Monday, June 20, 2022

Video: An overview of the Digital Charter Implementation Act, 2022

Finally, the government of Canada has tabled its long-awaited privacy bill, intended to completely overhaul Canada’s private sector privacy law and, if you believe the talking points, rocket the country to the front of the pack for protecting privacy. Not quite, but I’ll give you an overview of what it says.

Highlights

On June 16, 2022, the Minister of Innovation, Science and Industry, François-Philippe Champagne, finally tabled in the House of Commons Bill C-27, called the “Digital Charter Implementation Act, 2022”. This is the long-awaited privacy bill that is slated to replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001.

PIPEDA, contrary to what Minister Champagne said at the press conference later that day, has been amended a number of times over the years, but there has nonetheless been a broad consensus that it was in need of a more general overhaul.

The bill is very similar to Bill C-11, the Digital Charter Implementation Act, 2020, which was tabled in November 2020 and languished in Parliament until it died on the order paper when the federal government called the last election.

The bill creates three new laws. The first is the Consumer Privacy Protection Act (CPPA), which is the main privacy law. The second is the Personal Information and Data Protection Tribunal Act, and the third is the Artificial Intelligence and Data Act, which I’ll have to leave to another episode.

I don’t plan to do a deep dive into the bill in this video, as I want to spend more time poring over its detailed provisions. We can’t just do a line-by-line comparison with PIPEDA, because the bill is structured completely differently. You may recall that PIPEDA included a schedule taken from the Canadian Standards Association Model Code for the Protection of Personal Information. The statute largely said “follow that”, and a number of provisions in the body of the Act modified those standards or set out how the law is overseen.

The most significant difference is one that many privacy advocates have been calling for: the Privacy Commissioner is no longer an ombudsman. The law includes order-making powers and punitive penalties. The bill also creates a new tribunal, the Personal Information and Data Protection Tribunal, which takes over the role the Federal Court currently plays under PIPEDA, with greater powers.

Other than the order-making powers and penalties, I don’t see much difference between what’s required under the new CPPA and what diligent, privacy-minded organizations have been doing for years.

This is a high-level overview of what’s in Bill C-27, and I’ll certainly do deeper dives into its provisions in later videos.

Does the law apply any differently?

PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity and to federally-regulated workplaces. That hasn’t changed, but a new section 6(2) says that the Act specifically applies to personal information that is collected, used or disclosed interprovincially or internationally. The Privacy Commissioner had in the past asserted that this was implied, but it was never written in the Act. Now it will be. Two things about that are problematic. The first is that it’s not expressly limited to commercial activity, so an argument could be made that it applies to non-commercial or employee personal information that crosses borders. The second, frankly dumb, consequence is that a company with operations in British Columbia and Alberta that moves data from one province to the other not only has to comply with the substantially similar privacy laws of each province, it now also has to comply with the Consumer Privacy Protection Act. That seems very redundant.

It includes the same carve-outs as PIPEDA for government institutions covered by the Privacy Act, for personal or domestic use of personal information, for journalistic, artistic and literary uses of personal information, and for business contact information.

We really could have benefitted from a clear extension of the Act to personal information that is imported from Europe, so that we could have confidence that the EU’s adequacy finding, present and future, really applies across the board.

It does have an interesting approach to anonymous and de-identified data, and officially creates these two categories. It defines “anonymize” as: “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” So there effectively is no reasonable prospect of re-identification. To “de-identify” data means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” You’re essentially using data with the direct identifiers removed, but where indirect re-identification is still possible.

The legislation does not regulate anonymized data, because there is no reasonable prospect of re-identification. It does regulate de-identified data and generally prohibits using it to identify an individual. The law also says that in some cases de-identified data can be used, or even has to be used, in place of fully identifiable personal information.

What happened to the CSA model code?

When you look at the CPPA, you’ll immediately see that it is very different. It’s similar in structure to the Personal Information Protection Acts of Alberta and British Columbia, in that the principles of the CSA Model Code are not in a schedule but are in the body of the Act. And the language of these principles has necessarily been modified to read like a statute rather than like an industry standards document.

Any changes to the 10 CSA Principles?

The ten principles themselves largely haven’t been changed, and this should not be a surprise. Though written in the 1990s, they were based on the OECD guidelines, and we see versions of all ten principles in all modern privacy laws.

What has changed is the additional rigour organizations have to implement, and the greater detail provided about how they have to comply with the law.

For example, principle 1 of the CSA Model Code required that an organization “implement policies and practices to give effect to the principles”. The CPPA explicitly requires that an organization have a privacy management program:

Privacy management program

9 (1) Every organization must implement and maintain a privacy management program that includes the policies, practices and procedures the organization has put in place to fulfill its obligations under this Act, including policies, practices and procedures respecting

(a) the protection of personal information;

(b) how requests for information and complaints are received and dealt with;

(c) the training and information provided to the organization’s staff respecting its policies, practices and procedures; and

(d) the development of materials to explain the organization’s policies and procedures.

Volume and sensitivity

(2) In developing its privacy management program, the organization must take into account the volume and sensitivity of the personal information under its control.

The policies, practices and procedures in this privacy management program have to be provided to the Privacy Commissioner on request.

With respect to consent, organizations now expressly have to record and document the purposes for which any personal information is collected, used or disclosed. This was implied in the CSA Model Code, but is now spelled out in the Act.

Section 15 lays out in detail what is required for consent to be valid. Essentially, it requires not only identifying the purposes but also communicating in plain language how the information will be collected, the reasonably foreseeable consequences of the collection, use or disclosure, what types of information are involved, and the names or types of third parties to whom the information may be disclosed.

I’ll have to save digging into the weeds for another episode.

Collection and use without consent

One change compared to PIPEDA that will delight some and enrage others is the set of circumstances in which an organization can collect and use personal information without consent. Section 18 allows collection and use without consent for certain business activities that a reasonable person would expect: where it is necessary to provide or deliver a product or service the individual has requested, for information, system or network security, for the safety of a product or service, and for other prescribed activities. Notably, this exception cannot be used where the personal information is collected or used to influence the individual’s behaviour or decisions.

There is also a “legitimate interest” exception, which requires an organization to identify any potential adverse effects on the individual, take reasonable measures to reduce or mitigate them, record its assessment, and ultimately be able to show that the legitimate interest outweighs any remaining adverse effects. It’s unclear how “adverse effects” would be measured.

As under PIPEDA, an individual can withdraw consent, subject to similar limitations. What’s changed is that an individual can require that their information be disposed of. Notably, “dispose” is defined to include both permanently and irreversibly deleting the information and anonymizing it.

Law enforcement access

On a first review, it doesn’t look like there are many new circumstances, compared to section 7 of PIPEDA, in which an organization can collect, use or disclose personal information without consent.

In my view, it is very interesting that the exceptions that can apply when the government or the police come looking for personal information have not changed from section 7(3) of PIPEDA. For example, the provision that the Supreme Court of Canada in R v Spencer found did not itself give the police any lawful authority to obtain subscriber information is essentially reproduced in full:

44 An organization may disclose an individual’s personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing federal or provincial law or law of a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.

The Supreme Court essentially asked, “what does ‘lawful authority’ actually mean?”, and the government has made no effort to define it in Bill C-27. But that’s just as well, since companies should always say “come back with a warrant”.

Investigations

The big changes are with respect to the role of the Privacy Commissioner. The Commissioner is no longer an ombudsman focused on nudging companies toward compliance and solving problems for individuals. The role has veered strongly towards enforcement.

As with PIPEDA, enforcement starts with a complaint by an individual, or the Commissioner can initiate an investigation on his own initiative. There are more circumstances under the CPPA in which the Commissioner can decline to investigate. After the investigation, the matter can be referred to an inquiry.

Inquiries seem to have far more procedural protections for fairness and due process than the existing ad hoc system. For example, each party is guaranteed a right to be heard and to be represented by counsel. To my knowledge the Commissioner’s office has always done this in practice, but now it will be baked into the law. The Commissioner also has to develop rules of procedure and evidence that must be followed, and these rules have to be made public.

At the end of the inquiry, the Commissioner can issue orders requiring an organization to take measures to comply with the Act or to stop doing something that contravenes it. The Commissioner can continue to name and shame violators. Notably, the Commissioner cannot levy any penalties.

The Commissioner can only recommend that penalties be imposed by the new Personal Information and Data Protection Tribunal.

The Tribunal

The legislation creates a new specialized tribunal that hears cases under the CPPA. Its jurisdiction will likely grow to include other matters: the “online harms” consultation that took place in the last year anticipated that certain questions would be determined by this tribunal as well.

Compared to C-11, the new bill requires that at least three of the tribunal members have experience in the field of information and privacy law.

Its role is to determine whether any penalties recommended by the Privacy Commissioner are appropriate. It also hears appeals of the Commissioner’s findings, appeals of interim or final orders of the Commissioner, and appeals of a decision by the Commissioner not to recommend that any penalties be levied.

Currently, under PIPEDA, complainants and the Commissioner can seek a hearing in the Federal Court after the Commissioner has issued a finding. That hearing is “de novo”, so the court makes its own findings of fact and determinations of law based on the submissions of the parties. The Tribunal, in contrast, applies an appellate standard of review: “correctness” for questions of law and “palpable and overriding error” for questions of fact or of mixed law and fact. The Tribunal’s decisions are final, subject only to limited judicial review before the Federal Court.

So what about these penalties? They are potentially huge, and I have a feeling that the big numbers were pulled out of the air to support the political talking point that they are the most punitive in the G7. The maximum administrative monetary penalty that the Tribunal can impose in one case is the higher of $10,000,000 and 3% of the organization’s gross global revenue in the financial year before the one in which the penalty is imposed.

The Act also provides for quasi-criminal prosecutions, where the fines can go even higher.

The Crown prosecutor can decide whether to proceed by indictment, with a fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue, or by summary conviction, with a fine not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue. If it’s a prosecution, then the usual rules of criminal procedure and fairness apply, like the presumption of innocence and proof beyond a reasonable doubt.
