On June 16, 2022, the federal government introduced Bill C-27, the Digital Charter Implementation Act, 2022 (Bill C-27 or Bill). If passed, the Bill would significantly reform federal private-sector privacy law. Bill C-27 is the successor to the federal government’s earlier proposal, Bill C-11, which was introduced in 2020 but died on the order paper as a result of the 2021 federal election.
Like the 2020 proposal, Bill C-27 would, if passed:
Repeal parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that regulate the processing of personal information and enact a new Consumer Privacy Protection Act (CPPA or Act)
Enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and impose penalties for contravention of certain of its provisions
The Bill would also introduce rules to regulate “high-impact” artificial intelligence systems in the private sector under the new Artificial Intelligence and Data Act (AIDA). Be sure to read our companion Blakes Bulletin on the proposed AIDA.
Below we outline the most significant new proposals contained in the Bill. The proposed CPPA is similar in many respects to the 2020 proposal but provides more clarity for organizations to understand their data governance obligations.
NEW EXCEPTION FOR LEGITIMATE BUSINESS INTERESTS
Bill C-11 was criticized by some for proposing expanded exceptions from the requirement to obtain valid consent to collect and use personal information for certain “business activities.” The approach taken in Bill C-27 to exempted “business activities” is narrower. It also seeks to align the federal legislation with the European Union’s General Data Protection Regulation (GDPR) by creating a new exception for “legitimate business interests.”
If passed as currently drafted, the CPPA would permit organizations to collect or use personal information without an individual’s knowledge or consent for purposes in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual. This exception is similar to Article 6(1)(f) of the GDPR, which provides that an organization’s legitimate interests are a lawful basis for processing personal data.
The CPPA would require organizations to undertake and keep a record of its assessment of how it identified whether any potential adverse effect on an individual is likely to result from the collection or us and the reasonable measures taken to reduce the likelihood of those effects occurring or to mitigate or eliminate them. Organizations would also be required to comply with any prescribed requirements.
This new proposal supports the federal government’s goal of implementing an agile regulatory framework for the data-driven economy. It does this by reducing the number of situations an organization is required to obtain consent in the ordinary course of business.
CLARIFICATION ON ANONYMIZED AND DEIDENTIFIED INFORMATION
In the data-driven economy, organizations regularly rely on deidentified or anonymized information to analyze operations, develop new products and respond to customer needs. Currently, PIPEDA does not define anonymous or deidentified information. It also does not provide clarity on whether anonymized or deidentified information is considered personal information. Bill C-27 proposes to expressly define these processes in the CPPA as follows:
Anonymize would mean to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.
Deidentify would mean to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.
Subject to limited exceptions, deidentified personal information would be considered “personal information” under the CPPA. Bill C-27 thankfully clarifies that anonymized information would not be subject to the Act.
BUSINESS TRANSACTION EXEMPTION
Like Bill C-11, Bill C-27 would require parties to first deidentify personal information if they intend to rely on the prospective business transaction exemption to use and disclose personal information without consent. However, Bill C-27 introduces the following combined exemptions from this requirement:
If deidentifying the information would undermine the objectives for carrying out the transaction
If the seller has considered the risk of harm to the individual that could result from using or disclosing the personal information
OBLIGATIONS WHEN USING SERVICE PROVIDERS
Like the federal government’s 2020 proposal, the CPPA requires organizations to ensure, by contract or otherwise, that their service providers protect personal information. However, the standard has been revised to require “equivalent” protection of that information rather than “substantially the same level” of protection. This could be seen as setting a higher or more rigid standard for organizations to meet.
Bill C-27 expands the list of potential violations that could result in an administrative monetary penalty beyond what was contemplated under Bill C-11. The updated list includes violations of:
The requirement for service providers to implement equivalent protections to personal information
The requirement to implement and maintain a privacy management program in compliance with the Act
The requirement to inform individuals of the consequences of consent withdrawal and to implement withdrawal as soon as possible
Bill C-27 expands the Privacy Commissioner of Canada’s powers to include the ability to provide guidance on or recommend that corrective measures be taken in relation to an organization’s privacy management program.
Bill C-27 would also require that the Privacy Commissioner of Canada consider the purpose of the Act when exercising any powers and performing any duties under the Act. This is in addition to considering the size and revenue of the organization and the volume and sensitivity of data processing. The requirement to consider the purpose of the Act may help to promote a more balanced interpretation of the Act.
CLARIFICATION OF DATA-SUBJECT RIGHTS
Right to Deletion
Unlike Bill C-11, Bill C-27 would expand the right to request that an organization dispose of personal information to include all personal information “under the organization’s control” as opposed to just “personal information that is has collected from the individual.” However, Bill C‑27 introduces some exceptions to the right of disposal, including where:
A request is vexatious or made in bad faith
The information is scheduled to be disposed of in accordance with the organization’s information retention policy (unless the information relates to a minor)
The information is required for a legal proceeding
The information is not severable
Algorithmic Transparency Rights
Bill C-27 also limits CPPA’s algorithmic transparency requirements to automated decision systems that could have a “significant impact” on individuals. It is currently unclear whether the evaluation of “significant impact” would align with AIDA’s definition of a “high-impact system.” Bill C-27 outlines that, on request, organizations must provide an explanation that indicates the type of personal information that was used to make the prediction, recommendation or decision; the source of the information; and the reasons or principal factors that led to the prediction, recommendation or decision.
DATA PROTECTION TRIBUNAL
Bill C-27 maintains most of the proposals related to the structure of the Personal Information and Data Protection Tribunal (Tribunal) that were previously introduced under Bill C-11. However, Bill C-27 elevates the Tribunal’s powers and orders as analogous to that of a superior court of record.
Bill C-27 is expected to be debated in the House of Commons in Fall 2022, and further amendments may be proposed.
Stay tuned for further updates throughout the summer detailing the impact of specific proposals in Bill C-27 on Canadian businesses.