Monday, June 27, 2022

Video: Preparing for Canada's new Consumer Privacy Protection Act

The government of Canada tabled the Digital Charter Implementation Act, 2022 in the week before parliament rose for their summer break. While this is in limbo, what, if anything, should Canadian businesses be doing to prepare for the Consumer Privacy Protection Act?

In the week before the summer break, the Industry Minister tabled in parliament the Digital Charter Implementation Act, which will overhaul Canada’s federal private sector privacy law. It has been long anticipated and for many, long overdue. With parliamentarians off for the summer, what can we expect and what should businesses be doing to get ready for it?

I expect that when the house resumes, the bill will be referred to either the Standing Committee on Industry, which is where PIPEDA went more than 20 years ago, or to the Standing Committee on Access to Information, Privacy and Ethics.

I have to say that the current government is very unpredictable. When Bill C-11 was tabled in 2019 for the Digital Charter Implementation Act of 2019, the bill just sat there with no referral to committee and it seemed to not be a priority at all. If they are serious about privacy reform, they should get this thing moving when they are back in session.

When it gets to committee, the usual cast of characters will appear to provide comments. First up will be the minister of Industry and his staff. Then will be the privacy commissioner of Canada, who will only have had a few months in his office at that point. I would not be surprised to see provincial privacy commissioners have their say, and maybe even data protection authorities from other countries. Then industry and advocacy groups will have their say.

The Commissioner in 2019 was very critical of the C-11 version of the bill, and it appears that most of his suggestions have gone unheeded. I expect that between 2019 and now, there has been a lot of consultation and lobbying going on behind the scenes that resulted in the few changes between C-11 and C-27. It will be interesting to see how responsive the committee and the government are to making changes to the bill.

I would not be surprised to see this bill passed, largely in its current form, before the end of the year. But even if it speeds through the House of Commons and the Senate, I do not expect that we will see this law in effect for some time. In order for the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act to be fully in force, the government will have a lot of work to do.

The biggest effort will be standing up the new tribunal under the Personal Information and Data Protection Tribunal Act. Doing so will not be a trivial matter. At least three members have to be recruited, and at least three of those have to have expertise in privacy and information law. They’ll need offices, staff, a registry, IT infrastructure, then they’ll need to make their rules of procedure. I can’t see that taking any less than a year, even if the government is currently informally recruiting for those roles.

An example I’d look at is the College of Patent Agents and Trademark Agents, which was established pursuant to a bill passed in December 2018 and came into force on June 28, 2021. Essentially, it took two and a half years between the passing of the bill and when the College was open for business. The college was probably more complicated to set up than the tribunal, but it provides some insight I think.

Personally, I don’t think the CPPA can be phased in without the tribunal operating as a going concern. There are transitional provisions related to complaints that are being dealt with by the Commissioner prior to the coming into force of the CPPA, but otherwise the existence of the tribunal is essential to the operation of the CPPA and the Commissioner’s mandate.

So if I had to look into my crystal ball, I don’t think we’ll see this fully in effect for at least a year and a half.

So should companies be doing anything now? I think so. When the CPPA and the Tribunal Act come into effect, they will be fully in effect from the outset. In addition to making your politicians aware of any concerns you have, companies should be looking very closely at their current privacy management program – if any – to determine if it will be up to snuff.

Section 9 of the Act says that “every organization must implement and maintain a privacy management program that includes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Act, including policies, practices and procedures respecting

(a) the protection of personal information; (b) how requests for information and complaints are received and dealt with; (c) the training and information provided to the organization’s staff respecting its policies, practices and procedures; and (d) the development of materials to explain the organization’s policies and procedures.”

It then says “In developing its privacy management program, the organization must take into account the volume and sensitivity of the personal information under its control.”

This is, of course, very similar to the first principle of the CSA Model Code that’s in PIPEDA. But section 10 of the CPPA says the Commissioner can ask for it and all of its supporting documentation at any time.

I can imagine the OPC sending out requests for all of this documentation to a huge range of businesses shortly after the Act comes into force.

So what does a privacy management program include? It of course includes your publicly-facing privacy statement described in section 62. What has to be in this document will change a lot compared to PIPEDA. It has to explain in plain language what information is under the organization’s control and give a general account of how it uses that personal information.

If the organization uses the “legitimate interest” consent exception, the privacy statement has to include a description of that. If the organization uses any automated decision system to make predictions, recommendations or decisions about individuals that could have a “significant impact on them”, that has to be described. It also has to say whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications. You also have to state the retention periods applicable to sensitive personal information, then explain the process for questions, complaints, access requests and requests for deletion. Most privacy statements don’t currently include all this information.

You need to assess what personal information you have, where it is, who has it, who has access to it, what jurisdiction it is in or exposed to, how it is secured, when you collected it, what the purposes for that collection were, whether there are any new purposes, and whether those purposes have expired.

A good starting point for your privacy management program is to document all the personal information under the organization’s control and the purposes for which it is to be used. Section 12(3) of the CPPA requires that this be documented. You will also need to ensure that all of these purposes are appropriate using the criteria at section 12(2).

You’ll also want to review whether any of the consent exceptions related to business activities under 18(1) or legitimate interests in section 18(3) could be applicable, and document them.

Under s. 18(4), this documentation will have to be provided to the Commissioner on request.

You will also need to document the retention schedule for all of your personal information holdings, and make sure they are being followed. And remember, all information related to minors is deemed to be sensitive and the retention schedule for sensitive information has to be included in your privacy statement.

Next, you’ll want to inventory and document all of your service providers who are collecting, using or disclosing personal information on your behalf. You’ll need to review all of the contracts with those service providers to make sure each service provider provides a level of protection equivalent to the controlling organization’s own obligations. It should be noted that the definition of service provider in the Act expressly includes affiliated companies. So you’ll need to make sure that intercompany agreements are in place to address any personal information that may be transferred to affiliates.

You’ll want to check your processes for receiving questions, complaints and access requests from individuals. You may need to tweak your systems or processes to make sure that you can securely delete or anonymise data where required.

And last, but certainly not least, you’ll want to look very closely at your data breach response plans. The plan needs to ensure that all suspected data breaches are identified, properly escalated and reviewed. Any breach itself of course has to be stopped, mitigated and investigated. The details will need to be recorded, and you’ll also want to think about the processes for getting legal advice at that stage so that information you may want to keep privileged will be protected and you can understand your reporting and notification obligations.

At the end of the day, the CPPA is not a radical departure from the existing framework of PIPEDA. It requires greater diligence and what we in the privacy industrial complex call “privacy maturity”. Even if it didn’t, the significant penalties and the cost of dealing with investigations and inquiries by the Commissioner and possible hearings before the tribunal should be enough to convince organizations to up their privacy games.

Monday, June 20, 2022

Video: An overview of the Digital Charter Implementation Act, 2022

Finally, the government of Canada has tabled its long-awaited privacy law, intended to completely overhaul Canada’s private sector privacy law, and rocket the country to the front of the pack for protecting privacy. Not quite, but I’ll give you an overview of what it says.

Highlights

On June 26, 2022, the Industry Minister François Philippe Champagne finally tabled in the House of Commons Bill C-27, called the “Digital Charter Implementation Act, 2022”. This is the long-awaited privacy bill that is slated to replace the Personal Information Protection and Electronic Documents Act, which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001.

PIPEDA, contrary to what Minister Champagne said at the press conference later that day, has been updated a number of times but there really has been a broad consensus that it was in need of a more general overhaul.

The bill is very similar to Bill C-11, which was tabled in 2019 as the Digital Charter Implementation Act, 2019, and which languished in parliament until dying when the federal government called the last election.

The bill creates three new laws. The first is the Consumer Privacy Protection Act, which is the main privacy law. The second is the Personal Information and Data Protection Tribunal Act and the third is the Artificial Intelligence and Data Act, which I’ll have to leave to another episode.

I don’t plan to do a deep dive into the bill in this video, as I want to spend more time poring over its detailed provisions. We can’t just do a line-by-line comparison with PIPEDA, as the Bill is in a completely different structure than PIPEDA. You may recall that PIPEDA included a schedule taken from the Canadian Standards Association Model Code for the Protection of Personal Information. The statute largely said “follow that”, and there are a bunch of provisions in the body of the Act that modify those standards or set out how the law is overseen.

The most significant difference is what many privacy advocates have been calling for: the Privacy Commissioner is no longer an ombudsman. The law includes order-making powers and punitive penalties. The Bill also creates a new tribunal called the Personal Information and Data Protection Tribunal, which replaces the current role of the Federal Court under PIPEDA with greater powers.

Other than order-making powers, I don’t see much of a difference between what’s required under the new CPPA and what diligent, privacy-minded organizations have been doing for years.

This is a high-level overview of what’s in Bill C-27, and I’ll certainly do deeper dives into its provisions in later videos.

Does the law apply any differently?

PIPEDA applied to the collection, use and disclosure of personal information in the course of commercial activity and to federally-regulated workplaces. That hasn’t changed, but a new section 6(2) says that the Act specifically applies to personal information that is collected, used or disclosed interprovincially or internationally. The privacy commissioner had in the past asserted that this was implied, but it was never written in the Act. Now it will be. Two things about that are problematic: the first is that it’s not expressly limited to commercial activity, so there’s an argument that could be made that it would apply to non-commercial or employee personal information that crosses borders. The second dumb thing is that this means that a company with operations in British Columbia and Alberta, when it moves data from one province to another, not only has to comply with the substantially similar privacy laws of each province, but now also has to comply with the Consumer Privacy Protection Act. That seems very redundant.

It includes the same carve-outs for government institutions under the Privacy Act, personal or domestic use of personal information, journalistic, artistic and literary uses of personal information and business contact information.

We really could have benefitted from a clear extension of the Act to personal information that is imported from Europe so we can have confidence that the adequacy finding from the EU, present and future, really applies across the board.

It does have an interesting approach to anonymous and de-identified data. It officially creates these two categories. It defines anonymize as: “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” So there effectively is no reasonable prospect of re-identification. To de-identify data “means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” You’re essentially using data with the identifiers removed.

The legislation does not regulate anonymous data, because there is no reasonable prospect of re-identification. It does regulate de-identified data and generally prohibits attempts to re-identify it. The law also says that in some cases, de-identified data can be used or even has to be used in place of fully identifiable personal information.

What happened to the CSA model code?

When you look at the CPPA, you’ll immediately see that it is very different. It’s similar in structure to the Personal Information Protection Acts of Alberta and British Columbia, in that the principles of the CSA Model Code are not in a schedule but are in the body of the Act. And the language of these principles has necessarily been modified to be more statutory rather than the sort of language you see in an industry standards document.

Any changes to the 10 CSA Principles?

The ten principles themselves largely haven’t been changed, and this should not be a surprise. Though written in the 90’s, they were based on the OECD guidelines and we see versions of all the ten principles in all modern privacy laws.

What has changed is the additional rigor that organizations have to implement, or more detail that’s been provided about how they have to comply with the law.

For example, principle 1 of the CSA Model Code required that an organization “implement policies and practices to give effect to the CSA Model Code principles”. The CPPA explicitly requires that an organization have a privacy management program:

Privacy management program

9 (1) Every organization must implement and maintain a privacy management program that includes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Act, including policies, practices and procedures respecting

(a) the protection of personal information;

(b) how requests for information and complaints are received and dealt with;

(c) the training and information provided to the organization’s staff respecting its policies, practices and procedures; and

(d) the development of materials to explain the organization’s policies and procedures.

Volume and sensitivity

(2) In developing its privacy management program, the organization must take into account the volume and sensitivity of the personal information under its control.

This privacy management program has to be provided to the Privacy Commissioner on request.

With respect to consent, organizations expressly have to record and document the purposes for which any personal information is collected, used or disclosed. This was implied in the CSA Model Code, but is now expressly spelled out in the Act.

Section 15 lays out in detail what is required for consent to be valid. Essentially, it requires not only identifying the purposes but also communicating in plain language how information will be collected, the reasonably foreseeable consequences, what types of information and to whom the information may be disclosed.

I’ll have to save digging into the weeds for another episode.

Collection and use without consent

One change compared to PIPEDA that will delight some and enrage others is the circumstances under which an organization can collect and use personal information without consent. Section 18 allows collection and use without consent for certain business activities, where it would reasonably be expected to provide the service, for security purposes, for safety or other prescribed activities. Notably, this exception cannot be used where the personal information is to be collected or used to influence the individual’s behaviour or decisions.

There is also a “legitimate interest” exception, which requires an organization to document any possible adverse effects on the individual, mitigate them and finally weigh whether the legitimate interest outweighs any adverse effects. It’s unclear how “adverse effects” would be measured.

Like PIPEDA, an individual can withdraw consent subject to similar limitations that were in PIPEDA. But what’s changed is that an individual can require that their information be disposed of. Notably, disposal includes deletion and rendering it anonymous.

Law enforcement access

On a first review, it doesn’t look like there are many other circumstances where an organization can collect, use or disclose personal information compared to section 7 of PIPEDA.

In my view, it is very interesting that the exceptions that can apply when the government or the cops come looking for personal information have not changed from section 7(3) of PIPEDA. For example, the provision that the Supreme Court of Canada in R v Spencer said was meaningless is essentially reproduced in full.

44 An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.

The Supreme Court essentially said “what the hell does lawful authority mean?” And the government has made no effort to define it in Bill C-27. But that’s just as well, since companies should always say “come back with a warrant”.

Investigations

The big changes are with respect to the role of the Privacy Commissioner. The Commissioner is no longer an ombudsman with a focus on nudging companies to compliance and solving problems for individuals. The role has veered strongly towards enforcement.

As with PIPEDA, enforcement starts with a complaint by an individual, or the Commissioner can initiate it of his own accord. There are more circumstances under the CPPA where the Commissioner can decline to investigate. After the investigation, the matter can be referred to an inquiry.

Inquiries seem to have way more procedural protections for fairness and due process than under the existing ad hoc system. For example, each party is guaranteed a right to be heard and to be represented by counsel. They’ve always done this to my knowledge, but this will be baked into the law. Also, the commissioner has to develop rules of procedure and evidence that have to be followed. These rules have to be made public.

At the end of the inquiry, the Commissioner can issue orders to take measures to comply with the Act or to stop doing something that is in contravention of the Act. The Commissioner can continue to name and shame violators. Notably, the Commissioner cannot levy any penalties.

The Commissioner can recommend that penalties be imposed by the new Personal Information and Data Protection Tribunal.

The Tribunal

The legislation creates a new specialized tribunal which hears cases under the CPPA. It is expected that its jurisdiction will likely grow to include more matters. The “online harms” consultation that took place in the last year anticipated that certain questions would be determined by this tribunal as well.

Compared to C-11, the new bill requires that at least three of the tribunal members have expertise in privacy.

Its role is to determine whether any penalties recommended by the Privacy Commissioner are appropriate. It also hears appeals of the Commissioner’s findings, appeals of interim or final orders of the Commissioner and a decision by the Commissioner not to recommend that any penalties be levied.

Currently, under PIPEDA, complainants and the Commissioner can seek a hearing in the federal court after the commissioner has issued his finding. That hearing is “de novo”, so that the court gets to make its own findings of fact and determinations of law, based on the submissions of the parties. The tribunal, in contrast, has a standard of review that is “correctness” for questions of law and “palpable and overriding error” for questions of fact or questions of mixed law and fact. These decisions are subject to limited judicial review before the Federal Court.

So what about these penalties? They are potentially huge and I have a feeling that the big numbers were pulled out of the air in order to support political talking points that they are the most punitive in the G7. The maximum administrative monetary penalty that the tribunal can impose in one case is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.

The Act also provides for quasi-criminal prosecutions, which can get even higher.

The Crown prosecutor can decide whether to proceed as an indictable offence with a fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue or a summary offence with a fine not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue. If it’s a prosecution, then the usual rules of criminal procedure and fairness apply, like the presumption of innocence and proof beyond a reasonable doubt.