Publication
More Change Ahead: Amendments Submitted Regarding Canada's Consumer Privacy Protection Act
Published November 22, 2023
The Digital Charter Implementation Act, 2022 (Bill C-27) is progressing through Parliament and has reached the Committee on Industry and Technology (INDU). On October 3, the Minister of Innovation, Science and Industry (Minister) provided a series of proposed amendments to Bill C-27 (C-27 Amendments), to be reviewed and considered by INDU.
If Bill C-27 is passed, it will enact three new statutes: (a) the Consumer Privacy Protection Act (CPPA), an Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in the course of commercial activities; (b) the Personal Information and Data Protection Tribunal Act, which will establish an adjudicative tribunal; and (c) the Artificial Intelligence and Data Act (AIDA), which will govern the responsible deployment of artificial intelligence technologies in Canada.
This article will discuss the C-27 Amendments in relation to the CPPA and provide a high-level overview of the new privacy legislation. It is the second in a series of articles summarizing key aspects of the new statutes and their respective Bill C-27 Amendments. See our previous article on the proposed C-27 Amendments to AIDA (here), stay tuned for our upcoming article detailing the differences between the CPPA and PIPEDA, including the marked changes in penalties and other remedies.
The Proposed C-27 Amendments
The Minister has proposed three amendments to the CPPA which, if accepted, will amend the CPPA to:
1. Explicitly recognize privacy as a fundamental right
Recognizing privacy as a fundamental right in the CPPA and Bill C-27 is aligned with the view of Canadian privacy legislation being 'quasi-constitutional' in nature.[1] Fundamental rights have supremacy where legal conflicts arise. This means that in the event of conflict between the right of privacy and the rights afforded to businesses by the CPPA, the right to privacy would take precedence.[2]
2. Recognize and reinforce the protection afforded to children
Under this broadly supported amendment, Corporations would be required to consider the "special position of children" when considering whether their data harvesting is appropriate.[3] Children's privacy protections would be added in both as a general guiding principle and a specific consideration.
3. Provide the Privacy Commissioner more flexibility to reach “compliance agreements"
This amendment would allow the Privacy Commissioner to offer an alternative remedy to non-compliant organizations in the form of a voluntary compliance agreement. By reaching an agreement with the Privacy Commissioner, the non-compliant organization could avoid going to the Personal Information and Data Protection Tribunal or court. The proposed amendment would provide broader enforcement powers to the Office of the Privacy Commissioner, by allowing the Privacy Commissioner to impose a financial penalty as part of the compliance agreement, rather than limiting such penalties to orders of the Personal Information and Data Protection Tribunal or a court.
These amendments respond to four of the 15 key recommendations proposed by the Privacy Commissioner.[4] There remain outstanding concerns which INDU has noted, several of which are particularly important to organizations:
1. What constitutes a "legitimate interest"?
The bill currently provides for certain exceptions to the requirement for consent. These exceptions are generally rooted in necessity, but they also allow for carveouts if the organization has a "legitimate interest" that outweighs potential adverse effects owing to non-consent-based collection, use or disclosure of personal information. The issue here is that "legitimate interest" is not defined within the CPPA. While "legitimate interest" is judged on a reasonable person standard, the lack of a formal definition may leave the section too vague.[5]
2. Will the government possess too much regulatory authority under the CPPA?
The current iteration of the CPPA grants the government the power to make exceptions to the law by way of regulations without needing to demonstrate that those exceptions are necessary.[6] This authority includes the ability to make regulations exempting activities from the application of the CPPA. The Privacy Commissioner has raised concerns that this amount of power is too broad.[7]
3. Will the requirements for international data flows negatively affect international business relationships?
One of the stated goals of the CPPA is to achieve the highest level of privacy protection internationally.[8] How this will be achieved is presently under debate.[9] Currently, the CPPA requires that, when data is transferred to a service provider (within or outside of Canada), the organization transferring the data must ensure, by contract or otherwise, that the service provider will meet the standards required under the CPPA.[10] It's unclear whether this current approach—which will effectively require all service providers to meet the CPPA standard—would have a negative effect on the ability of service providers in other countries to provide services to Canadian businesses.
The CPPA in a Nutshell
What Will the CPPA Do?
The CPPA will be Canada's new private-sector privacy legislation, replacing the over 20-year-old Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA will maintain its provisions concerning electronic documents and be renamed the Electronic Documents Act.
The CPPA will focus on protecting individuals' personal information; it attempts to balance businesses' data needs and individuals' data protection by imposing obligations on organizations regarding data collection, storage, and distribution.[11]
The CPPA will align Canada's privacy legislation more closely with the European Union's General Data Protection Regulation (GDPR), which is expected to allow Canada to keep its recognition by the European Commission as providing an adequate level of protection for personal information.
Who Will the CPPA Affect?
The CPPA will apply to private-sector organizations (including associations, partnerships, persons, or trade unions) that collect, use, or disclose personal information as part of their business.[12]
The CPPA will not apply to the following:[13]
(a) Government institutions covered by the Privacy Act
(b) Individuals using personal information for personal/domestic purposes
(c) Organizations in respect of personal information collected, used or disclosed for journalistic, artistic, or literary purposes
(d) Organizations in respect of personal information collected, used or disclosed only for communicating with individuals regarding their employment, business, or profession
(e) Organizations exempted by regulation
What Are the General Obligations Under the CPPA?
Personal information collection, use or disclosure by organizations will be constrained to "appropriate purposes,"[14] which must be defined and documented prior to data collection.[15]
Organizations must generally obtain consent to collect, use, or disclose an individual's personal information.[16] Consent is not required in certain situations, including necessary business operations; investigations; law enforcement; public interest (such as communicating with next of kin); or where the applicable personal information is already publicly available.[17]
Organizations will be required to establish a privacy management program outlining their compliance with the CPPA.[18] Failure to meet these obligations can amount to maximum penalties of the higher of $10,000,000 or 3% of the organization's gross global revenue.[19] These numbers, however, are preliminary, and along with remedies and the Privacy Commissioner's powers generally represent the greatest area of debate.[20] As these develop, we will provide a fulsome exploration of all the possible penalties, how they differ from PIPEDA, and how that may affect organizations.
Monitoring the progress of the C-27 Amendments will be important to help Canadian organizations understand their obligations and what new privacy governance measures they will need to implement in the near future.
If you have any questions about the proposed amendments, please reach out to any member of our Intellectual Property group.
[1] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1545.
[2] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1545.
[3] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1620.
[4] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1535.
[5] CPPA, s 18(3); https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1605-1615.
[6] CPPA, s 122; https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1555 at 1555.
[7] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1555.
[8] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1555.
[9] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1555.
[10] CPPA, s 11(1).
[11] CPPA, Part 1, s 5, Summary.
[12] CPPA, s 2(1).
[13] CPPA, s 6(4).
[14] CPPA, s 12(1).
[15] CPPA, 12(3).
[16] CPPA, 15(1).
[17] CPPA, ss 18-28.
[18] CPPA, s 9.
[19] CPPA, s 95(4).
[20] https://www.ourcommons.ca/DocumentViewer/en/44-1/INDU/meeting-90/evidence at 1655-1705.