On November 17, 2020, the Federal Government of Canada introduced Bill C-11, which includes the Consumer Privacy Protection Act (CPPA), and the Personal Information and Data Protection Tribunal Act (PIDPTA). If adopted, these would introduce substantial changes to the Canadian privacy landscape, repealing the personal information related provisions of the current Federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and replacing it with a new privacy and data legal framework.
The government framed its purpose and underlying goal in introducing the new legislation as to strike a balance between protecting consumer's personal information, and allowing industry and innovation. To accomplish this balance, there are a number of additional protections for consumers, such as enhanced consent requirements, limitations on the use of deidentified information, and algorithmic transparency. However, the CPPA would also introduce multiple exceptions to the need for consent, which may provide industry actors room for flexibility. To further balance protection and industry, CPPA provisions would clarify the service providers' responsibilities and introduce further procedural fairness by establishing a Personal Information and Data Protection Tribunal (Tribunal) to which affected actors may appeal the Office of the Privacy Commissioner of Canada (OPC) decisions. Further discussion on PIDPTA, the proposed Tribunal and enhanced enforcement mechanisms will follow in a subsequent article.
The CPPA will retain core elements of the PIPEDA, in particular, in stating that its purpose is to balance the privacy rights of individuals with the needs of organizations to collect, use, and disclose personal information, in a manner that a "reasonable person would consider appropriate in the circumstances". The Act describes us as living in "an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information". The stated purpose of the Act will be a core interpretive provision, which we would expect the OPC, and ultimately the Tribunal, to consider in interpreting the CPPA requirements.
Strengthening consent, but not without exceptions
If adopted as written, under the CPPA, an organization must obtain the valid consent of the individual prior to collecting, using, or disclosing personal information. The CPPA will codify that the default requirement is express consent, unless the organization is able to establish that implied consent is appropriate in the circumstances. For implied consent to be appropriate, one must consider the reasonable expectations of the individual, and the sensitivity of the personal information to be processed.
The CPPA recasts the situations in which an organization may collect, use, or disclose personal information without consent, where its activities fall under one of the exceptions in sections 18 to 52.
Of notable interest are the exceptions in the proposed section 18 business interests, section 19 service providers and section 39 socially beneficial purposes.
(a) Business Interests
Under the business interest exception, an organization can gather or use personal information without the individual's knowledge or consent if a reasonable person would expect such a collection or use and the information relates to one of the following activities:
- an activity necessary to provide or deliver a product or service that the individual has requested from the organization;
- an activity that is carried out in the exercise of due diligence to prevent or reduce the organization's commercial risk;
- an activity that is necessary for the organization's information, system or network security;
- an activity that is necessary for the safety of a product or service that the organization provides or delivers;
- an activity in the course of which obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual; and
- any other prescribed activity.
Critically, these exceptions do not apply where the personal information is collected or used to influence an individual's behaviour or decisions. Thus, use of personal information for advertising and profiling purposes remains subject to the consent requirement. Separately, many of the exceptions are qualified by "necessity". Organizations relying on these would need to carefully consider what information is truly "necessary" for their recorded purposes, as opposed to that information which is merely "reasonable" or "helpful".
(b) Service Providers
The CPPA clarifies the role of service providers, specifically stating that an organization may transfer personal information to a service provider without the knowledge or consent of the individual. Further, service providers are specifically required to comply with the security provisions of the CPPA, but are not responsible for compliance with the provisions pertaining to consent, provided they are strictly acting as a service provider. Should the service provider process the information for any purpose other than that for which it was provided the information, it would be subject to the full requirements of the CPPA. Organizations would be required to ensure that personal information is provided substantially the same level of protection in the hands of their service providers.
An open question regarding service providers is whether processing personal information to generate deidentified information (which is now explicitly subject to the CPPA) will be considered information "use" by the service provider. If so, would that bring it outside the scope of the service provider exemption and therefore require consent for the original transfer? This may have dramatic and unintended consequences for use of service providers who routinely include the right to deidentify and use information for development purposes within their contracts.
(c) Socially Beneficial Purpose
The other noteworthy exception is that an organization may disclose information without the individual's consent or knowledge if the information is deidentified and the disclosure is made to a government, health care, library, education, or other institute for a socially beneficial purpose.
However, as with most rules, there is an exception to the consent exceptions. Under section 52, an organization cannot collect people's electronic address through a computer program without knowledge or consent. This continues the existing limitation on the use of "address harvesting software" to collect email addresses without the knowledge of their owners.
As with the PIPEDA, another aspect of consent is the ability to revoke it. This Bill expands the rights of the individual with respect to their own personal information. An individual can request her personal information that an organization controls and can also ask for the organization to delete that information (the PIPEDA contained a right of withdrawal, but not deletion, which can be difficult for organizations to implement in practice). The CPPA proposes a right of data mobility allowing individuals to direct one organization to transfer their personal information to another. Additionally, subject to certain limitations, the individual can withdraw her consent.
Limited uses for deidentified information
Interestingly, and concerningly, the CPPA would limit how organizations may use deidentified information without explicit consent. First, the CPPA resolves a common debate in privacy laws as to whether the "use" of personal information to generate deidentified information is itself a "use" that requires consent of the individual, by providing organizations with the right to deidentify personal information without consent. However, the CPPA then appears to make "deidentified" data subject to the requirements of the Act, which is implicit in the fact that the CPPA appears to assume that, absent an exception, the use and disclosure of deidentified data requires consent. This is implicit in the fact that the CPPA proposes certain "exceptions" that would allow for use and disclosure of deidentified data without consent of the individual. These include an exception to consent for the use of deidentified data for internal research purposes or for a prospective or completed business transaction (notably, the PIPEDA allows for use of identifiable data in this context, so the exception for proposed business transactions under the CPPA is more narrow).
Second, there is also an exception to consent for disclosure of deidentified data, but it is very narrowly confined and essentially only permits disclosure to certain public bodies for socially beneficial purposes. Again, this raises the question of whether consent is required for other uses of deidentified information, rather than such information simply not constituting personal information. This appears to conflict with the very definitional structure of the CPPA if the information is truly deidentified such that it does not "identify an individual" and could not "in reasonably foreseeable circumstances, alone or in combination with other information, (be used) to identify an individual" what privacy rights are truly being protected? The CPPA does not address whether the law accepts that personal information can be "anonymized" and therefore taken out of the scope of the law, and does not address the uses or disclosure of "aggregated" data. The CPPA would also implement a proportionality measure that further limits any deidentified information use. Any technical or administrative measures applied to deidentify the data must be proportionate to the data's sensitivity and the organization's purpose in collecting the data.
Finally, the CPPA would prohibit an organization from using deidentified information to attempt to identify an individual. Oddly, as drafted, this provision does not contemplate certain cases where the reidentification may be necessary or done with consent, and does not clarify how to obtain consent, without first identifying the individual. For example, reidentification may be necessary for the research. Further, if consent is truly required to process deidentified data for purposes other than those stated in the CPPA as exempt from such a requirement, how could an individual withdraw consent, without associating the individual making the request with the deidentified data? Those who breach this prohibition risk being subject to the maximum penalty of 5% of global revenue, or $25 million, whichever is more.
Bill C-11 introduces new measures to shine light on algorithms that collect and use information to make certain predictions, recommendations, or decisions. Under the proposed section 62, organizations must explain to consumers, in plain language, their policies and practices when it comes to fulfilling their obligations under the Act, including with respect to "automated decision systems".
In order to comply with the Bill, organizations must provide:
- a description of the type of personal information under the organization's control;
- a general account of how the organization uses personal information, including how it applies the consent exceptions outlined in the Act;
- a general account of the organization's use of any automated decision systems to make predictions, recommendations, or decisions about individuals, that could have significant impacts on them;
- information on whether or not the organization discloses the data internationally or inter-provincially or disclosures that may have reasonably foreseeable privacy implications;
- a description of how individuals may request the organization to access or dispose of their personal information; and
- the business contact information of the individual to whom complaints or requests for information may be made.
On request of an individual, organizations would need to provide an explanation of their use of any automated decision system to use personal information to make a prediction, recommendation or decision, and an explanation of the prediction, recommendation or decision.
Next Steps and Further Considerations
There has been no movement on Bill C-11 in the House of Commons since the initial debate at Second Reading on November 24, 2020. There will likely be much more debate and potentially some alterations as the Bill makes its way through Committee, Third Reading in the House of Commons and considerations in the Senate. However, it is clear that dramatic changes are coming to the privacy landscape in Canada.
Notably, Quebec has recently proposed a substantial overhaul of its privacy legislation in the form of its Bill 64. Currently, the requirements under Quebec Bill 64 are not equivalent to the Federal Bill C-11, which may pose compliance challenges for national organizations should both Bills be adopted in the form proposed. Similar to the PIPEDA, the CPPA contemplates orders in council exempting organizations subject to "substantially similar" provincial privacy legislation from the application of the CPPA in respect of their activities within that province. Currently, the privacy legislation in Alberta and British Columbia has been declared "substantially similar" to the PIPEDA; however, it remains unclear if they will be likewise deemed "substantially similar" to the CPPA, particularly given the extent to which the CPPA differs from the PIPEDA.
If Bill C-11 passes, then it will come into force on a day set by the Governor in Council.
Article provided by: Wendy Wagner (Gowling WLG, Canada)
Dr. Tobias Höllwarth (Managing Director INPLP)