Times are changing with respect to laws governing the protection of personal information and privacy. Indeed, having no other choice but to adapt and ride the wave, the federal government, after protracted consultations and several proposals and reports in recent years, tabled on November 17 Bill C-11, the Digital Charter Implementation Act, 2020 (hereinafter the Bill).
This initiative follows recent major developments in the digital sphere: in Europe, the adoption of the General Data Protection Regulation (GDPR); in California, the adoption of the California Consumer Privacy Act of 2018; and, closer to home, the tabling of Bill 64 by the Government of Quebec.
This article is intended as a brief overview of the Bill and sets out some important impacts on private companies operating in Canada.
The current federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), dates from 2000 and has undergone a few changes since it came into force, including significant ones in 2015 and more recently in 2018 (the latter relating to the oversight of the security breach framework). In 2020, that is no longer sufficient given the conditions that now exist. Indeed, given the major strides in the digital industry, a redesign of PIPEDA was needed.
The federal government therefore had to meet its goals and strike the right balance between protecting the privacy of Canadians and recognizing the critical role of personal data in a modern global data-driven economy.
The Bill was therefore eagerly anticipated: it clarifies certain concepts; it grants increased protections to individuals and imposes new obligations on organizations.
The Bill is based on well-known basic principles, including transparency, security, accountability and validity of consent, principles that are all dear to Canadians. Regarding consent, a central element of data collection, new rules are proposed to better regulate it, in particular its content, its form and the appropriate time to obtain it, while also introducing certain exceptions to the consent requirement. The Bill requires organizations to communicate their intentions in plain language.
Part 1 of the Bill enacts the Consumer Privacy Protection Act, whose main consequence is to repeal Part 1 of PIPEDA, while Part 2 of the Bill enacts the Personal Information and Data Protection Tribunal Act, which establishes a new administrative tribunal for the protection of personal information and data (the Tribunal). This new Tribunal will notably have the power to impose penalties on offenders.
Finally, it is expected that the Bill, once in force, will coexist with provincial laws on the protection of privacy, in particular protections granting specific rights and obligations in certain areas, for example concerning medical and financial data.
One of the most significant changes is the granting of increased powers to the authorities to better protect individuals and their personal information. At this time, the Office of the Privacy Commissioner of Canada (the Commissioner) does not have the power to issue orders or recommend financial penalties.
The Bill, however, grants new powers to the Commissioner, including the power to order an organization to take action to comply with the law or to halt practices that infringe on the law. Also, under the Bill, the Tribunal may impose penalties and fines on the recommendation of the Commissioner and will hear appeals against the Commissioner's orders.
With respect to financial penalties, the Bill proposes administrative penalties of up to 3% of overall revenue (up to a maximum of 10 million dollars) for organizations breaching the law, particularly for infringements of the provisions relating to consent, collection, use, retention and removal of personal information, and of certain security provisions.
These penalties will be imposed by the Tribunal on the recommendation of the Commissioner. For more serious offences (non-cooperation with or refusal to act on legitimate requests made under the law, obstruction of an investigation or request from the Privacy Commissioner, serious infringement in the event of a security breach, etc.), the Bill provides for sanctions of up to 25 million dollars or 5% of the organization's worldwide gross annual income, whichever is higher. However, organizations may invoke a due diligence defence.
Although the Bill differs slightly in this respect, its penalties are modelled on those provided for under the GDPR and in Bill 64.
The Bill also introduces a private right of action and, therefore, the possibility for individuals to take legal action before the courts. However, how this right can be exercised remains to be assessed.
New rights are granted by the Bill, giving Canadians greater control over their data; some of these new rights draw heavily on European legislation.
First, the Bill incorporates a right to data portability that would allow an individual to request that an organization transfer their personal data to another organization.
Next, a right to request correction of information held and a right of withdrawal are introduced, the latter allowing individuals to request that an organization remove all personal information it has collected about them.
Also, as in Quebec, the Bill reflects the new realities of artificial intelligence and proposes to regulate decisions made using automated systems, in particular by giving individuals the possibility of asking an organization to explain predictions or decisions made by these systems.
The Bill departs somewhat from PIPEDA and requires a higher level of protection from an organization that transfers data to service providers. Indeed, if an organization wishes to transfer personal information to a service provider, it must ensure, by contract or otherwise, that the service provider provides essentially the same protection of personal information that the organization is required to provide under the Bill.
This means that service providers could now be required to provide security guarantees, including notifying the organization when a breach of its security safeguards occurs.
In this regard, privacy policies must be easily accessible and include a description of interprovincial and international transfers of personal information and the consequences of these transfers on the privacy of individuals. It is expected that most current privacy policies will need to be reviewed.
Finally, other changes deserve consideration, namely the obligation to appoint an internal compliance officer, in other words a privacy officer. This officer will, in particular, be responsible for implementing a personal information protection management program, which must be proportionate to the volume and sensitivity of the data handled by the organization.
Since the Bill is still in its infancy, it may be amended before reaching its final form, especially since it comes at the time of other important provincial reforms, which may influence legislators on both sides of the aisle.
However, it is not too early for organizations to begin questioning their current practices and to consider reviewing them.
In the coming months, it will be important for companies to commit firmly to protecting the confidentiality of customer and user data and to educate their employees in this regard. This is even more important for companies that operate digitally and handle large amounts of personal information.
We therefore advise companies to roll out an action plan aimed at improving current practices and measures and correcting any shortcomings. Obviously, this plan will have to be revised in light of the laws that are ultimately adopted, but it is better to prepare now: however uncertain the final result may be, it is certain that the measures required to protect consumers' privacy will change.
Feel free to call us at your earliest convenience to discuss these issues before it is too late!