On June 16, 2022, the Canadian federal government introduced Bill C-27 (the “Bill”). The Bill proposes to make a number of significant changes to federal privacy legislation, creating several new acts, including the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. The former will effectively replace the privacy obligations of federal employers under PIPEDA, and the latter will create a new tribunal to enforce those rights.
Consumer Privacy Protection Act (the “CPPA”)
The CPPA will repeal and replace Part 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which provided rules for the collection, use and disclosure of personal information, including for federal employers. The CPPA will incorporate most of the current requirements from PIPEDA, but will also introduce many new changes, including, but not limited to, the following:
1. Anonymous and De-Identified Information: Under the CPPA, personal information may be anonymized or de-identified. Anonymous information is anything that has been modified to ensure that individuals cannot be identified. This information can be used and disclosed without restrictions. De-identified information is personal information that has identifiers removed but which may still allow for identification. That information is subject to regulations.
2. Right to Dispose: Individuals may request to have their personal information disposed (i.e. deleted) with certain exceptions.
3. Data Mobility: Individuals will also be able to request that their personal information and data be disclosed to another organization. For example, an employee could request some of their personal information in their employee file be disclosed to a new employer.
4. Consent: The CPPA establishes the need for express consent unless the organization can demonstrate that implied consent is appropriate in the circumstances. The exceptions to consent from PIPEDA are largely incorporated in the CPPA (with some changes, a few outlined below), including the exception for employment relationships, which allows for the collection, use or disclosure of personal information necessary to establish, manage or terminate an employment relationship between an organization and individual.
The CPPA will have a number of changes to the exceptions for consent:
- Business activities – personal information can be collected or used without knowledge or consent where it is necessary for a business activity, including providing a product or service requested by an individual, information, system or network security, and the safety of a product or service.
- Service providers – an organization may transfer personal data to service providers without consent, subject to their compliance with the CPPA’s requirements for personal data. This confirms the current practice of the many employers who use service providers such as benefit providers and payroll services to administer aspects of the employment relationship.
- Legitimate interest – an organization may collect, use and disclose personal information without consent in cases where the legitimate interest of the organization outweighs the adverse effect on the individual. This is a broad new exception with little indication of what constitutes such a “legitimate interest”.
- Business Transactions – the CPPA allows organizations to use or disclose personal information if it de-identifies the information, the information is necessary for the business transaction, and the parties comply with the requirements under the CPPA. This facilitates employers sharing employee personal information in connection with planned sales or other disposition of their business.
- Informed consent – the CPPA increases the requirements for the information that must be provided to individuals before they can give informed consent.
5. Automated decision systems: Organizations that use automated decision systems (e.g. algorithms) that could have a significant impact on an individual must, on request, provide that individual with an explanation of how the system was used to make a decision affecting them. Thus an employer that uses recruiting software to do initial sorting and shortlisting of job applicants will be required to explain how it works on request.
6. Privacy Management Program: Organizations must have a privacy management program that includes policies, practices and procedures respecting the protection of personal information, how requests for information and complaints are received and dealt with, the training and information provided to staff, and the development of materials to explain the organization’s policies and procedures. This adds a significant regulatory burden for employers.
7. Enforcement: The Bill will significantly change the powers of the Office of the Privacy Commissioner, including authorizing the OPC to:
- Order organizations to change practices and publicize such changes
- Approve an organization’s Codes of Practice or Certification Program to meet compliance obligations
- Recommend penalties to the new Data Protection Tribunal
- Impose significant penalties up to a maximum of $10,000,000 or 3% of gross global revenue for breaches such as failing to limit collection or obtain consent, and failing to dispose of personal data or to maintain it in a secure, compliant manner.
- Impose fines of up to $25,000,000 or 5% of gross global revenue for offences such as failing to report breaches to the Commissioner or to maintain records of them, destroying records which are the subject of an access appeal, using anonymous information to identify an individual except in permitted circumstances, engaging in reprisals, or obstructing an inquiry by the OPC.
The Bill also creates a private right of action for individuals. Once the OPC has determined that an organization has contravened the CPPA, or the organization has been convicted of an offence under it, the individual may commence an action against that organization for damages for loss or injury suffered as a result of the contravention, act or omission. Such an action may be brought in the Federal Court or a superior court of a province. This change addresses a major weakness of PIPEDA, which did not provide for any compensation or other remedies for the victims of privacy breaches. No doubt class action plaintiffs’ counsel will take advantage of this new avenue for litigation.
Personal Information and Data Protection Tribunal Act (the “PIDPTA”)
The PIDPTA creates a new enforcement tribunal for privacy rights, the Data Protection Tribunal, to hear appeals of certain decisions under the CPPA from initial rulings of the OPC.
The Bill will:
- overhaul many aspects of personal data collection and use applicable to federal employers;
- introduce new privacy compliance obligations for federal employers, including having a policy and training on it;
- introduce broader remedial powers for the OPC, including substantially increased potential penalties for contravening privacy rights; and
- introduce a new private cause of action to allow individuals to sue for damages resulting from contraventions of the CPPA.
Given the Liberal government’s agreement with the NDP, it appears likely the Bill will pass later this year.
We encourage federal organizations and employers to monitor the news for passage of the Bill. If you want more information on this topic, you can contact us at:
Geoffrey Howard: email@example.com
Sebastian Chern: firstname.lastname@example.org