The proposed new privacy law includes order-making powers, penalties and a new tribunal
On June 26, 2022, the Industry Minister François Philippe Champagne finally tabled in the House of Commons Bill C-27, called the “Digital Charter Implementation Act, 2022”. This is the long-awaited privacy bill that is slated to replace the Personal Information Protection and Electronic Documents Act, which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001.
The bill is very similar to Bill C-11, which was tabled in 2019 as the Digital Charter Implementation Act, 2019, and which languished in Parliament until the federal government called the last election.
The Bill creates three new laws. The first is the Consumer Privacy Protection Act (“CPPA”), which is the main privacy law. The second is the Personal Information and Data Protection Tribunal Act and the third is the Artificial Intelligence and Data Act.
The CPPA has a completely different structure than PIPEDA. PIPEDA included a schedule taken from the Canadian Standards Association Model Code for the Protection of Personal Information and generally required regulated organizations to follow the Code. Similar to the Personal Information Protection Acts of British Columbia and Alberta, the substance of the Code has largely been translated to statutory language in the Bill itself.
The most significant difference is what many privacy advocates have been calling for: the Privacy Commissioner is no longer an ombudsman. The law includes order-making powers and significant penalties. The Bill also creates a new tribunal called the Personal Information and Data Protection Tribunal, which replaces the current role of the Federal Court under PIPEDA with greater powers.
PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity and to federally-regulated workplaces. That will not change in the CPPA, but a new section 6(2) says that the new Act specifically applies to personal information that is collected, used or disclosed interprovincially or internationally. This provision is not expressly limited to commercial activity, so there’s an argument that could be made that it would apply to non-commercial or employee personal information that crosses borders.
The CPPA has an interesting approach to anonymous and de-identified data. It officially creates these two categories. It defines anonymize as:
“to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
Anonymous information is carved out of the CPPA’s purview. But de-identified data remains in-scope. To de-identify data means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.”
In a number of areas, the CPPA provides more detail about what is required to comply with general principles that are already in PIPEDA. For example, additional detail needs to be applied with respect to a company’s “privacy management program”. And all the supporting documentation for an organization’s privacy management program must be provided to the Privacy Commissioner on request.
With respect to consent, organizations expressly have to record and document the purposes for which any personal information is collected, used or disclosed. This was implied in the CSA Model Code, but is now expressly spelled out in the Act. Section 15 of the CPPA lays out in detail what is required for consent to be valid. It requires not only identifying the purposes but also communicating in plain language how information will be collected, the reasonably foreseeable consequences of its use, what types of information and to whom the information may be disclosed.
One significant change compared to is the circumstances under which an organization can collect and use personal information without consent. Section 18 of the CPPA allows collection and use without consent for certain business activities, where it would reasonably be expected to provide the service, for security purposes, for safety or other prescribed activities. Notably, this exception cannot be used where the personal information is to be collected or used to influence the individual’s behaviour or decisions. There is also a “legitimate interest” exception, which requires an organization to document any possible adverse effects on the individual, mitigate them and finally weigh whether the legitimate interest outweighs any adverse effects. It’s unclear how “adverse effects” would be measured.
As under PIPEDA, an individual can withdraw consent, subject to limitations similar to those that were in PIPEDA. But what’s changed is that an individual can require that their information be disposed of. Notably, disposal includes deletion and rendering it anonymous.
The most notable changes are with respect to the role of the Privacy Commissioner. The Commissioner is no longer an ombudsman with a focus on nudging companies to compliance and solving problems for individuals. The CPPA and Tribunal Act veer strongly towards enforcement.
As with PIPEDA, enforcement starts with a complaint by an individual, or the Commissioner can initiate it of his own accord. After the investigation, the matter can be referred to an inquiry.
Inquiries have more procedural protections for fairness and due process than under the existing ad hoc investigation system. For example, each party is guaranteed a right to be heard and to be represented by counsel. At the end of the inquiry, the Commissioner can issue orders for measures to comply with the Act or to stop doing something that is in contravention of the Act. The Commissioner can continue to name and shame violators, but penalties are left to the new Privacy and Data Protection Tribunal.
The legislation creates a new specialized tribunal which hears cases under the CPPA. Compared to C-11, the new bill requires that at least three of the tribunal members have expertise in privacy.
Its role is to determine whether any penalties recommended by the Privacy Commissioner are appropriate. It also hears appeals of the Commissioner’s findings, appeals of interim or final orders of the Commissioner and appeals of a decision by the Commissioner not to recommend that any penalties be levied.
Currently, under PIPEDA, complainants and the Commissioner can seek a hearing in the Federal Court after the Commissioner has issued his finding. That hearing is “de novo”, so that the court gets to make its own findings of fact and determinations of law, based on the submissions of the parties. The tribunal, in contrast, has a standard of review that is “correctness” for questions of law and “palpable and overriding error” for questions of fact or questions of mixed law and fact. These decisions are subject to limited judicial review before the Federal Court.
Possible penalties are huge. The maximum administrative monetary penalty that the tribunal can impose in one case is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed. The Act also provides for quasi-criminal prosecutions, where the fines can get even higher.
The Crown prosecutor can decide whether to proceed as an indictable offence with a fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue or a summary offence with a fine not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue. If it’s a prosecution, then the usual rules of criminal procedure and fairness apply, like the presumption of innocence and proof beyond a reasonable doubt.
Within a week of the Bill being tabled in Parliament, the House rose for the summer break. It’s impossible to predict whether, when Parliament resumes in September, the Bill will be fast-tracked or whether it will languish like Bill C-11 in 2019. It is also hard to predict whether the government will be amenable to suggested amendments at the Committee stage.