Canada’s Privacy Overhaul: Deep Dive into the Key Topics of Data Subject Rights, Consent, De-identification, the Tribunal / Litigation and Data Governance
On February 24, 2021, McCarthy Tétrault LLP hosted the first session in its two-part series Canada’s Privacy Overhaul: Deep Dive into Key Topics. This article is about our first session. Both sessions are available for viewing online:
- Part One of Canada’s Privacy Overhaul: Deep Dive into Key Topics
- Part Two of Canada’s Privacy Overhaul: Deep Dive into Key Topics
As a result of ongoing developments in technology, how and why organizations collect, use and disclose personal information has grown increasingly complex. In response, the Government of Canada introduced Bill C-11, or the Digital Charter Implementation Act, 2020 (the “Act”), on November 17, 2020. If the Act comes into force, it would replace the privacy component of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) with the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIPDT”).
During our session, we covered five topics relating to the Act:
- New data subject rights, presented by Jade Buchanan;
- Consent and consent exceptions, presented by Dan Glover;
- New de-identification provisions, presented by Barry Sookman;
- The Personal Information and Data Protection Tribunal (the “Tribunal”), litigation, and the private right of action, presented by Karine Joizil and Gillian Kerr; and
- New data governance and policies, presented by Susan Wortzman.
New Data Subject Rights
Data subject rights are often set out in their own categories under privacy and data protection legislation. For example, the European Union’s General Data Protection Regulation (“GDPR”) dedicates an entire chapter to data subject rights. PIPEDA, which uses the term “individual” instead of “data subject”, requires organizations to respect two main data subject rights (subject to certain limitations in PIPEDA): (1) the right to access their personal information; and (2) the right to correct or complete their personal information. The CPPA, as currently drafted, introduces new data subject rights. Two new rights of particular significance are: (1) the right of disposal (which is similar to the GDPR right of erasure); and (2) the right of data mobility (which is similar to the GDPR right of data portability).
The Right of Disposal
Generally, an individual under the CPPA will have a right to have their data deleted by the controlling organization. This right is subject to several exceptions, namely where:
- retention is required by law;
- disposal would delete the personal information of another individual; or
- disposal is prevented by “the reasonable terms of a contract”.
The CPPA’s exceptions to the right of disposal — particularly with respect to “reasonable terms of a contract” — lack specificity and will require further elaboration. In contrast, the exceptions to the data subject’s right of disposal under the GDPR expressly state that the right does not apply to processing necessary for “exercising the right of freedom of expression and information”, which notably is not an exception to the right of disposal under the CPPA. The lack of an exception for free expression makes the right of disposal vulnerable to a challenge that it violates some of the freedoms under the Charter. The GDPR also includes an exception for processing required “for the establishment, exercise or defence of legal claims”, which is not included in the CPPA.
The Right of Data Portability / Mobility
The right of portability is also a concept from the GDPR that has been included in the CPPA with a new name: the right of “data mobility”. The right of data mobility would allow users to get their data from a controlling organization in a usable format and move it over to another organization. Legislators have not enshrined obligations regarding data mobility in the CPPA itself, but have deferred to “a data mobility framework provided under the regulations”, which have not yet been introduced.
Consent and Consent Exceptions
Where We Are Now
Consent has been described as the cornerstone of PIPEDA. However, in a world of increasingly complex data flows, the role of consent has changed considerably in the years since PIPEDA came into force. In many instances, repetitive consent requests have led to “consent fatigue”. At the same time, the consent requirements have contributed to an increasing emphasis on transparency and data minimization, which has been a meaningful privacy “win” for individuals.
Obtaining consent has also become increasingly complex due to doubts caused by conflicting interpretations as to when implied consent is permissible. While the Supreme Court of Canada in Trang found that in certain circumstances, consent could be implied for even financial information despite its presumptive sensitivity, the meaningful consent guidelines seem to diminish the role of implied consent. The Office of the Privacy Commissioner of Canada (the “OPC”) and the provincial privacy commissioners have been applying the guidelines with increasing vigour.
The joint investigation into Clearview AI reinforced the fact that the OPC and the provincial commissioners favour reading down exceptions to consent on the basis that privacy is a “quasi-constitutional” right as opposed to a balance of competing interests. You can read our more detailed analysis of the Clearview AI finding here.
Similarly, the findings of the OPC and the Alberta and BC commissioners in an investigation into Cadillac Fairview verge toward an impractical approach by requiring express consent for a momentary collection of data in a public setting, followed by anonymization. The emphasis on express consent may render reasonable uses of data impossible despite the incorporation of reasonable safeguards and a lack of plausible harm to individuals.
Where We Are Going
The CPPA attempts to address some of the concerns regarding the role of consent in modern privacy legislation. It enlarges and clarifies the PIPEDA consent provisions and creates a modernized list of exceptions to the consent principle.
Like Section 5(3) of PIPEDA, Section 12 of the CPPA requires that collection, use and disclosure of personal information be “only for purposes that a reasonable person would consider appropriate in the circumstances.” Expanding on this requirement, Section 13 of the CPPA introduces new factors that an organization needs to take into account when assessing whether or not a purpose for collecting, using and disclosing personal information is appropriate, including the sensitivity of the personal information and “whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits”. With respect to the validity of an individual’s consent, Section 15 of the CPPA imposes certain requirements and obligations on organizations, including to describe, in plain language, the purposes for which the organization will collect, use and disclose personal information, and to be responsible for justifying the rationales for the organization’s reliance on implied consent.
Some of the new and notable exceptions to the consent provisions include exceptions for business activities, transfers to service providers, research and development, and de-identification. While each exception may need further elaboration, the strengthening of PIPEDA’s consent regime in the CPPA reinforces the need for organizations to be thoughtful in their collection of both personal information and the corresponding required consent.
For more information, see our article Consent Standards under the Proposed Consumer Privacy Protection Act.
The De-Identification Provisions
“De-identification” is a general term that includes privacy and security processes that render personal information as either “anonymized” or “pseudonymized”. “Pseudonymization” is a method that removes or replaces direct identifiers from a data set leaving in place data that could be used to indirectly identify a person by using other data. This data is generally still subject to privacy laws. “Anonymization” is a stronger form of de-identification which (depending on the formulation) makes re-identification impossible, reasonably unlikely or not reasonably expected.
PIPEDA does not deal expressly with de-identification. That changes with the CPPA, which introduces new de-identification provisions that seem to be intended to promote a balance between innovation and the reasonable expectations of users. While clarification regarding de-identification is welcome, there is significant ambiguity surrounding whether de-identified data will be subject to the CPPA.
Is De-identified Data Subject to Privacy Laws?
Presently, PIPEDA defines personal information as “information about an identifiable individual”. Thus, when information is “not about” an individual that can be identified, it is not personal information. Where data is anonymized, it is not subject to either federal or provincial privacy legislation. This is consistent with both the GDPR and the California Consumer Privacy Act. The definition of “de-identified” in the CPPA suggests it refers to anonymized information:
de-identify means to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.
There are seven provisions in the CPPA that deal with de-identified information. Some reinforce the interpretation that de-identified information remains outside the confines of privacy legislation in Canada. Such provisions include the definition of “de-identify”, the de-identification exception to consent in Section 20 and the prohibition on re-identifying de-identified data under Section 75. This approach would be consistent with how PIPEDA has been interpreted (i.e., that anonymized information is outside of its scope).
However, other provisions suggest there has been a movement away from PIPEDA and that the drafters intend the CPPA to regulate even anonymized information. Such provisions include certain exceptions to the consent requirement, as well as the new standard for de-identification in Section 74. These provisions do not work particularly well if anonymized information is supposed to be outside of the CPPA. The ambiguities in the CPPA present certain challenges, especially given the potential increased penalties that organizations may face.
For more information, see our article: CPPA: Identifying the Inscrutable Meaning and Policy Behind the De-Identifying Provisions.
The Tribunal, Litigation, and the Private Right of Action
Compliance with the CPPA
Two bodies will be responsible for compliance with the CPPA: the OPC and the Tribunal. The OPC will have increased power under the CPPA. Unlike under PIPEDA, the OPC will be a prosecutor and adjudicator, not just an investigator. If, in the course of an investigation, the OPC finds that an organization has committed, is about to commit or will likely commit an act or omission that does not comply with the CPPA, the OPC can enter into a compliance agreement with the organization. Once an investigation is complete, the OPC can make an order “that is reasonably necessary to ensure compliance”. The OPC can also make a recommendation for a penalty to the Tribunal.
The Tribunal will consist of three to six members appointed by the Governor in Council. Only one member must have a history in information and privacy law, and no other member is required to have a legal or judicial background. The Tribunal can hear appeals from findings and orders made by the OPC, and the findings of the Tribunal will be final. The Tribunal also has the ability to impose significant administrative monetary penalties—up to $10,000,000 or up to 3% of the organization’s gross annual revenue. Organizations that knowingly commit certain offences under the CPPA can face fines up to the greater of $25,000,000 and 5% of the organization’s gross global revenue, but that requires prosecution in a court of law as an offence (i.e., it is not in the Tribunal’s jurisdiction).
In the event the Tribunal replaces the findings of the OPC, the standard of review is correctness for questions of law and palpable and overriding error for questions of fact and questions of mixed fact and law.
Private Right of Action
Section 106 of the CPPA creates a private right of action under which parties can apply to a court to seek damages against an organization for alleged breaches of the CPPA. When contrasted with PIPEDA, the new private right of action seems to restrict the scope of claims that could be brought before the court, while expanding the scope of plaintiffs who are able to bring such claims.
Under PIPEDA, anyone who goes through the OPC’s investigative process can bring a private right of action to a court, regardless of what the OPC finds. However, under the CPPA, a claim can only be brought if the OPC or the Tribunal has found that there was a breach of the CPPA or if the organization is convicted of an offence.
At the same time, the CPPA appears to change who is able to bring claims once the above threshold is met. While PIPEDA limits claimants to complainants, the CPPA states that an individual who is “affected by” an organization’s breach of the CPPA can bring a private right of action at either the Federal Court or provincial superior courts.
While it has not been considered by a court of law, there is a very strong argument that a breach of PIPEDA could not found the basis for a class action because only complainants can initiate a claim. As proposed, the CPPA may potentially enable class actions because an entire class of individuals could, in theory, fit within the scope of individuals who are “affected by an act or omission by an organization that constitutes a contravention of” the CPPA.
For more information, see our article: The CPPA’s Privacy Law Enforcement Regime.
New Data Governance and Policies
The CPPA would mandate a privacy management program under Section 9(1), including requiring policies, practices and procedures that address the following:
- Protection of personal information;
- Access requests and complaint procedures;
- Training and internal information relating to policies, practices and procedures; and
- Development of external materials to explain the organization’s policies and procedures.
Under the CPPA, each organization must take into account the volume and sensitivity of the personal information under its control and as such, the more information an organization has, the more stringent the requirements (Section 9(2)).
The CPPA also includes:
- new record-keeping obligations requiring companies to document the purposes for which personal information is collected, used or disclosed and to continually update if new purposes arise (Sections 12(3) and (4));
- the obligation to keep records of a disagreement with regard to the amendment of personal information (Section 71(3)); and
- PIPEDA’s requirement to track security breaches involving personal information even if the breach did not meet a reporting or notice threshold (Section 60).
Tips for complying with the CPPA from a data governance perspective include:
- implementing an information governance strategy that includes the development of a privacy management program, as knowing your data is critical - you need to know how personal information is identified and stored and who has access to it;
- developing clear policies and procedures to manage the lifecycle of information from creation to storage or disposition;
- creating a data map that tracks where the information is stored;
- leveraging technology solutions to assist with the implementation of the policies; and
- training employees to manage and control personal information.
For more information, see our article: CPPA – How Companies Will Need to Manage Their Information.