December 7th, 2020

The Canadian government has proposed the most significant changes to Canadian privacy law since the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law, came into force in April, 2000.

The changes are set out in the new Bill C-11, which proposes the enactment of two new statutes: the Consumer Privacy Protection Act (CPPA), and the Personal Information and Data Protection Tribunal Act (PIDPTA). If these new laws are passed, the privacy provisions of PIPEDA will be replaced and a new Personal Information and Data Protection Tribunal (Tribunal) will be established. These laws will apply to a wide range of entities that collect, use and disclose personal information in the course of commercial activities inside Canada or across the borders of Canada or its provinces.

Bill C-11 will have to successfully pass through a long legislative process before becoming law.. Subject organizations should be aware of it now, however, to start preparing for the changes it may bring. The following summarizes the key changes that will be made to Canadian privacy law if the CPPA and PIDPTA are enacted.

Enforcement

The CPPA will grant the Office of the Privacy Commissioner of Canada (OPC) new powers to make orders regarding CPPA non-compliance. The OPC will also receive new powers to make recommendations to the Tribunal that it impose fines on an organization, up to the greater of $10,000,000 or 3% of the organization’s global gross revenues for the previous fiscal year, where the organization has violated the CPPA’s key provisions. The most egregious CPPA violations will constitute offences punishable, upon prosecution, with a fine up to $25,000,000 or 5% of the organization’s global gross revenues.

The CPPA will also introduce a new private right of action whereby an individual may bring a claim against an organization for damages for loss or injury suffered as a result of the organization's contravention of the CPPA, provided the Tribunal determined the organization contravened the CPPA, or the OPC found the organization contravened the CPPA and the finding may no longer be appealed.

Consent

Consent to collect, use or disclose personal information will remain at the core of Canada's privacy law. New exceptions to the consent requirement will be established such that organizations will be permitted to collect or use personal information without the individual's consent:

• to provide the individual a requested product or service;
• to exercise due diligence or reduce the organization's commercial risk;
• to carry out an activity that is necessary for the organization's information system or network security;
• to carry out an activity that is necessary for the safety of a product or service that the organization provides or delivers; or
• to carry out an activity where obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual.

These exceptions will not apply where the personal information is collected or used to influence an individual's behaviour or decisions. Further, as is currently the law under PIPEDA, an organization will not be permitted to collect a person's electronic address through a computer program without their knowledge or consent.

New Individual Rights

In addition to the private right of action described above, the CPPA will grant individuals a number of rights they do not currently have under PIPEDA. These include rights to:

• be informed of automated decision-making;
• require organizations to delete personal information about the individual that was collected from them; and
• direct an organization to transfer the individual's personal information to another organization under limited circumstances.

Automated Decision-Making

The CPPA will require organizations to make information readily available to individuals that explains the organization's use of automated decision systems to make predictions, recommendations or decisions about them that could have significant impacts on them.

Privacy Management Programs

The CPPA will require each organization to implement a “privacy management program” that includes the policies, practices, and procedures the organization implements to fulfil its CPPA obligations. These policies will have to address the organization's:

• protection of personal information;
• handling of inquiries and complaints;
• training of staff on policies and procedures; and
• development of materials to explain the policies and procedures.

When developing its privacy management program, each organization will be required to consider the volume and sensitivity of the personal information under its control. The CPPA will also require each organization to give the OPC access to its policies and procedures upon request.

Business Transactions

If passed as currently proposed, the CPPA may create problems for business mergers and acquisitions. Unlike the broad exception under section 7.2(1) of PIPEDA, the CPPA will permit organizations to use and disclose an individual’s personal information without the individual's knowledge or consent for purposes of a proposed business transaction only if the information has been de-identified. This may be problematic for purchasing businesses where value is placed on specific human resource assets. It is unclear how this requirement will work along with the new consent exception for due diligence purposes outlined above.

Codes of Practice and Certification Programs

The CPPA will enable organizations to create “codes of practice” and “certification programs” for approval by the OPC. The OPC may approve these codes and programs only if they provide the same, or greater, level of protection as the CPPA requires. Compliance with such a code or program will not relieve the organization from its obligations under the CPPA.

Peter Murphy is a partner at Shibley Righton LLP in Toronto.