Federal Privacy Regulation 2.0: Now with Bite and Bark
This week, the Canadian Federal Minister of Innovation, Science and Industry introduced for first reading in Parliament Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (the “Bill”). Unlike the current federal private sector privacy regime, the Bill includes real teeth, so there will be important consequences for non-compliance. Also, the Bill includes new and potentially onerous regulatory requirements.
If passed into law, the Bill would: (a) amend and replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”) with a new Consumer Privacy Protection Act (“CPPA”), and (b) enact the Personal Information and Data Protection Tribunal Act, including the establishment of a new Information and Data Protection Tribunal (the “Tribunal”) that will be empowered to hear appeals of decisions of the Privacy Commissioner of Canada (“Commissioner”) and impose penalties under the CPPA.
The CPPA’s Bite
The CPPA, like PIPEDA, generally permits organizations to use, collect and disclose personal information of an individual, on a limited basis, where the individual provides valid consent. Most of its core provisions mirror PIPEDA, as currently interpreted in guidance issued by the Commissioner and many best practices. However, in a radically different approach to PIPEDA’s ombudsman model, where the Commissioner has no power to make binding orders, the CPPA empowers the Commissioner to order an organization to:
(a) take measures to comply with the CPPA;
(b) stop doing something that contravenes the CPPA;
(c) comply with the terms of a compliance agreement that has been entered into by the organization; or
(d) make public measures taken or proposed to be taken to correct the policies, practices or procedures the organization has put in place to fulfil its obligations under the CPPA.
The cost and disruption to an organization of implementing such orders may be considerable. While an appeal to the Tribunal from such orders is available, the legislated standard of review is such that in many instances the Commissioner will have the last word on compliance measures to be taken by an organization.
Also, if an organization has contravened certain of the key requirements of the CPPA, the Commissioner may recommend that the Tribunal impose a financial penalty on the organization. This penalty is capped at “the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed”. In addition, for the most serious offences, the Bill proposes “the strongest fines among G7 privacy laws – with fines of up to 5% of revenue or $25 million, whichever is greater”[1] upon prosecution. The CPPA also creates a private right of action against non-compliant organizations, making CPPA-based class actions possible, but that right is circumscribed.
These “teeth” change the risk management profile of privacy matters falling within the scope of the CPPA and likely how many organizations will deal with Canadian privacy issues.
The New Regulatory Bark
The CPPA contains a requirement that every organization that collects, uses or discloses personal information about individuals in the course of its commercial activities must establish a “privacy management program” that includes the organization’s policies, practices and procedures implemented to fulfil its obligations under the CPPA. The program must have regard to the volume and sensitivity of the personal information under the organization’s control. Alone, this would not be a major development as many organizations that deal with voluminous or sensitive personal information already have such a program.
What is new is that the CPPA grants the Commissioner the power to access and, effectively, regulate an organization’s privacy management program. The scope of the Commissioner’s mandate to proactively investigate privacy management programs, in the absence of a consumer complaint, is not constrained by the CPPA. When combined with the Commissioner’s order-making power, this regime creates a potentially onerous regulatory exercise for many organizations. An organization will need to document how exactly it will comply with the CPPA, knowing that the Commissioner can, at any time, access that documentation and order the organization to fix anything the Commissioner finds is out of compliance. The Tribunal’s power to impose a penalty does not extend to a privacy management program alone not being compliant, but the Commissioner’s investigation into the program may reveal other contraventions that do attract penalties (for example, failure to protect personal information through proportionate physical, organizational and technological safeguards).
Another CPPA regulatory “bark” is the added requirement that personal information may be shared between parties negotiating a transaction for the purposes of due diligence only if that information is de-identified before it is used or disclosed and remains so until the transaction is completed. In certain transactions, this may be an important change from current practices, whereby data is usually simply protected under a non-disclosure agreement that contains the elements required under statute.
The CPPA also provides individuals with at least three completely new privacy rights under Canadian law:
- a right of algorithmic transparency, whereby individuals whose personal information is subject to an automated decision system (such as predictive analytics and machine learning) may require the organization to provide an explanation of the automated decision and how the personal information was obtained;
- a right of disposal, whereby individuals may request an organization dispose of all information it has collected from the individual; and
- a right to data mobility, whereby individuals would have the right to direct the transfer of their personal information from one organization to another.
Next Steps
The Bill still has to go through the legislative process. We expect it to be the subject of consultation, Parliamentary committee analysis and, perhaps, alteration before being passed into law. For this reason, we have focussed in this Update on only a small number of aspects of the proposed CPPA. However, there are a multitude of changes being proposed for Canada’s privacy law regime, some of which may be important for particular industries and businesses. With privacy-related legislative efforts underway in Quebec, Ontario, British Columbia and now federally, this is a subject to watch in the months ahead.
The authors would like to thank Emma Baumann, Articling Student-at-Law, for her assistance in preparing this Update.
[1] Innovation, Science and Economic Development Canada, News Release: New proposed law to better protect Canadians’ privacy and increase their control over their data and personal information, November 17, 2020.