Since the turn of the century, Canadian data privacy law has been defined primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA). Two decades later, a new bill proposing the Digital Charter Implementation Act (DCIA) is being considered to succeed PIPEDA. DCIA is a large piece of legislation, as three smaller acts comprise the whole omnibus bill. These three acts are the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Electronic Documents Act (EDA); each of these acts addresses a different area of data privacy. In short, DCIA would repeal Part I of PIPEDA, retain and rename Part II of PIPEDA and create new enforcement frameworks for violations of Canadian data privacy law.
Whether your organization is currently operating in Canada or considering expansion, below is an overview of the key items to focus on with respect to DCIA. Following the summary are recommendations that your organization should focus on today to efficiently plan for Canada’s privacy upgrade.
I. Consumer Privacy Protection Act
CPPA would replace Part I of PIPEDA. This replacement would result in significant changes and updates in the realms of consent rights, data subject rights, disclosure requirements, and Artificial Intelligence (AI) and algorithms.
A. Consent. CPPA looks to shift away slightly from PIPEDA’s heavy focus on consent; under PIPEDA, consent was the primary legal justification for collection, use, and disclosure of personal information. This shift away from consent is primarily accomplished through a number of new exceptions to the consent requirement, including:
1. “Business Activities” Exception – Subject to a three-part test:
a. First, the activity must be a part of an exhaustive list of activities within the legislation. This list includes activities that “are necessary to provide or deliver a product or service that the individual has requested” and activities that are “necessary for the organization’s information, system or network security”.
b. Second, the intended manner of the activity must be one that a reasonable person would expect their data to be collected or used for.
c. Third, the personal information must not be collected or used “for the purpose of influencing the individual’s behavior or decision” in order to fall under the exception. For example, if the personal information is used for direct marketing, the activity would fall outside of the exception.
2. “Service Provider” Exception – Allows organizations to transfer personal information to service providers without the data subjects’ knowledge or consent. “Service provider” is defined as “an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes”.
3. “De-identification” Exception – Empowers organizations to use data subjects’ personal information without the individual’s knowledge or consent if it is de-identified.
4. Internal Research and Development Exception – Grants organizations the ability to use an individual’s personal information for internal research and development without the individual’s knowledge or consent if the information is de-identified before usage.
CPPA also loosens the requirement that a business acquire fresh consent prior to using personal information for a different purpose than the one disclosed upon collection. Under CPPA, organizations merely need to record the new purpose with no requirement to obtain fresh consent.
B. New Data Subject Rights. CPPA proposes the creation of several new rights for data subjects. These rights follow in the footsteps of other modern data privacy laws such as the General Data Protection Regulation (GDPR) and the newly-passed California Privacy Rights Act. The two primary new data subject rights are a right to data mobility and a right to deletion. The right to data mobility requires organizations to disclose any information they possess about the individual to an organization designated by the individual. This will likely make certain markets more competitive, as consumers will be able to easily transfer data from one business to another. Additionally, CPPA proposes granting consumers a right to deletion. With this right, data subjects will be empowered to request that covered organizations delete any personal information they hold.
C. Disclosures and Internal Procedures. CPPA would mandate a privacy management program for all covered organizations that must include the policies, practices and procedures respecting “(a) the protection of personal information; (b) how requests for information and complaints are received and dealt with; (c) the training and information provided to the organization’s staff respecting its policies, practices and procedures; and (d) and the development of materials to explain the organization’s policies and procedures put in place to fulfil its obligations under [the] Act.” Additionally, CPPA would require the Canadian Privacy Commissioner to provide guidance for complying with the privacy management program requirements upon request. This should make achieving compliance easier for covered entities.
D. AI and Algorithms. CPPA is drafted to address the concerns of AI, something not contemplated under PIPEDA. Specifically, CPPA would regulate “automated decision systems”, defined as “any technology that assists or replaces the judgement of a human decision-maker using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning, and neural net.” Critically, the definition includes any technology that merely assists the judgement of a human decision-maker, which makes the definition broadly applicable. Any organization that uses an automated decision system must, upon request by a data subject, provide that data subject with an explanation of the prediction, recommendation, or decision made by the automated decision system and of how their personal information was used to make it. Consequently, Canada’s regulation of AI and algorithms may become more wide-reaching than the European Union’s influential GDPR, under which only decisions made “solely” by an automated system are subject to regulation.
II. Personal Information and Data Protection Tribunal Act
DCIA highlights a concerted push for stricter enforcement of Canadian data privacy law. Under DCIA, the previously-mentioned Privacy Commissioner would now have order-making powers, something that the Commissioner currently does not have. With order-making powers, the Privacy Commissioner would be able to order companies to take or refrain from certain actions regarding the collection or use of personal information. Additionally, the Privacy Commissioner will be able to make recommendations for financial penalties. Some of these penalties may include 3% of global revenue or $10 million for non-compliance. In the case of a serious violation, 5% of global revenue or $25 million in fines may be recommended.
Through DCIA, PIDPTA would create the Personal Information and Data Protection Tribunal (Tribunal). Primarily, the Tribunal would exist to hear appeals from the Privacy Commissioner and adjust or eliminate penalties if appropriate. The Tribunal’s rulings would be able to override the Privacy Commissioner’s findings and recommendations. Additionally, the Tribunal would be empowered to issue its own penalties, if appropriate.
III. Electronic Documents Act
The EDA is the simplest part of DCIA. Simply put, it is a renaming of Part II of PIPEDA. No material changes are being proposed to the text of the law. Consequently, PIPEDA Part II’s goal of legitimizing electronic documents as legally-binding alternatives to paper documents remains unchanged.
We are still in the early stages of bill introduction. However, it is important for organizations to keep in mind that change is coming and there are steps that can be taken now to allow for an efficient and cost-effective transition when a new privacy regime goes into effect.
What to Do Now?
- Develop sound policies and procedures that govern your organization’s collection, use and sharing of information. If these policies and procedures are in place, they should be reviewed annually to confirm updates. Keep in mind the potential new consent exceptions and how these may impact your organization’s collection practices if ultimately passed.
- Once sound policies are in place, form a privacy management program. A committee or designated officer should be in charge of the management and implementation of the program with buy-in from all organizational departments.
- If your organization is currently using or planning to use automated decision systems in the handling of personal data, tailor policies to comply with specific automated decision-making requirements (including existing US and international laws). It is key to assess the risks and benefits derived from using automated decision systems in different areas and to record the determinations and reasoning for continuing or ceasing the usage of automated decision systems.
- Train, train, train… Many organizations have policies and procedures in place but don’t ensure employees have the proper training and support to understand when privacy laws come into play. Create cheat-sheets and guides for employees to ensure key privacy procedures are followed during the most at-risk scenarios.
- Test your organization’s procedures. Can your business operationalize its policies? Think through whether your organization can respond to and act on a deletion or data mobility request from a data subject (and require your subcontractors to do so as well).
Understand that the risks of noncompliance will increase in severity – now is the time to act. McGrath North’s Privacy and Cybersecurity Practice Group is here to help. Contact McGrath North’s experienced attorneys for practical guidance that your organization can efficiently and economically operationalize.