OTTAWA, ON and TORONTO, ON–The COVID-19 pandemic has transformed how Canadians live, work, access information and connect with each other, making digital technology more important than ever.
In view of these trends, the federal government has introduced the proposed Digital Charter Implementation Act (DCIA) 2020, Bill C-11, which, if passed, would modernize the framework for the protection of personal information in the private sector. The proposed legislation is now open to public consultation.
Bill C-11 is an initial step toward a comprehensive reform of Canada’s privacy framework, it said. The government is also proposing to modernize the Privacy Act, which applies to the federal public sector and which the Privacy Commissioner of Canada also oversees.
“The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry, in a prepared statement. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled. For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement. This legislation represents an important step towards achieving this goal.”
The DCIA has two parts:
Part 1 would create the Consumer Privacy Protection Act (CPPA) to protect the personal information of individuals while recognizing the need of organizations to collect, use or disclose personal information in the course of commercial activities. It would replace the part of the Personal Information Protection and Electronic Documents Act (PIPEDA) dealing with the collection, use and disclosure of personal information.
Part 2 would enact the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the CPPA and to impose penalties for the contravention of certain provisions of that Act.
According to the Canadian Marketing Association (CMA) the CPPA would retain many of PIPEDA’s strengths. It is principles-based and technologically neutral. However, it contains several new provisions, among them:
–The Privacy Commissioner would have the ability to order an organization to comply with the Act or to order an organization to stop activities that violate it. The Privacy Commissioner also would be able to review, at any time, an organization’s privacy management policies, practices and procedures.
–Administrative monetary penalties could be imposed of up to the greater of 3 percent of global revenue, or $10 million, relating to any single investigation/decision by the Privacy Commissioner. These penalties would by imposed by the new Personal Information and Data Protection Tribunal, after reviewing recommendations of the Privacy Commissioner, or if a party appealed a decision by the Privacy Commissioner to not recommend a penalty. An expanded range of offences could result in fines of up to the greater of 5 percent of an organization’s gross global revenue or $25 million.
–C-11 would add a private right of action, where individuals may sue an organization for damages for loss or injury suffered, where the Privacy Commissioner, the Tribunal or a court has found the organization to be in contravention of the Act.
–Individuals would be able to ask an organization to transfer their personal information to another organization in the same sector or engaging in the same activity.
–Organizations that use artificial intelligence (AI) to make predictions, recommendation or decisions about people would have to explain on request how its algorithm made a decision about a person.
The bill proposes several new exemptions to consent for the collection, use or disclosure of personal information. However, it would impose stricter rules for uses and disclosures that are still subject to consent, including more detailed disclosures and a stronger expectation of express consent. At the same time the bill recognizes that organizations may de-identify personal information without the need for consent, as long as it could not be reasonably foreseen to be used to identify an individual.
The new bill does not conflict with provincial legislation. In Alberta, British Columbia and Quebec provincial private sector laws will continue to apply to intra-provincial activities in those provinces.
Here are the benefits the CMA sees with Bill C-11:
–Clarity in many important areas, including not requiring consent for certain business activities, or for de-identifying personal information for research and analytical purposes.
–The ability to rely to some extent on industry codes of conduct, potentially as a means of demonstrating due diligence during an investigation.
–Organizations will now have some appeal rights from Privacy Commissioner decisions.
But the legislation has a few downsides:
–Significant monetary penalties and fines.
–New data mobility right for consumers, which creates risks related to fraud, security and more, as well as an administrative burden to business.
–New algorithmic transparency provisions, which could be challenging to implement due to the complexity of these types of technologies and decisions.
“Our initial overall impression of the bill is positive,” said Sara Clodman, vice president, public affairs and thought leadership. “However, not all of the requirements and implications of the CPPA are clear. The CMA is studying the new bill in detail and we will participate in consultations, as we did leading up to the introduction of the bill, to ensure that the interests of marketers are considered.”