Back to the drawing board again: Canada’s second attempt at privacy legislation revamp


Data Protection, Privacy and Security Alert


On June 16, 2022, Canada’s Innovation Minister François-Philippe Champagne presented Bill C-27, the Digital Charter Implementation Act, 2022 (the “DCIA”) for first reading.

Bill C-27 is the second attempt to reform private-sector privacy law in Canada under one of the ten principles of "Canada's Digital Charter", following Bill C-11 in 2020, which died on the Order Paper when Parliament was dissolved for the 2021 federal election. The proposed bill is intended to modernize and strengthen privacy protections for consumers and to provide clear rules for private-sector organizations. This article explores the differences between 2020's Bill C-11 and the current Bill C-27, as well as what the new bill means for Canada's privacy landscape.

Structure

Like Bill C-11, Bill C-27 will replace the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) by splitting its contents into several Acts, leaving the “electronic documents” part in the existing legislation and renaming it the Electronic Documents Act (though, frustratingly, doing little, in spite of a recent pandemic, to update digital records and signature laws). The DCIA enacts the Consumer Privacy Protection Act (the “CPPA”) with some fresh updates to reflect changing realities in the private sector, and establishes a new Personal Information and Data Protection Tribunal (the “Tribunal”) under the Personal Information and Data Protection Tribunal Act (the “Tribunal Act”).

Additionally, the 2022 DCIA includes a new Artificial Intelligence and Data Act (“AIDA”), a novel piece of legislation that creates rules around the deployment of AI technologies, including establishing an AI and Data Commissioner, assessing and mitigating the risks of harm and bias, and outlining criminal offences and penalties relating to the use of AI technologies. We explore the AIDA in more detail here, but a brief summary will follow.

Consumer Privacy Protection Act

The CPPA includes expanded powers for the Office of the Privacy Commissioner of Canada, an expansion of an individual's right to informed consent, and rights for consumers on data portability, transparency in automated decision systems, and de-identification and disposal.

Consent

Consent remains a major feature of the CPPA's privacy regime. Under the CPPA, subject to numerous exceptions, an organization must obtain an individual's consent at or before the time of collection, use or disclosure of the individual's personal information.

Bill C-27 expands on what constitutes valid consent, adding a definition of "plain language". An individual's consent is valid only if the organization provides the prescribed information in plain language "that an individual to whom the organization's activities are directed would reasonably be expected to understand."

An individual can withdraw their consent on reasonable notice, and upon receiving that notice the organization must, "as soon as feasible", stop collecting, using or disclosing their personal information.

Bill C-27 updates and expands on Bill C-11's many exceptions regarding consent. Under the "business activities" exception, an organization may collect or use personal information without the individual's knowledge or consent in order to:

  • provide them with a product or service they have requested;
  • perform activities necessary to the organization's information, system or network security; and
  • perform activities necessary for the safety of a product or service the organization delivers.

After many complaints from privacy regulators about Bill C-11's heavy reliance on consent, Bill C-27 adds a "legitimate interest" exception, similar to the one in the EU's General Data Protection Regulation, that allows the collection or use of personal information without consent. Under that provision, the organization must have "a legitimate interest that outweighs any potential adverse effect on the individual resulting from the collection or use", but only where:

  • a reasonable person would expect the collection or use for such an activity; and
  • the personal information is not collected or used for the purpose of influencing the individual's behaviour or decisions.

If an organization relies on this exception, it must identify any potential adverse effects before collection, take reasonable measures to reduce those adverse effects, record in writing how it has met these conditions, and provide that record to the Commissioner on request.

Interestingly, and perhaps as a result of that "legitimate interest" addition, Bill C-27 removes two of Bill C-11's specific exceptions for the use of personal information without consent in relation to business activities:

  • for the exercise of due diligence to prevent or reduce commercial risk; and
  • where obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual.

Bill C-27's CPPA keeps and elaborates upon many of the other consent exceptions from Bill C-11, including those for public interest purposes, internal research, and prospective business transactions where the information is de-identified. It adds that information used for a prospective business transaction need not be de-identified if doing so would undermine the objectives of the transaction, provided the organization has taken into account the risk of harm to the individual that could result from the use of the information.

As a whole, Bill C-27's consent rules can be read as a restatement and tightening of the changes proposed in Bill C-11, again likely as a direct response to criticisms of Bill C-11.

Protection of minors

One big change in Bill C-27 is that it treats the protection of minors as a key issue that the previous iteration of the CPPA did not address, and specifically designates the personal information of minors as "sensitive information". Bill C-27 also provides that the rights and recourses available under the CPPA may be exercised personally by a minor who wishes to do so and is capable of doing so, and otherwise by the minor's parent, guardian or tutor.

The fact that information relates to a minor also narrows the exceptions to the obligation to dispose of information at an individual's request. Essentially, an organization cannot rely on the exception that lets it keep an individual's information, despite a request to dispose of it, on the basis that the information is necessary for the ongoing provision of a product or service, where that individual is a minor.

Powers of the Office of the Privacy Commissioner of Canada

The Commissioner will continue to oversee compliance with privacy law and, as under Bill C-11, will gain the power to issue orders, request information, carry out investigations, approve certification programs, and recommend administrative monetary penalties ("AMPs") to the Tribunal. The CPPA caps AMPs at the higher of $10 million and 3% of the organization's gross global revenue. The most serious contraventions are prosecuted as offences in the courts rather than through the Tribunal, and carry fines of up to the higher of $25 million and 5% of gross global revenue.

Bill C-27 turns the permissive language of Bill C-11 into an obligation: the Commissioner "must" make rules respecting the conduct of an inquiry that leads to a recommendation of an AMP, including rules of evidence. Bill C-27 also expands the list of provisions for which the Commissioner can recommend a penalty to the Tribunal, adding penalties for failure to develop a privacy management program, failure to keep proper records, and failure to limit the use of information to "appropriate purposes" as defined in the CPPA.

De-identification and disposal rights

De-identified information is personal information that has been modified so that it no longer directly identifies an individual. Like Bill C-11, Bill C-27 allows an organization to use an individual's personal information without their knowledge or consent in order to de-identify it, and then allows the de-identified information to be:

  • used for the organization's internal research, analysis and development purposes;
  • used and disclosed for prospective business transactions (as long as the other requirements are met); or
  • disclosed to a prescribed entity, such as a government institution, for a socially beneficial purpose.

Bill C-27 also expands the situations in which an organization may use de-identified information, alone or in combination with other information, to identify an individual. Re-identification is now permitted in order to test:

  • the effectiveness of the organization's de-identification processes;
  • the fairness and accuracy of models, processes and systems that were developed using de-identified information, and in any other prescribed circumstances; and
  • as was already the case in Bill C-11, the effectiveness of the security safeguards the organization has put in place.

Additionally, Bill C-27 allows an organization to make de-identified information identifiable in order to comply with any requirement under the CPPA or under federal or provincial law, or in any other prescribed situation. The Commissioner may also authorize an organization to use de-identified information to identify an individual if, in the Commissioner's opinion, doing so is clearly in the individual's interests.

Consistent with current PIPEDA, organizations must not retain personal information for longer than necessary. However, Bill C-27 adds that an organization must take into account the sensitivity of the information when setting its retention and disposal periods. Bill C-11 had described "disposing" of information as permanently and irreversibly deleting personal information; Bill C-27 expands on this by adding "anonymizing" personal information as another way of meeting the disposal requirement. "Anonymize" is defined as "irreversibly and permanently" modifying personal information to ensure that no individual can be directly or indirectly identified from it, which differs from merely de-identifying it, since "de-identified" information still carries a risk of re-identification. Bill C-27 also expands the grounds on which an organization may refuse a request to dispose of personal information, which now include the following:

  • disposing of the information would result in the disposal of personal information about another individual and the information is not severable;
  • other requirements of the CPPA, of federal or provincial law, or of the reasonable terms of a contract prevent the organization from disposing of the information;
  • the information is necessary for the organization to establish a legal defence or exercise other legal remedies;
  • the information does not relate to a minor, and disposing of it would have an undue adverse impact on the accuracy or integrity of information that is necessary to the ongoing provision of a product or service to the individual in question;
  • the request to dispose of it is vexatious or made in bad faith; or
  • the information does not relate to a minor and is scheduled to be disposed of in accordance with the organization's information retention policy, and the organization informs the individual of the remaining period for which it will retain the information.

Provincial legislation

PIPEDA does not apply to provincial organizations, classes of organizations, and activities or classes of activities, about which a province has enacted “substantially similar” legislation to PIPEDA. To date, three provinces (British Columbia, Alberta, and Quebec) have enacted general private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA, and several provinces have enacted “substantially similar” personal health information legislation.

The CPPA contains a similar framework that lets the Governor in Council designate provincial legislation as "substantially similar" to the CPPA. It remains to be seen whether the current PIPEDA designations will carry over, or whether new CPPA designations will be required. Québec recently overhauled its private-sector privacy law (learn more in our Québec privacy legislation article), but given the significant differences between PIPEDA and the CPPA, British Columbia and Alberta may have to amend their respective Personal Information Protection Acts to align with the CPPA.

Personal information and Data Protection Tribunal Act

The Tribunal Act authorizes the Tribunal to impose AMPs and to hear appeals of the Commissioner's decisions. Bill C-27 largely keeps Bill C-11's proposed structure in place: a Tribunal of three to six members with jurisdiction over all appeals under the CPPA. However, Bill C-27 raises the minimum number of members who must have experience in the field of information and privacy law from one to three.

Further, Bill C-27 expands the Tribunal's powers, specifically giving it the powers of a superior court of record with respect to the examination of witnesses, the production of documents, the enforcement of its decisions, and all other matters necessary for the exercise of its jurisdiction. A decision of the Tribunal may be made an order of the Federal Court or of any superior court, and is then enforceable in the same manner as an order of that court.

Artificial Intelligence and Data Act

AIDA sets out new rules and requirements that organizations must follow to ensure the responsible ‎development and deployment of artificial intelligence. It requires organizations to document the risks and ‎mitigation measures of high-impact systems, as well as document compliance with the safeguards. It also requires organizations to publish a plain-language explanation of how an AI system is used, ‎the type of content being generated, and the mitigation measures imposed to combat risk.‎

Notably, section 27 of the legislation allows the Minister to publish information about contraventions (except for confidential business information) if doing so is in the public interest. AIDA also provides for the Minister to designate an Artificial Intelligence and Data Commissioner to assist the Minister with the Minister's enforcement responsibilities, such as ordering third-party audits of organizations' activities.

Failure to comply with certain AIDA provisions is a criminal offence and can result in fines of up to $25 million or 5% of the organization's annual gross global revenue, whichever is greater. These penalties may apply where the use of an artificial intelligence system is likely to cause physical or psychological harm, damage to property, or economic loss, whether through recklessness, knowledge without lawful excuse, or an intent to defraud. For more information about AIDA, please read our article here.

Conclusion

Without any election looming on the horizon, and with some of Bill C-11's shortfalls addressed, we expect that the privacy law overhaul contemplated by Bill C-27 will pass, likely this year or early next. Please stay tuned for more updates from DLA Piper's Privacy, Data Protection, and Access to Information team as new information about these laws is made available to the public.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.