As professor Michael Geist of the University of Ottawa notes, Canadian privacy law may be on track for significant changes under Bill C-11, which, if passed, will become the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPT). The proposed legislation is a significant overhaul of the existing law that governs how the private sector may use the personal information of individuals.
The current approach under the Personal Information Protection and Electronic Documents Act (PIPEDA) relies on a model code that serves to guide how the private sector manages individuals’ personal data.
Under PIPEDA, the Canadian Standards Association’s Model Code for the Protection of Personal Information is incorporated as Schedule 1 to the law and combined with enforcement rules in the act itself; that approach is gone. Instead, the CPPA features the same principles, and others, directly within the law itself, together with a new regime for issuing penalties for non-compliance.
Here are five ways the proposed law can affect individuals:
New Enforcement Regime
The legislation introduces a new tribunal with the power to impose fines and penalties. Organizations that breach the CPPA can be fined up to the greater of $10,000,000 and 3% of the organization’s gross global revenue, and organizations that knowingly commit certain offences under the CPPA can face fines of up to the greater of $25,000,000 and 5% of the organization’s gross global revenue. These penalties are imposed by the Personal Information and Data Protection Tribunal (the “Tribunal”) where the Privacy Commissioner recommends them. Other orders of the Commissioner can be appealed to the Tribunal.
Individuals have the right to bring a claim before the Tribunal, but only after the organization has been convicted of an offence under the CPPA or there has been a final determination by the Commissioner or the Tribunal that the organization breached its obligations under the CPPA. The individual can then claim damages for loss or injury suffered as a result of the offence or contravention.
Right to Access Personal Information in a Usable Format
Individuals will have the right to obtain their personal information from an organization in a usable format and the right to have it erased from the organization’s databases, among other rights. In the case of data portability, the right will be subject to the applicability of a data mobility framework under the yet-to-be-published regulations.
New Rules for Consent
The CPPA establishes requirements for consent, with standards on what must be included for consent to be valid, the circumstances requiring express consent (as opposed to implied consent), and a prohibition on making consent a requirement for a product or service beyond what is strictly necessary. Consent obtained through deceptive practices or with false or misleading information is invalid, and individuals can withdraw their consent at any time. However, there are also exceptions to the general consent requirement; consent is not required in the following circumstances:
- produced in the course of the individual’s employment
- prevent fraud
- witness statements
- disclosures to the organization’s lawyers
- journalistic, artistic or literary purposes
- a range of business activities including delivery of a product or service, due diligence, or system or network security
- transferring the information to another service provider (presumably to complete a service the individual has contracted for, but the bill is vague)
- de-identifying the personal information
- research and development if the data is de-identified
- proposed or completed business transactions
- statistical or scholarly study or research
- historical or archival importance
- law enforcement
- if it is in the individual’s interest, e.g. in an emergency where the individual cannot provide consent in a timely manner, or in cases of potential financial abuse
- socially beneficial purposes except where the data is de-identified and disclosed to a government institution, health care institution, post-secondary institution, library, or any other organization mandated to carry out socially beneficial purposes such as being related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.
Disclosure of the Use of AI in Decision Making
The CPPA introduces the concept of “automated decision systems”, defined as “technology that assists or replaces the judgment of human decision-makers using techniques such as rule-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets.”
As part of the openness and transparency requirements, organizations need to provide a “general account” of their “use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them”. Individuals also have a right to an explanation of the prediction, recommendation or decision, and of how the personal information used to make it was obtained.
De-Identification of Personal Information
The CPPA prohibits an organization from using de-identified information alone or in combination with other information to identify an individual, except in order to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information.
Further, an organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.
These proposals mark a significant shift in Canadian privacy law. We will need to monitor how things progress as the bill makes its way through the legislative process.