With everything happening in the world, from the GDPR in Europe to the newly enacted California Consumer Protection Act, it is no surprise that Canada has proposed a new privacy bill. Bill C-11, which went through its first reading in the House of Commons on November 17, 2020, consists of two parts:
- Part 1: The Consumer Privacy Protection Act (the “CPPA”); and
- Part 2: The Personal Information and Data Protection Tribunal Act (the “PIDPT”).
In 1973, the US Department of Health, Education and Welfare (the “HEW”) prepared the famous report “Records, Computers and the Rights of Citizens”, in response to growing concerns about the use of computers to collect and maintain information about individuals. In this report, HEW introduced the idea of Fair Information Principles (the “FIPs”). The original FIPs set out by HEW in this report were as follows:
- There must be no personal data record-keeping system whose very existence is secret.
- There must be a way for an individual to find out what information about him or her is in a record and how it is used.
- There must be a way for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without consent.
- There must be a way for an individual to correct or amend a record of identifiable information about him or her.
- Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
Since then, organizations have either followed these exact principles or have come up with their own versions of the FIPs. The CPPA essentially obliges organizations to follow the FIPs below:
- Accountability: s. 7 to s. 11 of Bill C-11.
  - Highlights: Amongst other things, an organization must have a designated individual who is in charge of compliance with the Bill. Additionally, every organization must establish a privacy management program.
- Appropriate Purposes: s. 12 of Bill C-11.
  - Highlights: s. 12 limits collection, use and disclosure to “purposes that a reasonable person would consider appropriate in the circumstances”.
- Limiting Collection, Use and Disclosure: s. 13 to s. 14 of Bill C-11.
  - Highlights: On top of s. 12 (see above), as per s. 13, collection of personal information will be limited to what is “necessary for the purposes determined and recorded under subsection 12(3)”. So there are two limitations imposed on collection: reasonableness and necessity.
- Consent: s. 15 to s. 52 of Bill C-11.
  - Highlights: There are many exceptions to the consent requirement. The most peculiar exception has to be, in my opinion, the “Business Operation” exception. In practice, this exception could mean that once you give your consent to an organization, that organization may be able to do whatever it wants with your information under the “business operation” exception.
- Retention and Disposal of Personal Information: s. 53 to s. 55 of Bill C-11.
  - Highlights: Individuals will have the right to request, in writing, that an organization dispose of their personal information.
- Accuracy of the Information: s. 56 of Bill C-11.
  - Highlights: An organization must not routinely update personal information it is holding. This theoretically limits the ability of an organization to collect personal information.
- Security Safeguards: s. 57 to s. 61 of Bill C-11.
  - Highlights: Organizations now have to report a breach of security safeguards to the Commissioner and give the individuals affected a notice of the breach.
- Openness and Transparency: s. 62 of Bill C-11.
- Access to and Amendment of Information: s. 63 to s. 71 of Bill C-11.
  - Highlights: If an individual asks, an organization must reveal what information about that individual the organization is maintaining and how that information is being used. Further, the organization has to inform that individual whether or not the information has been disclosed to a third party.
- Mobility of Information: s. 72 of Bill C-11.
  - Highlights: Gives the individual the right to transfer his or her information from one organization to another.
In short, the CPPA is the Canadian version of the GDPR and follows the same philosophy: empowering individuals to have more control over their personal information.
Finally, the second part of Bill C-11, the PIDPT, establishes the Personal Information and Data Protection Tribunal. This tribunal will oversee all appeals made under ss. 100 and 101 of the CPPA and will have 3 to 6 members, with at least one member having experience in information and privacy law. Members will not be able to hold office for more than 5 years. Any final decision made by this tribunal may only be reviewed by the Federal Court through a judicial review application.