Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020, proposing the new Consumer Privacy Protection Act (CPPA) as a replacement for the existing Personal Information Protection and Electronic Documents Act (PIPEDA), the federal legislation regulating privacy in the private sector.
This is the first of a series of articles addressing specific issues raised by the proposed CPPA. This article addresses how the proposed CPPA would affect businesses that use service providers to process personal information, as well as those businesses acting as service providers.
A more general discussion of the changes introduced by the Bill is available separately; links to other posts in the CPPA: In Depth series appear at the end of this article.
The CPPA would clarify the nature of the service provider relationship
PIPEDA does not define “service provider” nor does it define what constitutes a “service provider” relationship. PIPEDA’s locus of control is on the organization that is responsible for information in its possession or control, which includes “information that has been transferred to a third party for processing.” PIPEDA attempts to ensure the safety of personal information transferred to service providers by requiring a transferring organization to use contractual or other means to ensure the transferred information receives protection that is “comparable” to that which it provides. In addition, the service provider is only permitted to use the transferred personal information for the same purpose as that identified by the transferring organization at the time of collection.
Under the proposed CPPA, any organization providing services for or “on behalf of another organization to assist the organization in fulfilling its purposes” would be considered a “service provider”. Personal information is deemed to be “under the control” of the organization “that decides to collect it and that determines the purposes for its collection, use or disclosure”. This is true whether the information is collected, used or disclosed by the organization itself or by a service provider. This resolves a problem that arose under PIPEDA where either highly integrated entities or entities working in partnership across a data supply chain (e.g., franchise or dealership business models) were mutually involved in multiple steps, leading to confusion about who was responsible for what.
Under the proposed new language of CPPA, the question of whether a service provider relationship exists would be answered with reference to which organization ultimately makes decisions about personal information. This new language adopts the conceptual basis of controller/processor found in the GDPR.
CPPA definitions of controller/service provider may disrupt existing contractual risk shifting
Businesses with an established business model may, under the CPPA, find that the accountability for personal information has been turned on its head. For instance, in a franchise-type model where personal information was collected at the franchise level, and then provided to the central franchisor, accountability under PIPEDA may well be with the franchisee; under the CPPA, if it is the franchisor determining what is collected and how it is to be used, the franchisor may be the accountable entity, despite the actual collection occurring at the franchise level. This has implications beyond the statute – it may well disrupt existing contractual obligations in respect of breach reporting and notification, limitations of liability and indemnification provisions.
The CPPA contains a carve-out from Part I for service providers, and the broader obligations under that Part would not apply to those organizations acting within the definition of service provider. However, the CPPA would provide that were a service provider to collect, use or disclose information transferred to it for any purpose other than that for which the information was transferred, it would incur all of the same obligations as any other principal organization. Businesses should be aware that any processing of personal information outside the scope of an agreement with a principal organization would likely result in the CPPA applying to them in its entirety. Under the CPPA, organizations acting as service providers will need to be very careful about how the scope of their processing activities is defined in their service contracts with principal organizations. Service providers will also need to be careful about putting in place controls to ensure that the received information is processed only within the scope agreed to.
Neither knowledge nor consent required to transfer to a service provider
The CPPA would permit organizations to “transfer an individual’s personal information to a service provider without their knowledge or consent.” This was an area of confusion under PIPEDA, and the subject of numerous OPC findings. As recently as August, the OPC in a Finding on this point noted that “[o]rganizations transferring personal information to third-party processors should communicate clearly about this transfer to both current and potential customers.” Under the CPPA, it appears this would not be necessary, as the language of the CPPA requires neither knowledge nor consent. However, s. 62(2)(d) of the CPPA would nonetheless require that an organization make readily available information about whether it makes international or interprovincial transfers or disclosures if such transfers or disclosures would have “reasonably foreseeable privacy implications”.
Note that under Quebec’s Bill 64, which would substantially revise that province’s private sector privacy law, a transfer by an organization that is “necessary for carrying out a mandate or performing a contract of enterprise or for services” is permitted without consent (s. 18.3). Bill 64 is silent on whether knowledge is required.
The scope of what constitutes a “service provider” would be broadened
In addition to a contractor or subcontractor, the CPPA would define a service provider to include a parent corporation, subsidiary, or affiliate providing services for or on behalf of another organization. Businesses should be aware that the processing of personal information by a related company on its behalf (as opposed to a vendor or contractor) could amount to a service provider relationship.
This has positives and negatives. On the one hand, some parent organizations may be surprised to find that, by virtue of providing back-end systems and support, they may now be “service providers”, and have some of the obligations that accompany that status (e.g., the obligation to notify the transferring organization of a breach of security safeguards).
On the other hand, the explicit rejection by the CPPA of the need for knowledge or consent for transfers to service providers is likely to make intracompany transfers of such information easier.
“Comparable” versus “substantially the same” – threshold for protection higher?
Like PIPEDA, the CPPA would require an organization transferring personal information to a service provider to ensure, by contractual measures or otherwise, that the transferred information is protected in the hands of the service provider. The PIPEDA requirement is that such measures provide “a comparable level of protection”; the CPPA would require that such measures provide “substantially the same protection”. Is this a distinction without a difference? Arguably. Equally arguable is that the CPPA standard is higher because it requires substantially the same protection, where the PIPEDA standard only requires that there be a comparable level of protection (instead of, say, comparable protection).
New obligations on both service provider and controller regarding disposal
If an organization were to dispose of personal information in response to an individual’s request to do so (itself a new right under the CPPA), the organization is required, “as soon as feasible”, to inform any service provider to which it has transferred the information of the request, and obtain confirmation from the service provider that the information has been disposed of. Implicit in this obligation is that the organization knows to which entities it has transferred the personal information at issue, which means organizations will need to have performed (and continually update) data mapping.
As they do under PIPEDA, businesses would need to continue implementing robust contractual protections over information transferred to service providers for processing. Under CPPA, businesses will likely want to include a requirement for service providers to track and record information disposal requests. From the perspective of service providers, they will likely want to ensure they have appropriate logging and documentation in place to provide evidence of compliance.
Service providers would be required to notify controllers about any breach affecting any personal information
Unlike PIPEDA, the CPPA would require service providers to, as soon as feasible, notify the controlling organization if “any breach of security safeguards has occurred that involves personal information”.
This language casts the net very broadly, requiring service providers to notify controlling organizations of “any” breach, not just a breach which creates “a real risk of significant harm”, which is the reporting and notification threshold for breaches affecting the controlling organization. Note, too, that the breach at the service provider need not involve the controlling organization’s information – any breach, affecting any personal information held by the service provider, would appear to trigger the obligation. This means that, for instance, a payroll processor with 200 customers that had an employee misdirect an email to Person B containing the personal information of Person A would be required to notify all 200 of its customers of the incident.
The controlling organization would still have the gating mechanism of deciding whether such an incident posed a “real risk of significant harm” and presumably would report/notify on that basis. However, in the scenario provided above, the notifications from the service provider would only be relevant to one organization (the one having the information under its “control”, as that is the one that has the reporting obligation to the OPC and the notification obligation to affected individuals). Query the utility of having 199 other organizations receive notices from a service provider. Furthermore, requiring this creates a risk of secondary breach, in the event the service provider inadvertently includes identifiable information in its 200 notifications.
Note that under Quebec’s Bill 64, a similar obligation (s. 18.3(2)) would be triggered where the service provider becomes aware of “any violation or attempted violation by any person of any obligation concerning the confidentiality of the information communicated.” There is similarly no “real risk of significant harm” threshold and the Bill 64 provision includes not just violations, but attempted violations. Bill 64 also requires that the service provider permit the controller to conduct any verification relating to confidentiality requirements.
Other posts in the CPPA: In Depth series:
Further parts in the series are pending.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.