This post compares Bill C27 to Bill C11 and GDPR to CPPA
On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects individualsâ personal information and regulates organizationsâ privacy practices. Bill C27: Digital Charter Implementation Act, 2022 will implement the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001. While updated a number of times since it took effect, the broad consensus is that PIPEDA is in need of a general overhaul. The governmentâs first shot to do so was the 2019 Bill C-11: Digital Charter Implementation Act, 2019. However, Bill C-11 languished in Parliament, ultimately dying with the federal October 2019 federal election. The consensus at the time was that Bill C-11 required revision before it was passed in any event (though it did give organizations a sense of what to expect). Bill C27 is very similar, though not identical, to Bill C-11, and creates three new laws:
The Consumer Privacy Protection Act, the main privacy law that will replace PIPEDA, as did Bill C-11.
The Personal Information and Data Protection Tribunal Act, creating a new tribunal to replace the current role of the Federal Court under PIPEDA and enabling the new penalty regime, as did Bill C-11.
The Artificial Intelligence and Data Act, much of which will depend on regulations that havenât yet been released so itâs unknown what it will look like. This is a new addition to Bill C27 compared to Bill C-11 and doesnât exactly fit with the CPPA/Tribunal regulatory framework.
Hereâs a look at 12 key differences between the regulation of the collection, use and disclosure of personal information under PIPEDA, and under the newest version of the CPPA.
1. Complete Restructuring
The Bill C27 version of the CPPA, as was the Bill C-11 version, is a completely different structure compared to PIPEDA.
CSA Model Code. PIPEDA included a schedule taken from the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, and essentially said, âfollow thatâ. In contrast, the CPPA, similar in structure to the provincial Personal Information Protection Acts of Alberta and British Columbia, incorporates the CSA Model Codeâs 10 principles in the body of the actual Act rather than in a schedule. The 10 principles in the new Act are largely unchanged, except the language is necessarily modified so itâs more âstatutoryâ compared to that typically in an industry standards document. This isnât surprising; though written in the 90âs, the principles were based on the Organization for Economic Co-operation and Development (OECD) guidelines, and versions of all the ten principles exist in all modern privacy laws. What is changed, however, is the additional detail about what organizations must do to comply with the law.
Privacy Management Program. A prime example is principle 1 of the CSA model code. This required that an organization âimplement policies and practices to give effect to the CSA Model Code principlesâ. However, section 9 of the new CPPA explicitly requires that an organization implement and maintain a privacy management program that âincludes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Actâ. The CPPA further sets out particular policies, practices and procedures the program must cover and the factors the organization must take into account in developing its program. The organization must provide its privacy management program to the Privacy Commissioner on request.
Documenting Consent. Another example is with respect to documenting consent. The CSA Model Code implicitly required organizations to record and document the purposes for which they collect, use or disclose any personal information. The new CPPA expressly spells this requirement out. In addition, section 15 of the CPPA sets out in detail whatâs required for consent to be valid. Essentially, it requires not only identifying the purposes for which the personal information will be used, but also communicating in plain language: how the information will be collected; the reasonably foreseeable consequences of the proposed collection, use and disclosure; and what types of information will be disclosed and to whom.
The 2022 version of the CPPA will carry significant consequences for those that breach it.
Administrative Monetary Penalties. Bill C27 will implement significant penalties for non-compliance with the CPPA â though slightly different from those proposed in Bill C-11. The 2022 version of the CPPA authorizes a maximum administrative monetary penalty in one case of the higher of $10M and 3% of the organizationâs gross global revenue in its financial year before the one in which the penalty is imposed. The first version of the CPPA would have authorized administrative monetary penalties and fines of up to $25M or 5% of global revenue, whichever is higher. Currently, PIPEDA only authorizes penalties for violation of the Digital Privacy Actâs data breach response obligations, and those are still markedly lower than those under the CPPA: the maximum fine for breaching the Digital Privacy Act is $100,000 per violation (though if there were multiple violations, which would not be uncommon, the fines could add up).
Quasi-Criminal Prosecutions. The CPPA also provides for quasi-criminal prosecutions that can carry even higher financial consequences. The Crown prosecutor can decide whether to proceed by way of either: an indictable offence, with a fine not exceeding the higher of $25M and 5% of the organizationâs gross global revenue; or a summary offence, with a fine not exceeding the higher of $20M and 4% of the organizationâs gross global revenue. If there is a prosecution, the usual rules of criminal procedure and fairness, like the presumption of innocence and proof beyond a reasonable doubt, apply.
3. Enlarged Privacy Commissioner Role & PowersÂ
The most significant difference between PIPEDA and the CPPA, both in its Bill C-11 and Bill C27 forms, reflects what many privacy advocates have called for: a move away from the traditional ombuds model. Under the CPPA, the Privacy Commissioner is no longer an ombuds with a focus on nudging companies to compliance and solving problems for individuals; it has veered strongly towards enforcement â and a much more adversarial regime. As with PIPEDA, enforcement starts either with a complaint by an individual, or the Commissioner can initiate a complaint of their own accord. However, from that point on the process will change.
Investigation. The CPPA sets out more circumstances than did PIPEDA in which the Commissioner can decline to investigate. After the investigation, the Commissioner can refer the matter to an inquiry.
Inquiries. Inquiries have many more procedural protections for fairness and due process than under PIPEDAâs ad hoc system. For example, the CPPA guarantees each party a right to be heard and to be represented by counsel. While in practice this has typically occurred, it will be required under the CPPA. In addition, the CPPA requires the Privacy Commissioner to develop rules of procedure and evidence, make then public, and follow them.
Orders. At the end of the inquiry, the Commissioner can issue compulsory orders of measures a party must take to comply with the CPPA or orders it stop doing something that contravenes the CPPA. Under PIPEDA, the Privacy Commissioner only has the power to make recommendations to a breaching organization. As under PIPEDA, the Commissioner can also continue to name and shame violators. Notably, the Commissioner canât itself levy any penalties, but they can recommend that the new Privacy and Data Protection Tribunal do so.
4. New Personal Information and Data Protection Tribunal
Bill C27 implements a new, specialized âPersonal Information and Data Protection Tribunalâ to replace the current role of the Federal Court under PIPEDA â with greater powers.
Appeals. The CPPA will allow organizations accused of violating the CPPA a new right to appeal the Privacy Commissionerâs findings, interim orders and final orders. Under PIPEDA, only complainants and the Commissioner can seek a hearing in the Federal Court after the Commissioner has issued their finding.
Role. The Tribunalâs role is to determine whether any penalties recommended by the Privacy Commissioner are appropriate. It also hears appeals of the Privacy Commissionerâs findings, interim or final orders, and decisions not to recommend any penalties be levied. Under PIPEDA, a Federal Court hearing after the Commissioner has issued their finding is âde novoâ (new): the Court starts fresh and makes its own findings of fact and determinations of law, based on the partiesâ submissions. In contrast, the Tribunal will review the Commissionerâs decision under a stricter standard: âcorrectnessâ for questions of law; and âpalpable and overriding errorâ for questions of fact or questions of mixed law and fact. Practically, this means that while organizations that collect, use or disclose personal information will now have the opportunity to appeal the Commissionerâs decision, that appeal will be subject to a stricter standard of review. The Tribunalâs decisions are subject to limited judicial review before the Federal Court.
Jurisdiction. While the Tribunalâs jurisdiction is currently limited to the CPPA, itâs expected that will grow. For example, the âonline harmsâ consultation of the last year anticipated that the Tribunal would also review determinations made under the relevant legislation.
Members. Bill C27 requires that at least three of the Tribunal members have expertise in privacy.
CPPA applies to the collection, use and disclosure of personal information during commercial activity and to employee information of federally regulated organizations. The Bill C27 version of CPPA also applies to all personal information an organization collects, uses, or discloses interprovincially or internationally. In the past, the federal Privacy Commissioner asserted this was implied under PIPEDA; itâs now expressly stated. There are some carve-outs for government institutions under the federal Privacy Act, for personal or domestic, journalistic, artistic and literary uses of personal information and for business contact information. This expanded application reflects the increased digitization and globalization of the economy, that knows no border, and that the COVID-19 Pandemic accelerated. However, there are two problematic aspects to this expansion:
Breadth. Itâs not limited to commercial activity, so an argument could be made that it applies to non-commercial or employee personal information (which would otherwise be beyond the scope of the law) that crosses borders.
Redundancy & Duplication. For organizations with operations in Quebec, British Columbia and in Alberta (the only Canadian provinces with provincial general privacy legislation thatâs substantially like PIPEDA), it must now comply not only with the substantially similar provincial privacy laws of both provinces, but also with the CPPA, when it moves data from one province to another.
CPPA fails to fill the cross-border gap that also exists under PIPEDA: it doesnât expressly extend to personal information imported into Canada from the European Union under an EU adequacy finding. Under the General Data Protection Regulation (GDPR), organizations can only export from the EU personal data to countries the EU determines have adequate protections. So, an EU adequacy finding still only applies to the extent the CPPA, as does PIPEDA, covers. A clear extension of the CPPA to personal information imported from Europe would have been beneficial to ensure confidence that the adequacy finding from the EU, present and future, applies across the board.Â
6. Statutory Right of Action
Bill C27 version of the CPPA creates a new privacy breach legal claim. An individual can sue an organization (within two years of the Commissionerâs finding) for compensation where the Privacy Commissioner decides the organization violated the individualâs privacy under the CPPA, and the Personal Information and Data Protection Tribunal upholds that finding. While PIPEDA limits any action to recover compensation for a violation of privacy to the Federal Court, the CPPA will also allow individuals to file such actions in the superior court of a province. However, the wording of the CPPA makes it unclear whether a violator is also exposed to class action liability.
7. Data Portability & Deletion
Both versions of the CPPA provide for new individual rights of data portability and deletion. Consumers can require an organization to transfer their data to another organization (subject to regulations that arenât yet available), likely a boon to open banking. Bill C27 version of the CPPA narrows the data portability provisions compared to that in the Bill C-11 version by requiring that data portability be connected to a âdata mobility frameworkâ. Individuals can also require that an organization delete the personal information itâs collected about them, subject to some limitations, in what appears to be a limited form of the âright to erasureâ.
8. Algorithmic Transparency
Bill C27 CPPA requires algorithmic transparency. Individuals will have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision about the individual that could have a significant impact on them.
9. Collection, Use & Disclosure Without Consent
When can an organization collect, use and disclose personal information without consent.
Certain Business Activities. The CPPA allows collection and use without consent for certain business activities where it would reasonably be expected to provide the service, for security purposes, for safety, or for other prescribed activities. Notably, an organization canât use this exception where the personal information is to be collected or used to influence the individualâs behaviour or decisions.
Legitimate Interest. Thereâs also a âlegitimate interestâ exception to consent for collection, use and disclosure requiring an organization to document any possible adverse effects on the individual, mitigate them, and finally weigh whether the legitimate interest outweighs any adverse effects. However, itâs unclear how âadverse effectsâ will be measured.
Consent Withdrawal & Disposal. The CPPA allows an individual to withdraw consent and require that an organization dispose of their information; notably, disposal includes deletion and rendering the data anonymous.
10. No Change to Access by Law Enforcement (Yet)Â
Surprisingly, the exceptions that can apply when the government or policing authorities seek personal information from an organization remain the same as those in section 7(3) of PIPEDA. Section 44 says,
An organization may disclose an individualâs personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.
11. Anonymizing & De-Identifying Data
As did the Bill-C11 version of the CPPA, the Bill C27 version of CPPA makes new rules around the de-identification of data â including allowing for organizations to use an individualâs personal information without their consent in order to de-identify their data â but appears to limit other uses of de-identified data. Under certain circumstances, organizations can also disclose de-identified data to public entities for socially beneficial purposes. However, the CPPA now takes an interesting approach to anonymous and de-identified data by officially creating two separate categories:
Anonymize. To anonymize is defined as âto irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.â So, effectively thereâs no reasonable prospect of re-identification. The CPPA doesnât regulate anonymous data because, by definition, thereâs no reasonable prospect of re-identification.
De-identify. To de-identify data means âto modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.â So, youâre essentially using data with the identifiers removed. The CPPA does regulate de-identified data and generally prohibits attempts to re-identify it. It also says that in some cases, de-identified data can be used or even has to be used in place of fully identifiable personal information.
As did the Bill C-11 version of the CPPA, the Bill C27 CPPA introduces the concept of âCodes of Practiceâ. Notwithstanding the requirement for a privacy management program, the CPPA allows private organizations to establish a âcodeâ and internal certification programs for complying with the CPPA, which the Privacy Commissioner will approve. Once approved, this âcodeâ will effectively establish the organizationâs legal compliance obligations.
Let's take a closer look at where GDPR and CPPA differ and converge. (simplified)
We will list where the CPPA and GDPR intersect or diverge. Under the CPPA, the federal privacy commissioner has the power to investigate, and prosecute, if necessary, any organisation that violates the framework imposed by the CPPA, much like GDPR. The penalties are like those under GDPR (discussed later in this article).
*If it is in both GC will appear, if it is in CPPA a C, GDPR a GÂ
Any organisation that collects user data (Data Collector [DC]) must obtain the users (Data Provider [DP]) full consent, in how the data is collected, used or disclosed. (GC)
An individual would have the right to request access to their personal data that is held by any organisation. (GC)
The data must be deleted by the organisation, if requested to do so by the provider. (GC)
An employer should inform an individual upon request that is holds personal data about them, whether they have used it, and if so, how it has been used. The organisation should also inform the individual if the data has been disclosed. Exceptions apply. (C)
The CPPA is a part of Bill C27 in Canada, and is meant to work in conjunction with other legislations around privacy (PIPEDA) and spam (CASL). Also, as noted above, CPPA follows closely the rules of GDPR. The one critical aspect of this is that it takes user privacy more seriously, and breaches of that privacy, will be severely penalised.
The collection, use and disclosure of personal data requires overt consent. (GC)
Consent cannot be âimpliedâ it needs to be explicit. (GC)
The purpose and use of the data must be explained in clear terms. (GC)
There are exemptions from consent under very specific circumstances (GC)
There are increased transparency requirements imposed regarding the use of algorithms and AI systems, requiring organisations to justify why a specific prediction, recommendation or decision was made by an algorithm. Based on the collection of the data providers personal data. (C )Â
Personal Information and (De)Identifiers
It also includes much clearer guidelines on what makes up data identifiers and what can be done with regards to use or non-use regarding sensitive personal data. (GC)Â
The CPPA, like the GDPR, clearly makes it the responsibility of the data consumer/organisation to ensure that data is used and stored properly. This includes data that is transferred to another organisation (regardless of the relationship between the organisations). This means that transferring data
inter-provincially or internationally have the same implications. (GC)Â
Minimum: CAD 10 M or 3% of global revenue, whichever is greater.
Maximum: CAD 25 M or 5% of global revenue, whichever is greater.
Minimum: ⏠10 M or 2% of global revenue, whichever is greater.
Maximum: ⏠20 M or 4% of global revenue, whichever is greater.
A consumer that has been affected by the violation of CPPA has the right to sue for damages with a private right of action. A two-year limit would apply, and proof must be clear on exactly how the organisation violated the CPPA. The exception is if the organisation was already fined by the CPPA.
Under GDPR an organisation must report a detected breach within 72 hours, or face penalties. From what we can find there is no such specific requirement under CPPA.
The two legislations are very similar and provide a great deal more protection for the consumer. They also make it clear that organisations are not owners of a consumerâs personal data. They are only custodians of it, with the express consent of the consumer,
which can be revoked at any time.
We work with organisations to protect data more strongly. That way if they do get breached, the breached data is unusable to the breacher. This means your data is safe.
