PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Changes to PIPEDA, Canada’s Private-Sector Privacy Law

Background

On November 17, 2020, Bill C-11, the Digital Charter Implementation Act, 2020 was introduced. If passed, the proposed Act would repeal part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and a new Consumer Privacy Protection Act (CPPA) would regulate the way in which personal information is collected, used and disclosed by private sector organizations in the course of their commercial activity.

The bill would also create an administrative tribunal to hear appeals of decisions made by the Privacy Commissioner of Canada and impose penalties. Currently, such appeals are heard in federal court.

As technology continues to evolve, the proposed Act is meant to protect Canadians by creating and enhancing current obligations, including:

  • Increasing control and transparency when Canadians’ personal information is handled by companies;
  • Giving Canadians the freedom to move their personal information from one organization to another;
  • Ensuring that Canadians have the ability to request that their personal information be destroyed;
  • Providing the Privacy Commissioner with broad order-making powers, including the ability to force an organization to comply; and
  • Fines of up to 5% of revenue or $25 million.

What Will Change?

The proposed Act brings about many changes. Highlighted below are what we feel are some of the most significant:

Privacy Program: Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect and deal with personal information. The Office of the Privacy Commissioner (OPC) could request these procedures at any time.

Consent: The Act adopts elements of the OPCGuidelines for obtaining meaningful consent, creating transparency requirements.

Exceptions: The Act defines a list of “business activities” for which an organization can process personal information without consent.

Transfers to Service Providers: The Act would establish that consent is not required to transfer personal information to a service provider.

Automated Decision-MakingIf an organization uses an “automated decision system”, under the Act, they must ensure how a prediction, recommendation or decision about a person is made is documented.

Data Mobility: The Act would allow that on the request of an individual, an organization must, as soon as feasible, disclose the personal information it has on file of the individual to another organization if those organizations are subject to a “data mobility framework”.

Disposal of PI: The Act would provide individuals with an explicit right to request the deletion of their personal information.

Revised OPC powers: The OPC would have the authority to issue enforcement orders and recommend penalties. Currently, the OPC only has the power to recommend measures after an investigation.

Private Right of Action: The Act would allow individuals to sue companies within two years following a regulatory investigation. The individual would have to prove loss in order to recover damages.

Codes of practice and certification: The Act would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.

What Do We Do?

For now, we wait but plan for changes to your privacy program in the years ahead. If the bill is passed, the draft legislation will be open for a comment period in which you are encouraged to submit comments. The OPC released a statement on November 19, 2020 related to the bill. Our guess is we will see amendments based on the OPCs statement.

We’re Here To Help

If you have questions related to this or privacy legislation in general, please contact us.

Meaningful Consent

Meaningful Consent

The Office of the Privacy Commissioner of Canada’s Guidelines for obtaining meaningful consent became effective on January 1, 2019. The new guideline builds on examining the current state of consent in Canada (see Background section below), and is meant to assist businesses in distinguishing between those things an organization “must do” to obtain meaningful consent, and those things an organization “should do” related to consent.

The guideline is comprised of seven guiding principles for obtaining meaningful consent. These are:

  1. Emphasize key elements (What personal information is being collected, with whom personal information is being shared, for what purposes personal information is collected, used or disclosed and risk of harm and other consequences);
  2. Allow individuals to control the level of detail they get and when;
  3. Provide individuals with clear options to say ‘yes’ or ‘no’;
  4. Be innovative and creative;
  5. Consider the consumer’s perspective;
  6. Make consent a dynamic and ongoing process; and
  7. Be accountable: Stand ready to demonstrate compliance.

Consent – Must Dos

The new guideline lists out the following things an organization must do in order to meet their obligations related to consent:

  1. Make privacy information readily available in complete form, while giving emphasis or bringing attention to the four key elements (What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to, with what parties personal information is being shared, for what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to and risks of harm and other consequences).
  1. Provide information in manageable and easily-accessible ways.
  2. Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.
  3. Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.
  4. Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.
  5. Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances.
  6. Allow individuals to withdraw consent (subject to legal or contractual restrictions).

There are also requirements related to the form of consent and consent for children under the age of 13. 

Background

The new guideline builds on previous publications examining the current state of consent.

In May 2016, the Office of the Privacy Commissioner of Canada (OPC) published a discussion paper exploring potential enhancements to the Personal Information Protection and Electronic Documents Act (PIPEDA). The paper asked organizations, individuals and other interested parties to provide comments related to key issues and potential solutions to the consent model as currently formulated.

On June 15, 2017 the Office of the Privacy Commissioner of Canada (OPC) published a report on qualitative public opinion research conducted with Canadians on the issue of consent under the PIPEDA. The purpose of the research was to understand Canadians’ opinions, attitudes, and concerns with respect to consent.

It was noted that the question of consent became a recurring theme in discussions and emerged as the key measure used by participants for assessing what are acceptable or not acceptable uses of personal information by companies. There was widespread agreement among participants that consent implies both understanding and acceptance of terms and conditions related to the collection and use of their personal information.

On September 21, 2017, the OPC also published their Report on Consent in their 2016-17 Annual Report to Parliament. The report outlined recommendations to address consent challenges posed by the digital age.

Keep In Mind

Consent is one of the foundational elements of PIPEDA. To ensure your organization is always meeting requirements related to consent, you should be able to answer yes (and evidence) the following questions from the OPC’s PIPEDA Self-Assessment Tool related to consent, regardless of the types of products or services you offer:

  • You obtain customer consent for any collection, use or disclosure of personal information.
  • If you don’t obtain customer consent for the collection, use and disclosure of personal information, you have determined that it is not required under s.7 of PIPEDA.
  • You make reasonable efforts to ensure that clients and customers are notified of the purposes for which personal information will be used or disclosed.
  • You do not require clients and customers to consent to the collection, use or disclosure of personal information beyond what is necessary to fulfill explicitly specified and limited purposes as a condition of supplying a product or service.
  • You assess the purposes and limit the collection, use and disclosure of personal information when it is required as a condition for obtaining a product or service.
  • You obtain consent through lawful and fair means.
  • You allow a client or customer to withdraw consent at any time subject to legal or contractual restrictions and reasonable notice.
  • You inform clients and customers of the implication of the withdrawal of consent.
  • You consider the sensitivity and intended use of personal information, and the reasonable expectations of clients and customers in determining which form of consent (implied or expressed) you will accept for the collection, use and disclosure of personal information.

It is important to note that evidence of consent should be retained in a manner that is easily retrievable and easily sortable.  

We’re Here To Help

If you have questions about this new guideline regarding your consent obligations under PIPEDA, or compliance in general, please contact us.

Return to Blog Listing