Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020. It proposes the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating the management of personal information in the private sector.
Click here for a more general discussion of the changes introduced by the Bill; scroll to the bottom for links to other posts in the CPPA: In Depth series.
Move away from permissive language to mandatory language
One of the key changes under Bill C-11 is the move away from principles-based PIPEDA (based on the OECD Principles, which found their way into a schedule to PIPEDA) to enacting actual language and obligations within the statute itself. While substantively very similar to the principles under Schedule 1 of PIPEDA, the provisions proposed in Bill C-11 will bring additional clarity about requirements for compliance, in part because much of the language of the Schedule in PIPEDA (“should”) would be replaced by clear requirements under the CPPA (“must”). For example, PIPEDA’s Principles on accountability and openness hold organizations accountable and require them to make public and readily available detailed information on their policies and practices for the management of personal information. Under the CPPA, these principles are more clearly articulated, with concrete obligations for compliance.
New emphasis on privacy management programs under the CPPA
While not spelled out under PIPEDA, the concept of a privacy management program as demonstration of accountability through appropriate policies and procedures that promote good practices has appeared in previous guidance from the Office of the Privacy Commissioner of Canada (“OPC”). OPC guidance reflects the OPC’s interpretation of PIPEDA, but is non-binding.
Whereas PIPEDA requires various standalone elements to address privacy concerns, the CPPA would speak (in section 9) in terms of a comprehensive “privacy management program”. This program would have to include “policies, practices and procedures put in place to fulfil [the organization’s] obligations” under the CPPA. The CPPA would also set out what types of policies, practices and procedures would be required to demonstrate accountability for the protection of personal information. These policies, practices and procedures must include those that address the protection of personal information as well as how requests for information and complaints are received and dealt with. In addition, the CPPA would require that training and information be provided to the organization’s staff respecting its policies, practices and procedures, along with the development of materials to explain the organization’s policies and procedures put in place to fulfil its obligations under the CPPA.
The CPPA would also require that an organization’s privacy management program be proportionate to the volume and sensitivity of the personal information that the organization controls. A similar obligation exists in PIPEDA, but it is more narrowly framed in terms of the form of consent and the safeguards protecting personal information needing to be appropriate to the sensitivity of the information.
In a new provision under the CPPA (section 109(e)), the OPC would also, on request by an organization, have to “provide guidance on the organization’s privacy management program”.
Readily available information presented in plain language
PIPEDA’s Openness Principle requires organizations to make information about privacy policies and practices “readily available” to individuals. This requirement would be transposed into the CPPA, but the CPPA would also create new standards for the type of information to be presented and the manner in which organizations must present such information to individuals.
Additional information required
The Openness and Transparency provisions in the CPPA would also include a restructuring and restatement of the obligations under Principle 4.8.2 of PIPEDA, mandating the type of additional information that an organization must make available in fulfilling its obligations of openness and transparency under the CPPA. In privacy policies under the CPPA, organizations would need to:
- Describe the type of personal information being handled
- Provide a general account of how the organization uses personal information, and application of any consent exceptions
This is another nod to the current obligation under PIPEDA’s Principle 4.8.2(c). However, the CPPA would unpack the current obligation and introduce a further requirement to provide a general account of how the organization will apply exceptions to consent, should it choose to process personal information without the consent of the individual. The exceptions to the requirement for consent under the CPPA [discussed in more detail in our other post here] mirror current exceptions under PIPEDA, but the CPPA also introduces new, broader ones, such as exceptions for certain enumerated business activities, for de-identifying personal information, for research and development within the organization (provided the information is first de-identified) and for socially beneficial purposes (if the information is first de-identified and if the disclosure is to a government or health care institution).
- Provide a general account of the use of any automated decision system to make certain predictions, recommendations or decisions
- Provide information about international or interprovincial transfers or disclosure of personal information that may have reasonably foreseeable privacy implications
Personal information transferred to a different country becomes subject to that country’s laws. Considering the purpose of the CPPA, which recognizes the importance of the flow of personal information across borders and geographical boundaries in economic activity, it is no surprise that a transparency requirement about international transfers is included. Nevertheless, not every international transfer must be flagged in the policy. Information about international and interprovincial transfers must be provided only if there are “reasonably foreseeable privacy implications,” such as when the privacy and data protection legal framework in the foreign jurisdiction may affect the individual’s rights to privacy. This is in line with current guidance from the OPC to include in the policy information about storage in, or transfers to, a foreign jurisdiction.
- Provide information about an individual’s right to disposal of or access to their personal information
The CPPA would introduce new privacy rights for individuals, and as a result, the transparency obligations include the requirement for organizations to provide enough information for individuals to know how to exercise their new rights under the CPPA. Among these new rights is the right to request the disposal of personal information. For further discussion of access rights, see our article here. For a further discussion of disposal rights and obligations, see our article here.
- Provide contact information
The organization must make public the business contact information of a designated individual within the organization to whom complaints or requests may be directed. This is the same requirement as found in PIPEDA.
The current regime makes the organization accountable to the individuals whose information the organization collects, uses or discloses. Under the CPPA, the OPC would have the power to challenge organizations and hold them accountable by requesting access to the policies, practices and procedures included in the organization’s privacy management program (section 10). For this reason, organizations may want to ensure they have a clear understanding of what is, and what is not, within the privacy management program, so as to avoid having to disclose peripheral information or materials if asked.
Under the CPPA, the OPC’s enforcement powers would be expanded, allowing the OPC to issue findings of contraventions of the CPPA and issue compliance orders. A compliance order may be issued to make an organization take certain measures to comply with the CPPA or stop doing something that is in contravention of the CPPA. With the new privacy regime, the Privacy Commissioner would be able to recommend that monetary penalties be imposed by the newly formed Tribunal.
For further information on penalties, orders and other enforcement provisions, see our previous post here.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.