Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020, proposing the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the third of a series of articles addressing specific issues raised by the proposed CPPA. This article addresses the CPPA’s new Codes of Conduct and Certification Program.
A new form of privacy self-regulation
Certification is a way for an organization to demonstrate compliance with legislative requirements. Certification scheme criteria are generally approved by an independent certification body, and may be general or specific. Once an accredited certification body has assessed and approved an organisation, it will typically issue an approval or certificate of some sort, relevant to that scheme.
Sections 76 and 77 of the CPPA will bring in new provisions to enable the creation of third-party “codes of practice” and “certification programs” as a means to encourage new sectoral privacy protection self-regulation. The Office of the Privacy Commissioner of Canada (“OPC”) would act as an approval body for entities operating a certification program. The language of the proposed CPPA suggests that participation in these schemes is voluntary (though it is conceivable that licensing bodies could make participation in such a scheme a condition of licensing, or a membership-based organization could make participation a condition of membership).
Organizations may be familiar with this type of self-regulation program as there is a similar concept included in Articles 40 to 43 of the EU’s General Data Protection Regulation (“GDPR”). GDPR certification must be for a specific processing operation or set of operations that make up a product, process or service offered by your organisation. You should decide what product, process or service you offer that you want to have assessed and certified: for example, HR processing, an online payments system, marketing services or a customer management database.
What are codes of practice?
If passed, the CPPA would create a framework for entities to create third-party codes of practice and certification programs. An “entity” under sections 76 and 77 of the CPPA includes any type of organization (defined under the CPPA as an association, partnership, person or trade union), and is expanded to include organizations that are not subject to the CPPA, such as a not-for-profit organization (e.g., CSA), affiliations, or government institutions.
The entity may apply to the OPC for approval of a code of practice that provides for “substantially the same or greater protection” of personal information as some, or all, of the protections provided for by the CPPA. The language here provides some flexibility so that specific sectors may develop codes of practice that are tailored to the unique aspects of their sector/technologies common in their sector.
For example, an association of insurance providers could develop and submit a code of practice that provides an industry model on how insurance providers shall obtain consent for key data processing activities, including standard consent language, data sharing around background checks, and disclosure of data for the purposes of fraud.
Another example is Canada’s banking industry creating an association for the purposes of managing all of the data subject rights under the CPPA. The code of practice could establish a framework to allow banking customers to exercise their rights, including the new data mobility right, requiring one banking institution to transfer a customer’s personal information to another banking institution.
A technology-specific code of conduct could be developed by an umbrella organization whose membership is focused on the development of artificial intelligence, setting out standards and processes to meet the requirements of algorithmic transparency proposed in the CPPA.
Once developed, the code of practice must be approved by the OPC. This is discretionary, and the OPC “may approve” the code of practice if it determines that the code meets certain criteria, which will be set out in upcoming regulations.
Similar to Article 40 of the GDPR, it is expected that the regulations will require a code of practice to contain mechanisms that enable mandatory monitoring of members’ compliance with the code of conduct.
What is the certification program?
An entity may apply to the OPC for approval of a certification program that includes:
- a code of practice;
- guidelines for interpreting and implementing the code of practice;
- a mechanism to certify compliance with the code of practice;
- a mechanism for the entity to audit compliance with the code of practice;
- disciplinary measures for non-compliance, including revocation of a certification; and
- any other requirements that may be provided for by regulation.
Similar to the certification program under the GDPR, it is likely that in order to establish a certification program, entities will be required to enter binding and enforceable commitments, via contractual or other legally binding instruments, outlining their obligations to one another, and to data subjects. Further, it is expected that the mechanisms for enforcing compliance and dispute resolution will require an independent body with expertise in privacy law. In the banking example given above, for instance, a mechanism such as an independent body would be in place to resolve disputes around access and mobility.
It is worth noting that under the GDPR, in effect for two and a half years now, no certification scheme has yet been registered.
This type of self-regulated model is not foreign to Canada. AdChoices is the self-regulatory program for online interest-based advertising helping to provide notice, transparency, and accountability from the advertising sector online to consumers. The Digital Advertising Alliance of Canada (DAAC) is the not-for-profit consortium of trade associations that is responsible for administering the AdChoices self-regulatory program in Canada.
AdChoices shares many of the components of a certification program: it calls for advertising companies to establish and enforce responsible privacy practices for interest-based advertising aimed to give consumers enhanced transparency and control. Participating companies must adhere to the AdChoices principles, which are enforced by accountability programs, including auditing for non-compliance.
Powers of the OPC
The CPPA would also give the OPC the power to “request” (not require) that an entity operating an approved certification program provide the OPC with information that relates to the program. The scope of this provision is unclear, and could potentially include the OPC requesting information to be used in an investigation of the organization. There is also a provision which empowers the OPC to “cooperate” with a certification entity for the purpose of the exercise of the OPC’s powers, duties and function – which clearly contemplates OPC investigations and inquiries. Interestingly, this latter provision is permissive in allowing the OPC to cooperate with entities, but does not place an onus on the entity to similarly “cooperate” (though this may well find its way into subsequent regulations – see section 122 which permits the Minister of Innovation, Science and Economic Development Canada (ISED) (“Minister”) to make regulations “respecting record-keeping and reporting obligations of an entity that operates an approved certification program, including obligations to provide reports to the Commissioner in respect of an approved certification program”).
Note, too, that the OPC is empowered to disclose information to the Commissioner of Competition that relates to an entity that operates an approved certification program, or an organization that is certified.
The OPC will also have the power to request amendments to the certification program, reject the proposed program, and revoke an approval of a certification program in certain circumstances.
Compliance with a certification program is not a “safe harbour”
It is important to note that an organization’s compliance with a code of practice or certification program will not relieve an organization of its obligations under the CPPA; nevertheless, there are some benefits.
First, a code of practice and certification program would allow organizations to come together and establish standards of data processing and privacy protections in a manner that is tailored for their industry, their customers, their unique technologies and practices, and their business needs.
Further, a program may mitigate some risk. For example, while the OPC has the power to recommend penalties for contraventions of the CPPA, it is prohibited from making such a recommendation “if the Commissioner is of the opinion that, at the time of the contravention…the organization was in compliance with the requirements of an [approved] certification program”.
Similarly, while the OPC must investigate complaints, it may decline to do so if the complaint raises an issue in respect of which an approved certification program applies and the organization is certified under that program.
Consequently, a self-regulated certification program can allow an industry to establish its own privacy standards under the CPPA while alleviating the potential costs, resources and overall risk that would be incurred in dealing with the Commissioner.
However, because compliance with a certification program does not create a safe harbour, it may have limited appeal to organizations. If compliance with a certification program requires an assessment as well as a likely fee, whereas compliance with the CPPA can be done internally with limited cost, organizations may not see any benefit in participating in certification programs.
Furthermore, potential certification entities may have reservations about participating. Once an entity and its certification program are approved by the OPC, they are subject to certain aspects of the OPC’s powers to which they may not otherwise be subject. For instance, an unincorporated, not-for-profit industry group that does not handle personal information is likely not subject to PIPEDA. Once it becomes a certification entity, the OPC has the right to request that it provide certain information, and the Minister may well make regulations pertaining to its obligation to provide reports to the OPC. If that same group still proposed standards and processes for its membership, but did not apply to be a formal certification entity, these provisions of the CPPA would not apply to it.
Will it cost?
The CPPA is silent on the issue of costs. In other certification schemes, the relevant certification body typically charges a fee to carry out an assessment of processing activity. Cost may vary with the size of the organisation and the scale and complexity of the processing operations being assessed.
Regulations to come
Much is not yet known regarding the details of codes of practice and certification programs. The regulations are expected to outline not only the criteria discussed in this article but also the process itself, including how to submit an application, the information to be submitted, and when the Commissioner may revoke its approval of a certification program.