On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.
Bill C-11 seeks to enact the Consumer Privacy Protection Act (the CPPA) while simultaneously repealing corresponding provisions from Canada’s existing data privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA would create new data privacy obligations and maintain PIPEDA’s principles.
Under the CPPA, the federal Privacy Commissioner would be empowered to investigate contraventions of the CPPA, as well as make orders and impose penalties. Penalties for some administrative offences may be up to 3% of an organization’s global revenues or $10 million, whichever is greater. The most serious offences under the CPPA may be punishable by up to 5% of an organization’s global revenues or $25 million, whichever is greater. If enacted into law, these penalties would be the harshest of their kind in any G7 country.
Bill C-11 also seeks to enact the Personal Information and Data Protection Tribunal Act. This act would create an administrative tribunal that hears appeals of the Privacy Commissioner’s decisions and assists in administering the CPPA.
In addition to reiterating the existing data privacy principles in PIPEDA, the CPPA would create many new data privacy obligations that would affect any business that collects individuals’ data. Three aspects of these new obligations should be of particular note to social media platforms.
First, the CPPA would impose new requirements for obtaining individuals’ consent to collect and use their data. Organizations must obtain individuals’ consent prior to data collection, unless an organization can demonstrate that implied consent is sufficient given the circumstances. These consents must be written in plain language that will be readily understood by lay individuals. Organizations cannot ask individuals to consent to data collection beyond what is strictly necessary for these organizations’ purposes. Furthermore, individuals may withdraw their consent at any time, subject to some limitations.
Second, under the CPPA, individuals would have expanded rights to their own data in organizations’ possession. Subject to a few exceptions, on the request of an individual, an organization must inform that individual whether it has any personal information about them, how this information is being used and whether it has been disclosed. Individuals will also be able to request access to any of their personal information in an organization’s possession. Moreover, organizations would be required to delete an individual’s personal information upon their request.
Third, the CPPA would introduce the concept of algorithmic transparency. Upon the request of an individual, an organization would be required to provide an explanation as to why its algorithms made a particular prediction, recommendation, or decision based on that individual’s personal data.
Bill C-11 is not yet law, and it still needs to proceed through committee review and consultation. There will likely be many opportunities for industry consultation before the CPPA becomes law.