In today’s digital society, we give our personal information to organizations all of the time, sometimes unknowingly. Even when we provide an organization with consent to collect our personal information, we often do not know how it is being used or whether it is being shared with others.
Other jurisdictions have stringent measures on the collection, use and disclosure of personal information. In May 2018, the European Union implemented the General Data Protection Regulation (“GDPR”). This was significant in the global effort to drag privacy law into the digital era.
Prior to its enactment, governments around the world had been trying to fit a square peg into a round hole, applying pre-digital and pre-internet legal precedent on privacy to a world that had dramatically changed. The GDPR has been held up as a model for regulation of personal information, and a laudable attempt to strike that key balance between privacy and economic activity.
Now it looks as if Canada may soon have its own answer to these 21st century challenges, in the form of Bill C-11, which had its first reading on November 17, 2020. Bill C-11 would replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and would introduce real and significant changes to the law of privacy in this country.
Consumer Privacy Protection Act
Part of the Bill is the introduction of the Consumer Privacy Protection Act (“CPPA”). The CPPA’s stated purpose echoes the push and pull between personal privacy and business operations:
…to establish — in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information — rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
While the CPPA sets out to strike a balance between privacy and economic activity, the key sections of the Act clearly tilt the playing field in favour of consumer rights and remedies.
A key purpose of the CPPA is the accountability of organizations. Similar to PIPEDA, every organization will have to implement a privacy management program. This will include putting into place policies, practices and procedures regarding:
(a) the protection of personal information;
(b) how requests for information and complaints are received and dealt with;
(c) the training and information provided to the organization’s staff respecting its policies, practices and procedures; and
(d) the development of materials to explain the organization’s policies and procedures put in place to fulfil its obligations.
Organizations will have to take the following factors into account when determining whether a “reasonable person” would consider it appropriate to collect, use or disclose personal information:
(a) the sensitivity of the personal information;
(b) whether the purposes represent legitimate business needs of the organization;
(c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
(e) whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
As with PIPEDA, consent is needed to collect, use or disclose an individual’s personal information, but this requirement is expressed in stronger terms in the CPPA.
The CPPA provides for fines and penalties that are much more significant than those under PIPEDA. An organization found not in compliance with the Act can face penalties of up to $10,000,000 or 3% of the organization’s gross global revenues (whichever is higher). If an organization knowingly breaches certain sections of the Act that relate to the reporting of privacy breaches, or interferes with the Privacy Commissioner of Canada’s investigation, it may face penalties of up to $25,000,000 or 5% of gross global revenues (whichever is higher).
Further, the CPPA introduces a statutory private right of action for individuals affected by breaches of the Act. The relevant section of the proposed Act reads in part as follows:
Damages — contravention of Act
106 (1) An individual who is affected by an act or omission by an organization that constitutes a contravention of this Act has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the contravention if
(a) the Commissioner has made a finding under paragraph 92(1)(a) that the organization has contravened this Act…
Such a cause of action would only arise if a finding by the Privacy Commissioner of Canada (“Commissioner”) that the Act was breached is either not appealed, or the appeal is dismissed.
A plaintiff would need to show that damages or injury resulted from the breach of the CPPA. This represents a new horizon for litigants, in terms of articulating loss and damage in the context of collection, use, or disclosure of personal information. It can be anticipated that actions commenced pursuant to the CPPA will borrow heavily from the case law on the tort of intrusion upon seclusion, and specifically the idea that a breach of privacy itself, in certain contexts, entitles an individual to compensable damages.
Personal Information and Data Protection Tribunal Act
The second proposed piece of legislation forming part of Bill C-11 is the Personal Information and Data Protection Tribunal Act (“PIDPT”). The PIDPT would create a new body (“the Tribunal”) that would be responsible for ordering the penalties outlined above for breach of the CPPA. The Commissioner would have the power to find that a breach of the CPPA had occurred and to order an organization to comply with the Act.
Jurisdiction to order penalties under the CPPA, however, would rest exclusively with the Tribunal. If a matter is brought before it by either the organization or the Commissioner, the Tribunal would have the right to seek submissions from both. It would have the power to order penalties regardless of whether the Commissioner recommended that penalties be imposed.
Bill C-11 outlines a number of other requirements on organizations as relate to the collection, use, and disclosure of personal information. For example, the Bill seeks to clarify the circumstances in which personal data may be exchanged and shared across borders, and clarifies to some extent the circumstances that amount to proper collection, use and disclosure of personal information.
On the other hand, Bill C-11 makes it easier for individuals to access and transfer their own information that is held by an organization, so that it can be reviewed and challenged by the individual.
Response from the Commissioner
Bill C-11 has only passed first reading, so there is much debate still to be had on the form and content of the proposed Acts and the other changes within. The Commissioner will be called upon to provide submissions to Committee on the legislation, but on November 19, 2020, he already published his preliminary thoughts.
The Commissioner’s impression is primarily supportive of Bill C-11, pointing to the clarity of the proposed Acts, and to the fact that the Bill would provide the Commissioner with real powers to issue orders.
The Commissioner did, however, express some hesitation regarding the fact that the penalties to back up these orders would lie with a different body (the Tribunal). He also expressed concern that this additional layer of bureaucracy would impact the remedies available to individuals affected by breaches of the new Act.
Brave New Digital World
Most of the commentary surrounding Bill C-11 has been positive. There is recognition that legislation of this nature was long overdue, and that it is high time that Canada follows the lead of the European Union and its GDPR.
If there is surprise at the proposed Bill, it is with respect to its ambition: in its current form, it is a genuine attempt to provide robust protection to individuals. The creation of a private right of action is an interesting addition that will be brought before the courts by eager litigants if Bill C-11 receives Royal Assent. We will see how it all plays out, and whether other countries follow suit with similar legislation.