The goal of PIPEDA was to allow the continued flow of data from the EU after it had passed the original Privacy Directive, but this has taken on new importance since the Court of Justice of the EU's “Schrems II” decision. That decision did not touch on Canada’s adequacy but, clearly, the EU’s expectations have increased since the General Data Protection Regulation came into force, and the mandate of the European Data Protection Board is to review all adequacy findings.
The proposed changes will be implemented through the Digital Charter Implementation Act, which amends a number of pieces of legislation. First, Part 1 renames the law as the Consumer Privacy Protection Act. Part 2 establishes a specialized privacy and data protection tribunal through the Personal Information and Data Protection Tribunal Act.
Key features of the reforms:
- Privacy management program: Section 9 requires organizations to maintain a privacy management program setting out the policies and procedures the organization uses to protect personal information, deal with privacy complaints, train personnel, and develop materials that explain the organization’s policies and procedures. It also allows the OPC “on-demand” access to these policies.
- Appropriateness: As Valencia IIP Advisors Managing Director of Privacy Michael Power points out, while there are no provisions explicitly addressing privacy risk assessment or privacy by design, Section 12 outlines factors for the appropriateness of processing and calls for an assessment of the proportionality of the loss of privacy against the benefits, as mitigated by organizational measures.
- Meaningful consent: PIPEDA is already a consent-based regime. The new act codifies guidance from the privacy commissioners, who have made clear that their approach to consent mirrors the GDPR. It also removes the burden of having to obtain consent when doing so would not provide any meaningful privacy protection.
- Legitimate interests: Section 18 codifies the circumstances in which an organization does not have to rely on consent, such as where obtaining consent from the person would not reasonably be required, for instance to deliver a requested service, or where the processing is required for the organization to protect itself.
- Automated decision-making: PIPEDA is ill-suited to address automated or algorithmic decision-making. The CPPA provides for algorithmic transparency and the right of individuals to require an explanation of how automated decisions about them were made.
- Deidentified information: PIPEDA’s definition of personal information as being “information about an identifiable individual” has presented challenges in the era of Big Data. The proposed legislation takes a more risk-based approach, allowing for the use of deidentified information and clarifying when it can be used without consent.
- Data portability/mobility: Individuals would be given the right to transfer their data from one organization to another. Also, there is the concept of “data mobility frameworks” to be approved by regulation as secure mechanisms for enabling mobility.
- Right to erasure: As discussed during Bains’ briefing, the CPPA will permit individuals to require organizations, including social media companies, to delete their data, and will allow individuals to withdraw consent for the use of their information.
- Enhanced enforcement and oversight: Those familiar with PIPEDA are aware of the OPC’s limited enforcement powers under that law. The OPC currently operates in a largely ombudsman capacity. It can investigate and report upon complaints, make recommendations and enter into compliance agreements with organizations, but it has no power to levy fines. The CPPA remedies this by providing order-making powers and penalties, including orders for the cessation of processing activities.
- As mentioned above, the Personal Information and Data Protection Tribunal would potentially offer a “quicker” and less formal path to enforcement of the OPC’s orders, which would now be given the effect of a Federal Court order.
- Administrative monetary penalties may be ordered up to 3% of global revenue or C$10 million for noncompliant organizations. The draft legislation also contains an expanded range of offenses for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or C$25 million (approximately US$19 million).
- Codes of practice and certification: The CPPA would permit the approval of codes of practice and certification for certain activities and sectors, and would also provide certain protections to participants in relation to complaints and orders.
- A private right of action: Individuals will be able to sue for a privacy violation if the OPC finds that there has been a privacy violation and the finding is upheld by the tribunal. It is worth noting that harms under Canadian law are not limited to financial harms; what remains open is how this may play out in a class proceeding context.
- Transfers to service providers: The issues relating to consent that arose in the Equifax decision are resolved by providing that consent is not required where a transfer is made to a service provider (s. 19).
What remains to be seen now is how this new legislation will (or won’t) integrate with provincial laws. Quebec has tabled changes to make its law very GDPR-like; BC, before its election, was also considering changes; and Alberta has announced plans to update its health privacy law.
As noted above, Ontario initiated consultations in the summer for its own possible private sector privacy law. A major challenge for any federal system is how to respect the constitutional divisions of power while providing a national framework that supports intrajurisdictional (provincial) trade and consistency. Due to the work of our commissioners and our principles-based laws, we have had remarkable consistency in the interpretation and application of privacy laws across Canada. Given this history, there is likely little appetite for a complex, patchwork approach, particularly given the current economic climate.
Another significant threshold we have to address is EU adequacy. Bains touched on this in his briefing by discussing interoperability with the GDPR, and the need to retain adequacy. Many of the issues that “Schrems II” raised in relation to the EU-U.S. Privacy Shield agreement are not quite so serious for Canada to overcome but must still be addressed.
We are only at the beginning of serious discussions on how to structure privacy in Canada’s federal system and meet the CPPA’s many goals. But one thing is certain: If and when the Digital Charter Implementation Act receives royal assent, it will fundamentally change the privacy landscape in Canada.
