Background
On November 17, 2020, Bill C-11, the Digital Charter Implementation Act, 2020 was introduced. If passed, the proposed Act would repeal part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and a new Consumer Privacy Protection Act (CPPA) would regulate the way in which personal information is collected, used and disclosed by private sector organizations in the course of their commercial activity.
The bill would also create an administrative tribunal to hear appeals of decisions made by the Privacy Commissioner of Canada and impose penalties. Currently, such appeals are heard in federal court.
As technology continues to evolve, the proposed Act is meant to protect Canadians by creating and enhancing current obligations, including:
- Increasing control and transparency when Canadians’ personal information is handled by companies;
- Giving Canadians the freedom to move their personal information from one organization to another;
- Ensuring that Canadians have the ability to request that their personal information be destroyed;
- Providing the Privacy Commissioner with broad order-making powers, including the ability to force an organization to comply; and
- Fines of up to 5% of revenue or $25 million.
What Will Change?
The proposed Act brings about many changes. Highlighted below are what we feel are some of the most significant:
Privacy Program: Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect and deal with personal information. The Office of the Privacy Commissioner (OPC) could request these procedures at any time.
Consent: The Act adopts elements of the OPC's Guidelines for obtaining meaningful consent, creating transparency requirements.
Exceptions: The Act defines a list of “business activities” for which an organization can process personal information without consent.
Transfers to Service Providers: The Act would establish that consent is not required to transfer personal information to a service provider.
Automated Decision-Making: If an organization uses an “automated decision system”, under the Act, it must ensure that the way a prediction, recommendation or decision about a person is made is documented.
Data Mobility: Under the Act, on the request of an individual, an organization must, as soon as feasible, disclose the personal information it has on file about the individual to another organization if those organizations are subject to a “data mobility framework”.
Disposal of PI: The Act would provide individuals with an explicit right to request the deletion of their personal information.
Revised OPC powers: The OPC would have the authority to issue enforcement orders and recommend penalties. Currently, the OPC only has the power to recommend measures after an investigation.
Private Right of Action: The Act would allow individuals to sue companies within two years following a regulatory investigation. The individual would have to prove loss in order to recover damages.
Codes of practice and certification: The Act would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.
What Do We Do?
For now, we wait, but plan for changes to your privacy program in the years ahead. If the bill is passed, the draft legislation will be open for a comment period in which you are encouraged to submit comments. The OPC released a statement on November 19, 2020 related to the bill. Our guess is we will see amendments based on the OPC's statement.
We’re Here To Help
If you have questions related to this or privacy legislation in general, please contact us.