Privacy Legislation Overhaul: Canada Takes a Second Shot at the CPPA
This article is part of our Bill C-27 Business Insights Series: Navigating Canada’s Evolving Privacy Regime, written by McCarthy Tétrault’s multidisciplinary Cyber/Data team. This series brings you practical and integrative perspectives on Canada’s Bill C-27: Digital Charter Implementation Act, 2022 and how your organization can stay ahead of the curve.
View other blog posts in the series here.
In a second attempt at overhauling Canada’s federal privacy legislation, today Canada’s Minister of Innovation, Science and Industry François-Philippe Champagne introduced Bill C-27: Digital Charter Implementation Act, 2022 (“Bill C-27”). It aims to create three new pieces of legislation:
- The Consumer Privacy Protection Act (“CPPA”);
- The Personal Information and Data Protection Tribunal Act (“PIDPTA”); and
- The Artificial Intelligence and Data Act (“AIDA”).
CPPA and PIDPTA are updated versions of legislation which the Government introduced in November of 2020 (the “2020 Bill”) and which ultimately died when Parliament was dissolved for the 2021 Canadian federal election. AIDA is an entirely new piece of legislation. As a consequential amendment, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) will become the Electronic Documents Act, losing the privacy provisions but retaining the provisions regarding electronic documents.
In this high-level overview, we discuss some of the similarities and differences between the 2020 Bill and Bill C-27. We will explore these and other topics in-depth in the coming weeks.
What Has Not Changed Since the 2020 Bill?
When the 2020 Bill was proposed, we published a series of posts explaining the key topics. We also did a two-part deep dive into key topics that you can view here and here. Below are some of the major changes from the 2020 Bill that are still featured in Bill C-27.
- A New Tribunal that Can Impose Significant Penalties and Fines – Organizations that violate CPPA can face administrative monetary penalties of up to the greater of $10,000,000 and 3% of the organization’s gross global revenue, and organizations that knowingly commit certain offences under CPPA can face fines of up to the greater of $25,000,000 and 5% of the organization’s gross global revenue. However, penalties will not be issued by the Privacy Commissioner of Canada (the “Commissioner”). The Commissioner will instead recommend penalties to the Personal Information and Data Protection Tribunal (the “Tribunal”), which has the right to impose penalties. Other orders of the Commissioner can be appealed to the Tribunal.
- Private Right of Action – CPPA contains a private right of action for individuals. Before an individual can make a claim, the organization must have been convicted of an offence under CPPA or there must be a final determination by the Commissioner or the Tribunal that the organization contravened CPPA. The individual can claim damages for loss or injury that the individual has suffered as a result of the offence or contravention. It appears that an organization could be subject to the maximum administrative monetary penalty and still face claims under the private right of action.
- Enhanced Consent – In order to obtain valid consent, an organization must provide certain information to the individual at or before the time of collection (or before the use or disclosure when seeking consent regarding personal information already in the organization’s custody). The information that organizations must provide includes the purpose(s) of the collection, use and disclosure, the “reasonably foreseeable consequences of the collection, use or disclosure”, the types of personal information involved, and the “names of any third parties or types of third parties to which the organization may disclose the personal information”. Valid consents must be in plain language that an ordinary individual would understand.
- New Grounds of Processing without Consent – Like the European Union’s General Data Protection Regulation (“GDPR”), the CPPA permits organizations to lawfully collect, use and disclose personal information without consent for other valid reasons, including as necessary to provide a product or service requested by an individual, as part of due diligence to prevent or manage commercial risk, for security and safety purposes, and where obtaining consent would be impracticable due to the lack of a direct relationship. However, organizations must only do so where a reasonable person would expect it and may not do so for the purpose of influencing the individual’s behavior or decisions. But note that Bill C-27 has also added “legitimate interest” as a basis for collecting or using personal information without consent, as discussed below.
- Enhanced Rights of Individuals – Individuals will have the right to data portability (the right to obtain their personal information in a useable format from certain organizations established by regulation), the right of disposal (the limited right to have their personal information deleted by an organization) and other new privacy rights, all subject to some prescribed limitations. In the case of data portability, the right will be subject to the applicability of a data mobility framework under yet-to-be-published regulations that specifies which organizations are obliged to offer data portability.
- Transparency Regarding Cross-Border Transfers – CPPA permits organizations to store and access personal information outside of Canada, but it does require that organizations make information available about “whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications”.
What Has Changed Since the 2020 Bill?
Some of the biggest changes since the 2020 Bill are summarized below.
- Powers for the Commissioner – The Commissioner will have the ability to recommend improvements to an organization’s privacy management program, in addition to the other powers included in the 2020 Bill that remain largely unchanged. As mentioned above, the enforcement regime appears to remain as it was in the 2020 Bill, including with respect to high fines.
- Legitimate Interest – Further aligning with the GDPR, CPPA contains a concept of “legitimate interest” that permits the collection and use of personal information without consent in limited circumstances and subject to certain requirements, including what appears to be a privacy impact assessment requirement prior to relying on this exception to the consent principle.
- AI Focus – While AI was a minor focus of the first CPPA in the context of rules around automated decision systems, it will now have its own legislation: the Artificial Intelligence and Data Act. AIDA applies to “artificial intelligence systems”, with more substantial requirements for “high-impact systems” (a term that is defined with reference to regulations that are not yet published). AIDA addresses the risks of harm (physical and psychological damage, damage to property and economic loss) and “biased output”. It requires that organizations using high-impact systems adopt measures to identify, assess and mitigate the risks of harm or biased output, and also monitor compliance with the mitigating measures. Contraventions of the key provisions of AIDA can lead to fines of up to $10 million or 3% of an organization’s annual gross global revenues, whichever is greater. Additionally, CPPA still includes provisions addressing automated decision systems (with some changes since the 2020 Bill).
- Protection of Minors – CPPA contains provisions that impose higher thresholds for the processing of personal information of minors (without defining “minor”), including deeming all personal information of minors to be sensitive information (though “sensitive information” is also not defined). Minors are also able to personally exercise their CPPA rights (so long as they are “capable of doing so”).
- Service Providers – Subtle changes to CPPA now call for organizations to ensure service providers provide an “equivalent” level of protection. The perception that this might be a stronger or less flexible standard could lead to issues in service provider negotiations in the future.
- Anonymization – We had critiqued the confusing provisions around de-identification in the 2020 Bill, and the Government appears to have taken this into account, including by adding a new definition of “anonymize” and altering the definition of “de-identify”. The CPPA now expressly does not apply to personal information that has been anonymized.
What Organizations Should Do Now
- Stay Aware of Changes – We will be publishing posts explaining Bill C-27 in depth and sharing updates about coming-into-force. Please consider subscribing using the information below.
- Prepare for the Changes – There is a substantial list of new obligations, including with respect to privacy notices, policies and procedures, record retention, and accommodating individual rights. Organizations should plan for a significant compliance effort, though that effort may be less significant for organizations that already comply with other high standards, such as the GDPR or Quebec’s Bill 64.
- Prepare for Consultations – Organizations should be considering the impact the legislation will have on them and, if appropriate, the value of advocating for improvements and clarifications.
- An Evolving Digital Privacy Landscape—Comparing the Federal Bill C-27’s CPPA to Quebec’s Bill 64
- The End No Longer Justifies the Means: Bill C-27’s new Constraints on Processing Personal Information
- A Canadian Perspective on Regulating Dark Patterns
- The Dawn of AI Law: The Canadian Government Introduces Legislation to Regulate Artificial Intelligence in Canada
- Bill C-27 and Managing Information: Legitimate Interest, AI and Other Implications for Data Governance
- CPPA: problems and criticisms – anonymization and pseudonymization of personal information