Bill C-11 was tabled as part of the Digital Charter Implementation Act, 2020 and had two component parts: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). It would have represented a big step forward in modernizing Canada’s privacy legislation. The bill died when a federal election was called for September 2021 before it could be passed. However, in 2022, work is being done on a new bill.
The following article looks at Bill C-11 and the CPPA and the implications for both Canadian citizens and businesses. It is for archival purposes only, and we will prepare a new article if new privacy legislation passes in Canada.
Read on to learn more about:
- What is Bill C-11 and the CPPA?
- Powers of the Privacy Commissioner under the CPPA
- A brief overview of PIPEDA
- Comparison of PIPEDA and the CPPA
- Changes to definitions of valid consent
- Consumer rights under the CPPA
- Responsibilities of businesses and foreign companies under the CPPA
- Appropriate purposes for data processing
- Penalties and enforcement
- Comparisons of the CPPA with the GDPR and CCPA
What is Bill C-11 and the CPPA?
The Digital Charter Implementation Act (Bill C-11) introduced new legislation for the collection, distribution, use and disclosure of personal information for commercial activity in Canada. This updated legislation would repeal parts of the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in place since 2000.
Under Bill C-11, the updated Consumer Privacy Protection Act (CPPA) has been proposed, with the aim of modernizing regulation of the commercial activities of Canadian private sector organizations and establishing more robust protections over the personal information of Canadian individuals. Of note is that the bill references “individuals”, and does not specify “citizens” or “residents” of Canada. PIPEDA uses the same language.
Powers of the Privacy Commissioner under the CPPA
The Privacy Commissioner would retain existing powers and receive additional ones relating to oversight and compliance. These include investigations and audits of business activities as they pertain to privacy protection. Additionally, it would initiate inquiries into alleged violations of the CPPA. Tribunals could be called under PIDPTA to hear appeals issued by the Commissioner and to administer penalties for violations as applicable under CPPA regulations.
Under the CPPA the Privacy Commissioner may:
- Request the production of records
- Enter private places to examine records
- Share relevant information with federal regulatory bodies
- Share information with provincial authorities and foreign states
A brief overview of PIPEDA
Before the introduction of the CPPA, PIPEDA required all private sector organizations across Canada that use personal information for commercial activity to obtain individuals’ consent prior to the collection, use and/or disclosure of their personal information. The CPPA adds more exceptions to circumstances when obtaining consent is required.
Requiring consent before data collection is commonly referred to as an opt-in model, such as is used by the General Data Protection Regulation (GDPR) in the EU and the General Data Protection Law (LGPD) in Brazil. The alternative model for consent is opt-out. Under that model companies do not have to get consumers’ consent before data collection, rather only if the data is to be shared or sold. This model has been adopted in the United States, to date in California with the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA).
Categories of personal information could include:
- Ethnic background
- Blood type
- Identification numbers
- Personal opinions, comments, or evaluations
- Social status
- Disciplinary actions
- Employee files
- Credit and/or loan records
- Medical records
- Records of dispute
- Commercial intentions
- Professional intentions
Under PIPEDA, individuals retained full right to access and challenge the accuracy of any information about them held by an organization. Personal information could only be used for the express purpose(s) for which it was collected and any ulterior or additional usage would require additional consent from the individual.
Generally, PIPEDA did not apply to:
- Personal information held by the federal government under the Privacy Act
- Business contact information
- Individuals’ collection of personal information for personal purposes
- Collection of personal information for journalistic, artistic or literary use
- Provincial or territorial governments and their agents
- Not-for-profit organizations and charities
- Political parties and associations
- Universities, schools, hospitals and municipalities
Comparison of PIPEDA and the CPPA
The scope of who is protected under PIPEDA and the CPPA does not change, and both laws explicitly reference the protection of individuals and federal employees or applicants. Individuals would receive private right of action (the ability to sue companies for violations) under the CPPA, which they did not have under PIPEDA. The CPPA does strengthen consent requirements to ensure it is explicit and informed, though also has more exceptions to when consent is required. The CPPA also has more detailed requirements for organizations to explain data collection purposes and use, and how individuals can contact organizations with questions or requests.
No further restrictions have been added on transferring data outside of Canada, but under the CPPA individuals have new rights for data mobility/portability, with companies required to provide necessary safeguards. Individuals do not have the ability to opt out of automated decision-making using their personal data under the federal CPPA (as under provincial Quebec law), but they would receive the right to receive an explanation about that usage.
Companies have more accountability obligations under the CPPA regarding identifying purposes for data processing, notifications in the event of a breach, and implementing and maintaining a privacy management program, which includes deletion of data upon request. While under PIPEDA companies could only retain data as long as needed to fulfil the specific communicated purpose, under the CPPA individuals can make requests at any time to have their data deleted as soon as is reasonably feasible, and be notified when it’s done (with some exceptions).
Under the CPPA the Commissioner has expanded powers of enforcement. Companies will have to perform privacy assessments in circumstances other than after a breach. If there is a breach, the CPPA is more specific about how quickly notifications about it must be made, and the potential penalties if that’s not done. The CPPA only notes that notification must be done as soon as is “feasible”, however, and not within a more specific time frame like within 72 hours as required by the GDPR. Additional recordkeeping about breaches is also a new requirement. Fines that can be levied for upheld violations can be substantially higher than under PIPEDA. The previous maximum fine was CA $100,000 per violation, but fines are now more in line with those under other international privacy laws. For most violations, the maximum fine is CA $10 million or 3 percent of global annual revenue for many fines, but for particularly severe violations it’s CA $25 million or 5 percent of global annual revenue.
Changes to definitions of valid consent
While both PIPEDA and the updated CPPA legislation require companies to obtain valid consent before collecting, using, and/or disclosing any individual’s personal information, there are some notable differences between the two legal frameworks.
Building on PIPEDA, the CPPA introduces a range of additional exceptions to the standard requirements for consent:
- Organizations may transfer an individual’s personal information to a service provider without consent if necessary for delivery of a product or service that the individual has requested
- Organizations may use an individual’s personal information to de-identify the information (learn more in Data Anonymization: The What, Why, and How of Data Anonymization)
- Organizations may use an individual’s personal information for internal research and/or development, provided that the information is de-identified prior to use
- Organizations may disclose an individual’s personal information to any government, healthcare, post-secondary educational institution, or library, provided that the information is first de-identified, and provided that it is for the benefit of public amenities, infrastructure, environment, or other prescribed purpose.
Under the CPPA companies must obtain valid consent before collecting, using, and/or disclosing any individual’s personal information. For consent to be considered valid, organizations must provide individuals with the following information in “plain language”:
(a) The type of personal information to be collected, used, or disclosed
(b) The intended data collection method to be used
(c) The purpose for data collection, use and/or disclosure
(d) A list of “reasonably foreseeable” consequences of the collection, use and/or disclosure
(e) The names of any third parties or types of third parties to which the information may be disclosed
Under the CPPA companies cannot require an individual’s consent to the collection, use, or disclosure of their personal data as a condition for the supply of the product or service in question. Furthermore, any consent obtained via deceptive means will be considered necessarily invalid.
The only conditions under which an organization may collect and/or use an individual’s personal information with consent are:
(a) To deliver products or services requested by the individual from the organization
(b) To carry out due diligence as part of organizational risk prevention
(c) To support the organization’s system, network security or the safety of a product or service
(d) In cases where it is impractical to obtain individual consent for lack of a direct relationship
Consumer rights under the CPPA
Canadians have established rights under PIPEDA when it comes to the use of their personal information, and there are some changes and expansions under the CPPA. Individuals would now be able to withdraw previously granted consent and opt out of information sharing at any time. In order to do so, individuals would need to provide reasonable notice to the organization in question, after which the organization must inform the individual about cessation of collection or disclosure of their personal information.
Under the CPPA, individuals would have “private right of action”, which enables them to sue organizations under certain circumstances if privacy violations are upheld by the Privacy Commissioner after investigation. Individuals can claim damages for loss (financial or otherwise) and/or injury suffered as a result of the violation. The offending organization may also be subject to administrative fines levied by the Privacy Commissioner.
Individuals have the right to access their personal information, and request amendments to it if it is incorrect or outdated. Organizations that receive such requests are then legally required to respond within 30 days of receipt. Any inaccurate, outdated, or incomplete information must be amended to the individual’s satisfaction. Individuals can also request the deletion or transfer of their information to another organization at any time (data portability) and the company has to ensure that necessary safeguards for the data remain in place for that process.
Responsibilities of businesses and foreign companies under the CPPA
In addition to protecting the rights of public individuals, PIPEDA includes federal employees and applicants (though not private sector individuals in their capacity as workers), and this continues under the CPPA. Organizations also need to be clearer and more detailed under the CPPA with regards to requesting consent for data processing, ensuring it is informed and explicit, and that proof of consent can be provided.
Companies would not be any more restricted from transferring data outside of Canada under the CPPA, though they do have to enable user data to be deleted or transferred elsewhere upon request, and to appropriately safeguard the data at all points. They would also be less restricted in how long they can keep data than under PIPEDA, which stipulated data could only be kept for as long as needed to fulfill the purpose for which it was collected. Organizations do not have to enable users to opt out of automated decision-making that’s done using their data, but they do have to be able to provide an explanation about that usage and how it’s done, upon request.
In the event of a breach, companies would have more accountability obligations under the CPPA, especially regarding notifications and sending them as quickly as possible, as well as recordkeeping related to any breaches. Organizations would also need to implement and maintain a privacy management program and perform privacy assessments, as a matter of regular operations and not just when there was a breach.
With the private right of action that individuals would receive under the CPPA, companies would either have to prove that a breach did not occur if accused of a violation and sued for it, or reasonably disprove that damages or injury occurred. As we have seen with lawsuits to date resulting from the CCPA in California, it has been difficult to achieve that. Under the CPPA companies would also be at risk of far higher penalties than under PIPEDA if a violation is upheld.
Appropriate purposes for data processing
Under the CPPA, Section 12(2), organizations may only collect, use or disclose personal information in “appropriate” circumstances, relating to:
(a) the sensitivity of the personal information;
(b) whether the purposes represent legitimate business needs of the organization;
(c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
(e) whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Potential contraventions of the CPPA by businesses, separate from violations themselves, which are punishable by fine, include:
- Re-identifying personal information that has been de-identified
- Contravening any order issued by the Privacy Commissioner following an enquiry
- Obstructing the investigation of a complaint or the conduct of an audit
Penalties and enforcement
Noncompliance penalties under the CPPA would be significant. Most fines would be up to 3 percent of a company’s total global revenue for the previous year, or CA $10 million (whichever is higher). For the highest tier offences, fines could be up to 4 percent of a company’s total global revenue for the previous year, or CA $25 million (whichever is higher). These thresholds are higher than those established by the GDPR, and the 5 percent number matches China’s Personal Information Protection Law (PIPL). This is a big step up from noncompliance fines under PIPEDA, which could levy a maximum CA $100,000 fine per violation under the Digital Privacy Act.
Under the updated measures, accused violators would be subject to a personal information and data protection tribunal, which will be responsible for hearing any appeals and determining the extent of the penalties due. The Commissioner will be ultimately responsible for performing necessary audits, issuing binding orders, recommending penalties and monitoring enforcement practices. The Commissioner cannot order fines itself, but can approve recommended penalties.
Comparisons of the CPPA with the GDPR and CCPA
PIPEDA has been law in Canada since 2000, but it is not known if or when Bill C-10 may be passed. The GDPR has been enforced in the European Union since 2018, and in the US, California had the first state-level American privacy law come into effect in 2020 with the CCPA. That will be partially replaced and expanded in 2023 with the CPRA. There is no federal US privacy law at this time, but to date Virginia [Consumer Data Protection Act (CDPA)] and Colorado [Colorado Privacy Act (CPA)] have also passed state-level privacy laws.
Until the CPPA is passed (or if it isn’t), PIPEDA will remain in force in Canada, which also has privacy laws in place at the provincial/territorial level. The GDPR and CCPA are extra-territorial, applicable to organizations that may not be headquartered or have a physical presence in the region covered by the law. The CPPA does not address extra-territoriality.
The GDPR covers employees broadly, not just federal ones, as the CPPA would. The CCPA is the only one of the laws with thresholds for which companies are subject to it, relating to annual gross revenue, the number of individuals whose data is processed annually, or the percentage of revenue generated from the sale of personal information. The CPPA and GDPR also require that companies have parties responsible for compliance, while the CCPA does not, though it does note the company’s responsibility for compliance and data protection.
All three laws require contractual agreements to be made with third parties that would receive and process personal information, with some exceptions. Data subjects must be notified before their data is accessed by any new or additional third parties, or if the purpose of processing communicated changes.
All three laws differ with regards to transferring data out of the country/region. The CPPA does not have restrictions on it, the GDPR requires “adequacy agreements” with all countries or regions to which data would be transferred, and the CCPA has provisions in the instance of mergers or acquisitions. It requires that consumers be able to opt out if how their data is to be used changes from the circumstances under which it was collected, which could include transfers and third parties to whom it would be sent.
The CPPA and GDPR provide individuals with rights to data portability, but the CCPA does not. Under the California law companies only have to provide various kinds of information about the data collected to the data subject. The CPPA and GDPR address use of data for automated decision-making, but the CCPA does not. The closest it gets is the right to non-discrimination. Neither the CPPA nor GDPR explicitly enable individuals to opt out of automated decision-making, but the GDPR does enable individuals to require the decisions that have a legal effect to be made by a human. The CPPA requires a company to clearly explain what data is being used and how in the automated decision-making upon request.
All three laws outline requirements for user consent, with some exceptions, and all three laws provide rights to erasure of data, also with some exceptions. The CCPA is the only one of the laws that does not require user consent before data collection, only before sale or sharing of it. The GDPR outlines six legal bases for processing personal data, of which consent is only one. Canada’s Privacy Commissioner already has published guidelines for obtaining meaningful consent, which would make sense to maintain, update, or expand if the CPPA is passed.
All three laws also have transparency requirements, so notifications and relevant information for individuals must be clear and detailed with regards to the request being made or information provided. The CCPA explicitly requires websites to have a clearly displayed “Do Not Sell My Personal Information” link.
All three laws have requirements for organizations to have privacy management programs, including maintained systems, assessments, etc. The GDPR particularly notes that this is required in higher-risk situations. Whereas the CPPA notes that privacy-related systems and operations need to be maintained generally, not just if there’s a breach. The CCPA relies on California law’s general breach notification statutes for how such events must be handled, but the CPPA and GDPR go into greater detail, particularly regarding reporting, notifications, and recordkeeping.
All three laws provide individuals with private right of action against companies. The CPPA requires the Privacy Commissioner and Tribunal’s involvement, and the CCPA is the only one of the laws with floor and ceiling amounts regarding damages. The CPPA would substantially increase potential penalties for violations over what they were under PIPEDA, with these amounts more in line with fines under the GDPR, and based on the company’s annual revenue. The CCPA outlines a monetary range per violation, per user, which may look less substantial initially, but US $2,500 to US $7,500 times millions of users could be a lot of money, especially since there isn’t an upper limit set for fines.
Under the GDPR, each region has its own enforcement authorities (typically country-based), whereas in Canada it’s handled federally by the Privacy Commissioner and Tribunal. With the CCPA being a state-level law, enforcement falls to the California Attorney General. Under the CCPA’s partial replacement, the CPRA, a new enforcement agency will be in place, the California Privacy Protection Agency (confusingly, also CPPA).
If and when passed into law, CPPA regulations will replace the previous 20-year-old PIPEDA legal framework. While both frameworks are designed to support the information privacy rights of individuals, the CPPA brings about some marked changes. Significant among them is the increased power granted to the Privacy Commissioner and the addition of substantially higher financial penalties for organizations proven to be in violation of CPPA regulations.
Consumers would gain greater freedom to request access to their personal data and/or request the removal of their personal information from company databases. Organizations would also be granted broadened parameters under which information can be legally used without consent. While there are notable differences in scope and details between the CPPA, the EU’s GDPR, and California’s CCPA/CPRA, the CPPA would bring Canadian regulations in line with those and other global privacy regulations, such as Brazil’s LGPD, South Africa’s POPIA, and China’s PIPL for an increasingly digital world.
Do you have questions about how changes to Canadian privacy law could affect your business? Talk to an expert today!