Nov 23 2020
On November 17, 2020, Bill C-11, The Digital Charter Implementation Act, was introduced in the House of Commons. Bill C-11 updates the federal privacy framework through a new statute, the Consumer Privacy Protection Act (“CPPA”). While the bill is only on its first reading and will likely undergo changes, there are several proposed sections that are worth noting including:
- Consent Required. The CPPA maintains that organizations seeking to collect, use or disclose personal information must obtain an individual’s valid consent. In order for consent to be valid, at or before collecting personal information, an organization must provide an individual with the purposes, manner and consequences of personal information being collected, used or disclosed, as well as the type of personal information and the identity of third parties to which personal information may be disclosed. Notably, any transfer of an individual’s data across borders must be disclosed. There are exceptions to the requirement for valid consent, including for certain business activities defined within the CPPA.
- Data Portability. The CPPA introduces the concept of data portability, allowing an individual to require disclosure of personal information from one organization to another. The mechanism for this data mobility is to be determined by regulations.
- De-identification. The CPPA provides bases and exemptions to use individuals’ de-identified personal information without their knowledge or consent, including, for example, for an organization’s internal research and development purposes. Data de-identification and anonymization are complex processes that are difficult, and sometimes impossible, to perform properly. It is unclear whether the regulations in their final form will provide meaningful safeguards against the dissemination of improperly de-identified data. However, the CPPA seems to anticipate this difficulty, providing additional prohibitions against attempts to use de-identified data to reconstruct individuals’ personal information.
- Artificial intelligence and machine learning. The CPPA requires that if an organization “has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.” This algorithmic transparency provision appears to be intended to grant individuals the right to know how algorithmic decisions affecting their interests (e.g. a loan application rejection or a social media account ban) were determined. It remains to be seen what type of “explanation” will satisfy this provision.
- Disposal of Personal Information. Under the CPPA, an individual will be able to make a written request to an organization to dispose of the individual’s personal information. The CPPA also requires that an organization receiving such a request inform any third-party service provider to which it has transferred the personal information and obtain a confirmation of disposal.
- Significant Penalties. In addition to granting order-making authority to the Privacy Commissioner for the first time, the CPPA introduces a new tribunal, the Personal Information and Data Protection Tribunal. The Privacy Commissioner may recommend that a penalty be imposed on an organization for certain breaches under the CPPA, including a maximum penalty of “the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed”. For certain serious offenses – breaches of disclosure rules, data retention requirements, identifying individuals whose personal information was de-identified, or sanctioning a whistleblower – the organization may be liable for a higher fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced.
- Private Cause of Action. The CPPA introduces a private cause of action for damages for loss or injury (which must be proven) if the Commissioner or Tribunal has made a finding of an organization’s contravention of the CPPA.
Overall, the proposed legislation adopts many of the data protection and data portability principles of Europe’s General Data Protection Regulation (GDPR), including the principle that the regulation may be enforced against any entity worldwide, regardless of the extent of their business dealings in a specific jurisdiction. Once the CPPA has been finalized, companies potentially receiving personal information from individuals in both Europe and Canada may find it efficient to craft a single set of internal policies to enable compliance with both regulatory regimes.
The CPPA is intended to implement portions of Canada’s “Digital Charter”, an initiative outlined in mid-2019 by Canada’s Minister of Innovation, Science and Industry. The Digital Charter as currently conceived includes a number of broadly defined policy goals not addressed by Bill C-11; it is as yet unclear when, whether, or in what form those other policies will be implemented.
Bill C-11 will go through the usual motions through parliament and will likely undergo revision. However, given that the bill is the first major revision to Canada’s federal privacy framework since the Personal Information Protection and Electronic Documents Act received Royal Assent on April 13, 2000, modernization is necessary. For more information or for questions on compliance with privacy legislation, please contact one of our privacy professionals.
Tags: Abbas Kassam, Bill C-11, Consumer Privacy Protection Act, CPPA, GDPR, Matthew Norwood, Privacy