An Evolving Digital Privacy Landscape—Comparing the Federal Bill C-27’s CPPA to Quebec’s Bill 64

October 3, 2022

This article is part of our Bill C-27 Business Insights Series: Navigating Canada’s Evolving Privacy Regime, written by McCarthy Tétrault’s multidisciplinary Cyber/Data team. This series brings you practical and integrative perspectives on Canada’s Bill C-27: Digital Charter Implementation Act, 2022 and how your organization can stay ahead of the curve.

View other blog posts in the series here.

Introduction

The Act to modernize legislative provisions as regards the protection of personal information[1] (“Bill 64”) received royal assent on September 22, 2021, introducing amendments to the privacy regime and the framework governing the use and collection of personal information (“PI”) by public and private sector privacy laws in Quebec. Meanwhile, on June 16, 2022, the federal government introduced three new acts under Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (or Digital Charter Implementation Act, 2022) (“Bill C-27”).[2] Part 1 of Bill C-27 enacts the Consumer Privacy Protection Act (“CPPA”),[3] which is the federal government’s latest attempt to modernize the current federal private sector privacy law and a federal equivalent to Bill 64. Bill C-27’s CPPA is the second attempt at reforming federal privacy law in Canada. It shares much of its substance with the Liberal government’s first attempt, Bill C-11, which was introduced in Parliament in November 2020. Bill C-11 died on the order paper when the 2021 general election was called. We compared C-11 to C-27 in a previous post, which can be viewed here.

The federal CPPA shares many similarities with the amendments introduced by Quebec’s Bill 64 (We refer to the as amended Quebec private-sector privacy law as Bill 64 throughout this article for simplicity). Both laws look to overhaul and modernize privacy laws to strengthen protections for consumers and create steep penalties for the misuse of PI by businesses. However, there are also significant differences in the scope of each regime and the type of activities covered.

In this high-level overview, we discuss some of the key similarities and differences between the two laws. We note, however, that the CPPA is likely to undergo changes as it makes its way through the legislative process, including industry consultation.

Scope and application

Both Bill 64 and the CPPA have a broad scope and apply to businesses and other organizations that collect and use PI.

Bill 64 applies to PI that is collected, held, used or communicated to third parties within the context of an enterprise.[4] The CPPA has a similarly broad scope, with its provisions applying to virtually any private-sector organization that collects, uses, or discloses PI (but, because of the federal division of powers, only applies to employees and job applicants of a federal work, undertaking or business).[5] The CPPA has a provision that will allow the federal government to make an order that will exempt the legislation’s applicability to organizations that exist within provinces that have substantially similar legislation.[6]

Additionally, both regimes clearly exclude anonymized data.

Governance and Operations

Governance Framework

Bill 64 requires enterprises to implement governance policies and practices which ensure the protection of PI.[7] In particular, these policies and practices must:

provide a framework for the retention and destruction of PI;
define the roles and responsibilities of the members of its personnel throughout the life cycle of PI;
provide a process for dealing with complaints regarding the protection of PI;
be proportionate to the nature and scope of the enterprise’s activities; and be approved by the person in charge of the protection of PI.[8]

Bill 64 further requires enterprises to publish detailed information about those policies and practices on their website or by any other means.[9]

Similarly, the CPPA requires every organization to implement a privacy management program (“PMP”) to comply with its obligations.[10] In particular, the PMP must address and ensure:

the protection of PI;
how requests for information and complaints are received and dealt with;
the training and information provided to the organization’s staff respecting its policies, practices and procedures; and
the development of materials to explain the organization’s policies and procedures. [11]

The CPPA requires the organization to provide the Privacy Commissioner of Canada (“Commissioner”) access to the policies, practices and procedures that are included in its PMP,[12] and the Commissioner may provide guidance or corrective measures to the PMP after reviewing it.[13]

Privacy Impact Assessments

There are two different privacy impact assessment (“PIA”) requirements under Bill 64. First, Bill 64 requires enterprises to conduct a PIA for any project to acquire, develop, or overhaul an information system or electronic service delivery system involving PI.[14] Second, Bill 64 creates a requirement for conducting a PIA before information can be disclosed outside of Quebec, which applies to both inter-provincial and foreign disclosures.[15] No equivalent provision on PIAs is found under the CPPA. However, the CPPA requires organizations to conduct a legitimate interest assessment (“LIA”) before collecting or using an individual’s PI based on the legitimate interest exception to consent,[16] which we’ve further discussed below in the Consent section.

Privacy Officer

Bill 64 designates by default the “person exercising the highest authority” within an enterprise to be responsible for the compliance with privacy requirements, although this person may delegate all or part of that function in writing to any person.[17] Unlike Bill 64, the CPPA provides the choice directly to the organization to designate one or more individuals responsible for the compliance with privacy requirements.[18]

Privacy Breaches

Both regimes require enterprises to notify the relevant privacy commissioner in the event of a serious privacy breach.[19] Enterprises must also inform any affected individuals,[20] unless doing so would impede an investigation or is otherwise not permitted by law. If the notification to the affected individual is required, the CPPA provides for a further mandatory notification to any other organization that can reduce the risk of injury or mitigate the injury resulting from the incident.[21] Unlike the CPPA, the notification to any third party is not strictly required under Bill 64.[22] We invite you to read our earlier article for further details on confidentiality incident reporting and record-keeping obligations under Bill 64.

Basis for Collection

Transparency Obligations

Under Bill 64, a person must be informed upon collection of their PI, or upon request, of the purpose and means of collection, rights associated with their PI, the name of the third person for whom the PI is collected (if applicable), the names or categories of third persons to whom the PI must be communicated, and the possibility that the PI will be communicated outside of Quebec; furthermore, upon request, the individual must be informed of the PI collected, the categories of persons who will have access to the PI within the enterprise, the retention period of the PI and the contact information of the person in charge of the protection of PI.[23]

Under the CPPA, an individual’s consent is valid only if the following information was disclosed upon or before the collection of their PI:

the purposes for the collection, use or disclosure of PI;
the manner in which PI is to be collected, used or disclosed;
any reasonably foreseeable consequences of the collection, use or disclosure of PI;
the specific type of PI that is to be collected, used or disclosed; and
the names of any third parties or types of third parties to which the organization may disclose PI.[24]

The disclosure of any reasonably foreseeable consequences of the collection, use or disclosure of PI[25] introduced by the CPPA is particularly onerous, as it requires organizations to predict and put into writing such information, which can be difficult to assess. No equivalent requirement is found in Bill 64.

Bill 64 requires that any necessary disclosures be provided in clear and simple language, regardless of the means used to collect PI.[26] Similarly, the CPPA requires that such information must be disclosed in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.[27]

Consent

Consent remains the cornerstone basis for the collection, use and disclosure of PI under both regimes. Bill 64 provides that unless the individual concerned gives their consent, PI may not be used for any new purpose, except if the new purpose has a direct and relevant connection to the original purpose, and only in the following circumstances:

if PI is used for purposes consistent with the purposes for which it was collected;
if PI is clearly used for the benefit of the person concerned;
if its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;
if its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or
if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified.[28]

Moreover, Bill 64 requires that sensitive PI, which is information that has a high level of reasonable expectation of privacy such as medical information, must always be obtained and used with express consent.[29]

Unlike Bill 64, express consent is the default under the CPPA.[30] Implied consent may be appropriate after evaluating the “reasonable expectations of the individual” and the “sensitivity” of the PI,[31] although these two concepts remain undefined under the CPPA. Further, the CPPA introduced the concept of a legitimate interest exception to the consent requirement, which would allow an organization to collect, use or disclose an individual’s PI without their knowledge or consent if:

the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use;
a reasonable person would expect the collection or use for such an activity; and
the PI is not collected or used for the purpose of influencing the individual’s behavior or decisions.[32]

Moreover, prior to the collection or use of such PI under the legitimate interest exception, the organization must proceed to a LIA in order to:

identify any potential adverse effect on the individual that is likely to result from the collection or use;
identify and take reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them; and
comply with any prescribed requirements.[33]

Note that the concept of legitimate interest is not an alternate basis for collection of PI like with the EU General Data Protection Regulation (GDPR). Rather, legitimate interest is positioned as an exception to consent under the CPPA.

Both Bill 64 and the CPPA allow for the transfer of PI to third parties without consent if the communication of PI is necessary to conclude a commercial transaction and the third party agrees to only use the PI for its intended purpose and take adequate steps to safeguard it.[34]

Rights Based Requests

Right of Access and Rectification

Both regimes provide individuals with the right to request whether an organization holds any PI concerning them,[35] how their PI has been used, whether it has been disclosed to any third parties[36], and to receive a copy of the PI concerning them that is held by the organization. Under both regimes, individuals have the right to have any inaccurate PI corrected in the records of the organization.[37] If a request for access or rectification of inaccurate information is refused, both Bill 64 and the CPPA require that the organization provide reasons and the provisions on which the refusal is based.[38] However, under the CPPA, the right of access is expressly subject to certain exceptions and prohibitions.[39]

Right to be Informed of Automated Decisions

Bill 64 provides that an individual has the right to be informed of instances where their PI is used to render a decision based exclusively on an automated process, and allows the individual to submit observations on such a process to the enterprise who is in a position to review the decision.[40] Unlike Bill 64, the CPPA does not give an individual the right to submit such observations, but the CPPA does grant an individual the right to be informed of the use of an automated decision system to make a prediction, recommendation or decision about the individual that could have a significant impact on them.[41] Separate from the CPPA, Bill C-27 also introduce an entirely new law which aims to regulate the development and use of AI in Canada, the Artificial Intelligence and Data Act, as addressed in our previous article.

Right of De-Indexation and Right of Disposal

Bill 64 and the CPPA have different approaches to an individual’s right to have their PI deleted/removed. Under Bill 64, upon an individual’s request, organizations are not required to delete an individual’s PI upon request, but are required to cease disseminating information, or to de-index or re-index any hyperlink attached to a name if the dissemination of that information contravenes the law or a court order.[42] An individual may also require cessation of dissemination, or require such de-indexing or re-indexing, where the following conditions are met:

the dissemination of the information causes the individual serious injury in relation to the individual’s reputation or privacy; and
the injury is clearly greater than the interest of the public or free expression; and the cessation of the dissemination, re-indexation or de-indexation does not exceed what is necessary for preventing the perpetuation of injury.[43]

The CPPA does not provide for a right of de-indexation. However, the CPPA allows individuals to request that organizations dispose of their PI.[44] Organizations must comply as soon as feasible if the information was collected, used or disclosed in contravention of the CPPA, the individual has withdrawn their consent, in whole or in part, or the information is no longer necessary for the continued provision of a product or service requested by the individual.[45] Organizations can refuse a request to dispose of PI under limited circumstances, such as when the law or a contract prohibits it, or if the request is vexatious.[46]

Consequences for non-Compliance

Both Bill 64 and the CPPA have steep penalties for non-compliance. Non-compliance under Bill 64 can result in an administrative monetary penalty of up to $10,000,000 or, if greater, 2% of worldwide turnover for the preceding fiscal year for the business.[47] Non-compliance with Bill 64 can result in an offence, punishable upon prosecution, and a fine of up to $25,000,000 or the amount equal to 4% of worldwide sales for the last fiscal year for the business.[48]

Non-compliance under the CPPA can result in an administrative monetary penalty of $10,000,000 or, if greater, 3% of worldwide turnover for the preceding fiscal year for the organization.[49] In addition, non-compliance with the CPPA can result in an offence punishable upon prosecution, and a fine of up to $25,000,000 or 5% or the organization’s gross global revenue for the preceding financial year.[50]

Under Bill 64, the Commission de l’accès à l’information (« CI »), may directly impose administrative monetary penalties upon enterprises in cases of non-compliance,[51] subject to review by the CAI’s oversight division upon request in writing by the allegedly contravening person/enterprise.[52]

Unlike under Bill 64, the Commissioner cannot directly impose penalties for non-compliance under the CPPA, and instead must decide whether to recommend that a penalty be imposed on the organization by the Personal Information and Data Protection Tribunal (“Tribunal”).[53] The Tribunal would then decide whether or not to impose a penalty. The Tribunal’s decision is final and binding, with no right of appeal, and is subject only to a judicial review under the Federal Courts Act.[54]

The CPPA grants individuals who have had their privacy rights violated a private right of action against an organization to bring a claim for the loss or injury suffered due to a contravention.[55] In contrast, Bill 64 only provides an individual with the potential to receive punitive damages of not less than $1,000 where the infringement is intentional or results from a gross fault and caused an injury.[56]

Conclusion

While Bill 64 is now law and will come into force in Québec on a rolling basis until September 22, 2024, Bill C-27’s CPPA has just begun its legislative journey and is likely to undergo changes before it becomes law. However, understanding the differences and similarities between the two regimes is important for businesses who wish to stay abreast of the rapidly evolving landscape of privacy law in Canada, and who wish to adjust their practices now as part of a larger, forward-looking, compliance update.

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

[1]Act Respecting the Protection of Personal Information in the Private Sector, CQRL, c P-39.1.

[2]An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.

[3]Consumer Privacy Protection Act.

[4] Bill 64, s. 1.

[5] CPPA, s. 6.

[6] Bill C -27,122 (2) (b)

[7] Bill 64, s. 3.2.

[8] Bill 64, s. 3.2.

[9] Bill 64, s. 3.2.

[10] CPPA, s. 9(1).

[11] CPPA, s. 9(1).

[12] CPPA, s. 10(1).

[13] CPPA, s. 10(2).

[14] Bill 64, s. 3.3.

[15] Bill 64, s. 17.

[16] CPPA, s. 18 (3) (4) and (5).

[17] Bill 64, s. 3.1.

[18] CPPA, s. 8.

[19] Bill 64, s. 3.5 and CPPA s. 58 (1).

[20] Bill 64, s. 3.5 and CPPA s. 58 (3).

[21] CPPA s. 59(1).

[22] Bill 64, s. 3.5.

[23] Bill 64, s. 8.

[24] CPPA, s. 15(3).

[25] CPPA, s. 15(3)(c).

[26] Bill 64, s. 8.

[27] CPPA, s. 15(4).

[28] Bill 64, s. 12.

[29] Bill 64, s. 12 (2)

[30] CPPA, s. 15(5).

[31] CPPA, s. 15(5).

[32] CPPA, s. 18(3).

[33] CPPA, s. 18(4).

[34] Bill 64, s. 18.4 and CPPA, s. 22.

[35] Bill 64, s. 8, 27 and CPPA s. 63 (1).

[36] Bill 64, s. 8 and CPPA, s. 63 (2).

[37] Bill 64, s. 28 and CPPA, 71 (1).

[38] Bill 64, s. 34 and CPPA, s. 67 (3).

[39] CPPA, s. 70 (1), (6) and (7).

[40] Bill 64, s. 12.1.

[41] CPPA, s. 63(3).

[42] Bill 64, s. 28.1.

[43] Bill 64, s. 28.1.

[44] CPPA, s. 55.

[45] CPPA, s. 17 (2) and 53 (1).

[46] CPPA, s. 55(2).

[47] Bill 64, s. 90.12.

[48] Bill 64, s. 91.

[49] CPPA, s. 95 (4).

[50] CPPA, s. 128 (a).

[51] Bill 64, s. 90.1.

[52] Bill 64, s. 90.6.

[53] CPPA, s. 94.

[54] CPPA, s. 21.

[55] CPPA, s. 127.

[56] Bill 64, s. 93.1.