On November 7, 2020, Canada’s government introduced Bill C-11, which is composed of two statutes: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA).
The CPPA will replace Canada’s existing privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), while PIDPTA will create a new tribunal to enforce CPPA and impose penalties on violators.
While some aspects of Bill C-11, which is currently moving through the legislative process, may change on its road to receiving royal assent, it is slated to be one of the strictest data protection laws in all of the G-7 (Canada, France, Germany, Italy, Japan, the UK, and the US).
Bill C-11: What’s New?
The proposed CPPA will bring with it some key changes to Canadian data protection laws. Specifically, it will increase the data privacy rights of individuals, the obligations of controllers and processors of data, the powers of enforcement, and the penalties.
Individual Rights and Definitions
The Right of Data Mobility: The CPPA will enhance data subject rights for individuals by allowing Canadians to have clearer and more manageable access to their personal data. Going one step further than the data portability right in the EU’s General Data Protection Regulation (GDPR), the new law will introduce a right of mobility to personal information. This will allow an individual to request that their information be transferred from the organization that collected it to another organization of the individual’s choosing, provided that both organizations qualify under the data mobility framework. The exact qualifications of that framework will be laid out in the final draft of the CPPA.
The Right of Erasure: Canadian consumers will also have the right of erasure, meaning that individuals will be able to request that an organization delete all of the personal data that pertains to them. Organizations will have to comply with an individual’s demand to exercise these rights within a time frame to be determined.
Meaningful Consent: Meaningful consent is the cornerstone of the CPPA and can only be considered valid if the following information is provided in plain language:
- The purpose of the collection, use, or disclosure of information
- The way the information is to be collected, used, or disclosed
- Any reasonably foreseeable consequences of such collection, use, or disclosure
- The specific type of information that is to be collected, used, or disclosed
- The names of any third parties or types of third parties to which the organization may disclose the personal information
Plain Language: The purpose of emphasizing the use of plain language is to ensure that individuals fully understand what they are consenting to. The validity of consent is also contingent on showing that the consent was either explicit or that it was implied based on the circumstances. While acceptable circumstances for implied consent are to be determined, merely having to prove that consent was given means that organizations must be prepared to create new internal documentation procedures — or evaluate existing ones.
The CPPA will also increase transparency around the use of automated decision-making systems by giving individuals the right to an explanation for any predictions, recommendations, or decisions those systems make.
Obligations of Organizations
Privacy Policies, Procedures, and Reporting to the OPC: The CPPA increases the obligations of controllers and processors of data, requiring organizations to implement privacy management programs that maintain data protection and privacy policies and procedures. These procedures must be accessible to the Office of the Privacy Commissioner of Canada (OPC) upon request. These programs must include the receipt and handling of individual rights requests, staff training, and any supporting policies and documentation that explain how the law is implemented across the organization.
The CPPA will also allow organizations to gain approval from the OPC for codes of practice and certification programs that establish rules for how the CPPA applies to certain activities, sectors, or business models. This will help organizations understand their obligations under the CPPA and better demonstrate effective compliance.
Service Providers: Under the CPPA, specific obligations will be imposed on service providers who receive transferred personal information. Service providers are defined as any organization which “provides services for or on behalf of another organization to assist the organization in fulfilling its purposes,” and which includes subsidiary or affiliate corporations and contractors.
When an organization transfers personal information to a service provider, the service provider will be required — through contract or otherwise — to provide substantially the same protection as the organization that collected it. Unless the service provider collects, uses, or discloses transferred information for a purpose other than the one for which the personal information was transferred, the service provider will be exempt from most of the CPPA’s obligations, except requirements related to security and data breach notification.
De-identification: The CPPA will allow organizations to use personal information for certain purposes without the data subject’s knowledge or consent, provided they de-identify the information. Acceptable circumstances may include, for example, internal research and development or the context of prospective business transactions.
Any technical and administrative measures that a business applies to the information must be proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information. Organizations will also be prohibited from using de-identified information in combination with other data that could re-identify an individual.
In addition to providing these individual rights and company requirements, Bill C-11 will:
- create a second enforcement body in the form of a special tribunal through PIDPTA
- increase penalties for CPPA violations
- empower individuals with a new private right of action
PIDPTA: Currently, Canada’s enforcement of data protection laws rests with the OPC, but through PIDPTA, enforcement will be divided between the OPC and a new tribunal. Under the CPPA, the OPC will gain the power to launch an official inquiry — and is responsible for rendering a decision in order to close the inquiry. The OPC will also be able to recommend monetary penalties to the new tribunal.
OPC decisions will be open to legal challenge. Individuals will be able to appeal a finding, order, or decision made through the new tribunal — and the tribunal can determine whether to impose a penalty. It may choose to undertake the OPC’s recommendation or to impose its own decision.
Increased Penalties: The CPPA will also allow for higher fines on infractions than are currently available under PIPEDA. Some administrative penalties would amount to 3% of an organization’s global revenues (as opposed to GDPR’s 2%), or CA$ 10,000,000 — whichever is greater. The most serious offenses could carry up to 5% of an organization’s global revenues (as opposed to GDPR’s 4%), or CA$ 25,000,000 — whichever is greater.
Private Right of Action: The CPPA will introduce a new private right of action that allows individuals to bring a claim for damages suffered as a result of an organization’s violation. Before a claim for damages can be filed, the right of action requires that the organization either:
- be found to have actually contravened the CPPA or
- be fined for a violation that falls under certain sections of the CPPA
The private right of action carries a two-year statute of limitations.
Parallel Provincial Privacy Reform
In addition to Bill C-11, organizations must be aware of provincial privacy reforms. Quebec introduced Bill 64 in June 2020 with the intention of modernizing its current privacy laws. If passed, Bill 64 will increase obligations for both public and private organizations regarding how they hold and protect their customers’ personal information.
British Columbia is in the early stages of reforming its Personal Information Protection Act after conducting a review in 2020 that highlighted the legislation’s failure to keep pace with national and international privacy trends.
Also in 2020, Ontario began considering improvements to its privacy framework and found its legislation lacking. Organizations can expect new legislative proposals in British Columbia and Ontario in the near future.
What Organizations Need to Do to Prepare
While Bill C-11 is making its way through the legislative process in Canada, organizations should monitor the proposed legislation’s development and consider how it will impact their business.
Organizations that are already compliant with GDPR and Brazil’s General Personal Data Protection Law (“LGPD”) will be in better standing for CPPA compliance, but will still need to take additional steps to uphold the Canadian law’s unique provisions. BigID’s data intelligence platform enables organizations to discover, identify, map, and gain full visibility into all of their personal, sensitive, and regulated data across policies — and throughout their entire data landscape. Companies can fulfill their CPPA compliance obligations, operationalize privacy across the organization, automate data rights requests, and ultimately protect their customers’ data at scale.
Check out BigID in action to see how we help businesses address upcoming requirements for CPPA compliance — and build a proactive privacy program for current and new regulations.