In Depth series.
Background: the right of access under PIPEDA
Under PIPEDA, individuals have the right to access and correct personal information about them in the custody or control of an organization subject to PIPEDA. This right of access is governed by Principle 9 of Schedule 1 to PIPEDA. Under the CPPA, the right of access would be incorporated into the legislation itself. The mechanisms for submitting and responding to an access request, as well as available exemptions, would also be included in the legislation itself. As in PIPEDA, the CPPA would require such requests be made in writing, and organizations would be required to provide access to the information requested unless the organization can provide justification for acting otherwise, or such access is prohibited.
The right of access
The right of access under the CPPA would be largely the same as that under PIPEDA. Upon the written request of an individual, an organization would be required inform the individual of whether it has personal information about the individual, how it uses that personal information, and whether it has disclosed that personal information (section 63(1)). The organization would also need to provide the names of the third parties, or the types of third parties, to which it has disclosed personal information (section 63(2)). Note that the language here is in the alternative – organizations that do not want to provide the names of third parties to which have disclosed an individual’s personal information can still satisfy this requirement by providing a description of the type of organization to which they provided the information.
New under the CPPA would be an access right specific to automated decision making. Under the CPPA, if an organization has used an “automated decision system” to make a “prediction, recommendation or decision about the individual”, and an individual makes a request, the organization would need to provide the individual with an explanation of the prediction, recommendation or decision, and an account of how the personal information used to make the prediction, recommendation or decision was obtained.
All of the above must be provided in “plain language”.
The access right in respect of automated decision systems is likely to cause the most concern. Given the breadth of the definition (“any technology that assists or replaces the judgement of human decision-makers”) it is likely that organizations will be unclear on what is or is not captured, and therefore to what requests for information they must provide an explanation and how the personal information was obtained.
Where requested, an organization would also be required to give the individual access to their information. As with PIPEDA, the CPPA would not require organizations to actually provide a copy of this information; in practice, however, most organizations do provide copies, at least for easily accessible, electronic copies.
Thirty day response time remains
There would be no changes to timelines under the CPPA. An organization would be required to respond to an access request within thirty days of receiving it. In certain circumstances, an organization would be entitled to extend the thirty-day time limit by sending a notice of extension to the individual within thirty days, setting out a new time limit and informing the individual of their right to make a complaint to the Office of the Privacy Commissioner of Canada (“OPC”). An organization would only be entitled to extend the time limit where:
- meeting the access request within the initial thirty-day time period would unreasonably interfere with the organization’s activities, or if the organization would require more time to undertake consultations necessary to respond to the request. In these circumstances, the organization would be entitled to extend the time limit by an additional thirty days.
- an organization requires additional time to convert the personal information into an alternative format (i.e. a format allowing an individual with a sensory disability to read or listen to the personal information).
As discussed below, organizations would be entitled to refuse access requests in certain circumstances. In these cases, organizations would be required to provide reasons for the refusal, and set out the individual’s recourse to make a complaint to the organization or to the OPC.
Charging a fee is permitted, but fee must be minimal
An organizations would be prohibited from responding to the individual’s request at a cost unless the organization had informed the individual of the approximate cost of responding to the request, the cost to the individual would be minimal, and the individual had advised the organization that the request was not being withdrawn.
Mandatory and discretionary exemptions to the right of access clarified
Unlike PIPEDA, the CPPA would more clearly define the circumstances under which an organization would be able to refuse an individual’s access request.
In certain cases, access is prohibited. An organization must refuse access if granting the request would “likely reveal personal information about another individual.” However, if the information about the other individual were severable from the information about the requester, the organization would be required to sever the information about the other individual and grant access to the remainder.
Note that under the CPPA, the severed information may qualify as having been de-identified under the CPPA’s definition of “de-identify”. As a result, the organization must, pursuant to section 74, “ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.” For more on de-identification, see our de-identification blog post in this series.
Severance is likely to be straightforward where information appears in forms or emails or other structured formats. Blended information (e.g., aggregate data sets) poses more of a challenge and will in most cases be unable to be severed.
Refusal of requests continues to be permitted in narrow circumstances
Organizations would have the discretion to refuse access to information where:
- The information was protect by solicitor-client or litigation privilege;
- Granting access would reveal confidential commercial information;
- Granting access could reasonably be expected to threaten the life or security of another individual;
- The information was collected pursuant to the exception to knowledge and consent for the purposes of an investigation under s. 40(1) (in other words, where personal information was collected without the knowledge or consent of the individual for purposes related to investigating a breach of an agreement or a contravention of federal or provincial law. Organizations relying on this exemption must notify the OPC of this);
- The information was generated in the course of a formal dispute resolution process; or
- The information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
In the circumstances described at (b) and (c), the organization would be required to sever the information giving rise to the discretionary exemption and provide access to the remainder.
If the individual needed the information requested because an individual’s life, health, or security was threatened, none of the above exemptions would apply and organizations would be required to provide access to the information. Note, however, that the prohibition against disclosing the personal information of other individuals continues to apply in these circumstances.
Access to information subject to certain exceptions
Like PIPEDA, the CPPA would enable organization to disclose personal information to a government institution or part of a government institution without the knowledge or consent of the individual for the purposes of law enforcement, national security, defence, international affairs, or complying with a subpoena, warrant, or order.
Where an individual had made an access request for such information or for an account of such disclosures, the organization would have to notify the institution of the request. The institution would then be entitled to object to the organization’s compliance with the request on the basis that compliance would be deleterious to:
- national security, the defence of Canada or the conduct of international affairs;
- the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
- the enforcement of a federal or provincial law or law of a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
The organization would then be required to refuse the request and notify the OPC, and would be prohibited from disclosing to the requester the fact that the organization had notified the government institution.
The right to amendment remains
As with PIPEDA, if an individual given access to their personal information is able to demonstrate that the information is not “accurate, up-to-date or complete”, the organization would be required to amend the information as required. After doing so, the organization would be required to transmit the amended information to any third party with access to it.
In the event that the organization and individual could not agree on the amendments, the organization would be required to record the disagreement, and if appropriate to do so, inform parties with access to the information that there was a disagreement.
Right to complain continues under the CPPA
An individual unhappy with the outcome of their request may complain to the organization itself, which is required under section 73(3) to investigate such complaint and “make any necessary changes to its policies, practices and procedures as a result of the investigation.”
Other posts in the CPPA: In Depth series:
Part 1: CPPA: An in-depth look at the “service provider” provisions in Canada’s proposed new privacy law
Part 2: CPPA: An in-depth look at the enforcement and penalty provisions in Canada’s proposed new privacy law
Part 3: CPPA: An in-depth look at the codes of practice and certification program provisions in Canada’s proposed new privacy law
Part 4: CPPA: An in-depth look at the de-identification provisions in Canada’s proposed new privacy law
Part 5: CPPA: An in-depth look at the data mobility provisions in Canada’s proposed new privacy law
Part 6: CPPA: An in-depth look at the disposal provisions in Canada’s proposed new privacy law
Part 7: CPPA: An in-depth look at the consent provisions in Canada’s proposed new privacy law
Part 8: CPPA: An in-depth look at the access request provisions in Canada’s proposed new privacy law
Part 9: CPPA: An in-depth look at the private right of action provisions in Canada’s proposed new privacy law
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information. Subscribe and stay updated.