On June 16, 2022, the federal government attempted (for a second time) to modernize Canada’s private sector privacy laws. These laws protect the personal information of individuals as well as regulate the privacy practices of organizations.
The Digital Charter Implementation Act 2022 (also known as Bill C-27) will implement the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA has regulated the use and disclosure of personal information by commercial organizations in the country since 2001.
Given it’s now over 20 years old, the general consensus is that this legislation needs a complete refresh. The first attempt to do this happened in 2019 with Bill C-11. However, the legislation died as a result of the federal election that took place in October of that year.
What does this new legislation mean for my businesses?
There are quite a few updates about the new legislation and you can see a complete and detailed text of the new bill on the Parliament of Canada website.
But for business owners, there are a few key areas you’ll want to be informed about that will likely have a direct impact on your organization.
Policy Management Program
This is likely the most significant update for businesses when it comes to the protection of personal information under the new bill.
Section 9 of the new CPPA explicitly states that an organization must implement and maintain a privacy management program, which “includes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Act”.
Part of this program includes documenting consent, which involves recording and documenting the purposes for which an organization collects, uses or discloses any personal data.
[Read our blog: How a privacy officer can help your business]
For business owners, updating their privacy policy on their website is only part of this program (and you should certainly have that reviewed by a legal professional in light of this new legislation).
A privacy management program requires a more structured and holistic approach to privacy within an organization that includes:
(a) implementing policies and procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization’s policies and practices; and
(d) developing information to explain the organization’s policies and procedures.
If requested, organizations must provide the Privacy Commissioner with the policies, practices and procedures that are included in their privacy management program. The Privacy Commission can then provide guidance and make corrective recommendations.
New Enforcement Powers and Administrative Monetary Penalties
The new CPPA grants the Privacy Commissioner new enforcement powers. The Commissioner can investigate contraventions of the CPPA and issue compliance orders to organizations. The Privacy Commissioner can investigate and make penalty recommendations with respect to an organization’s failure to implement a privacy management program; transferring personal information to service providers without ensuring contractual protections; not obtaining valid consent when collecting, using or disclosing an individual’s personal information; and many other violations of the CPPA.
Bill C-27 also introduces the Personal Information and Data Tribunal Act, which sets up a new Tribunal to hold hearings related to financial penalties recommended by the Commissioner. The Tribunal can issue significant administrative monetary penalties (AMPs) for non-compliance with such orders, up to $10 million or 3% of an organization’s gross global revenue in the year preceding the penalty, whichever is higher.
These are much more severe penalties than under PIPEDA and give real teeth to this new legislation in terms of the financial consequences of breaching the act.
This newly bestowed power signals a move away from the traditional ombuds model of PIPEDA, with a focus on suggesting compliance and solving problems for individuals, towards a stricter, more enforcement-focused model with the CPPA.
The Canadian Radio-Television and Telecommunications Commission (CRTC) has also been recently granted AMP powers and has started issuing significant fines to organizations that breach telemarketing and CASL rules and regulations. In 2019, the CRTC imposed $260,000 in penalties on two Ontario businesses for violating the Unsolicited Telecommunication Rules.
It’s believed the Privacy Commissioner that oversees Bill C-27 could make similar examples of those violating the new CPPA rules.
Data Deletion and Portability
Under the new CPPA, consumers can ask an organization to delete the personal information they’ve collected about them, similar to Europe’s General Data Protection Regulation’s (GDPR) ‘right to be forgotten’. Individuals can also request an organization transfer their information to another organization, also referred to as ‘Data Portability.
Algorithmic Transparency
This new bill also gives individuals the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision about the individual that could have a significant impact on them. These rights are related to The Artificial Intelligence and Data Act, part of Bill C-27 which are dependent on regulations that haven’t yet been released.
Anonymizing and De-Identifying Data
CPPA has also clarified rules around anonymizing and de-identifying data:
Anonymizing data means “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” Essentially, this means there is no reasonable possibility of reidentifying an individual. Anonymized data cannot identify an individual or impact their privacy and therefore is not subject to the CPPA.
De-identifying data means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” Essentially, this means when organizations use data with the identifiers removed. De-identified data is regulated by the CPPA and generally bans attempts to re-identify it.
Staying compliant with new federal privacy regulations
If you’re not sure whether your organization’s policies are in-line with Bill C-27, including your privacy management program, we can help. Caravel is an alternative legal firm with over 70 qualified and experienced lawyers, including those who specialize in privacy law. Get in touch with our team today to find out more.