Report on Supply Chain Compliance 3, no. 23 (December 10, 2020)
The Canadian government introduced a bill into Parliament Nov. 17, the Digital Charter Implementation Act of 2020, that makes a number of changes and clarifications to Canada’s existing data privacy regulatory framework. The bill would establish a new privacy law (the Consumer Privacy Protection Act) and create the Personal Information and Data Protection Tribunal. The Consumer Privacy Protection Act lays out the changes to existing law, while the Tribunal acts as an enforcer of the law and an interlocutor between private enterprise, the government and private citizens.
The act applies to any organization in respect of personal information:
That collects, uses or discloses such information “in the course of commercial activities.”
That is “about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”
That is “collected, used or disclosed interprovincially or internationally.”
That is “collected, used or disclosed by an organization within a province, to the extent that the organization is not exempt from the application of this Act under an order made under paragraph 119(2)(b).”
The proposed act defines personal information as “information about an identifiable individual.” This is the same as the definition found in the GDPR. The GDPR also goes into detail regarding the meaning of an “identifiable” individual, and companies should refer to those definitions to gain a deeper understanding of the regulatory burden under this proposed law.
The critical requirements for companies to be aware of are the privacy management program and the obligation to designate a responsible individual. The law requires that companies put together a compliance program specifically tailored toward data security. All of the standard elements of a compliance program may be a part of the privacy management program, including policies and procedures, training and education, and auditing and monitoring. The designated individual is essentially the go-to person for data security in the event of a complaint, breach or other action.
The act provides a list of factors companies must take into account when considering whether to collect, use or disclose personal information:
the sensitivity of the personal information;
whether the purposes represent legitimate business needs of the organization;
the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
The act also contains an extensive list of exemptions (cases for which companies are not required to obtain meaningful consent from individuals whose personal information they are collecting, using or disclosing). These exemptions include various business activities, such as:
an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
an activity that is necessary for the organization’s information, system or network security;
an activity that is necessary for the safety of a product or service that the organization provides or delivers;
an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and
any other prescribed activity.
There are many more exemptions listed in the proposed bill. It seems that businesses may have many options to choose from when categorizing the personal information they use, collect or disclose as requiring or not requiring meaningful consent.
Canada’s proposed privacy bill creates new burdens for companies, including a privacy-focused compliance program, the designation of a responsible individual and some notification requirements.
Companies should study the exemptions regarding obtaining meaningful consent with legal counsel.
1 Government of Canada, “New proposed law to better protect Canadians’ privacy and increase their control over their data and personal information,” news release, November 17, 2020, https://bit.ly/2Vi85TZ.
2 Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2nd Session, 43rd Parliament, 2020, https://bit.ly/2VkHLbC.
3 Council Regulation 2016/679, General Data Protection Regulation, 2016 O.J. L119, art. 4, https://bit.ly/2Vy4D7R.
4 Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.