The federal Minister of Innovation, Science and Industry today introduced Bill C-11, “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts” (the “Act”).
The Act includes significant content which will take some time to analyze in depth. Among other elements, the Act creates the Personal Information and Data Protection Tribunal, which can levy fines of up to the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed, while certain other offences can lead to penalties of the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced.
However, this article is focused on one specific issue, based on a brief temperature check of the Act: the rights provided to individuals by the Act. Specifically, to what extent are they net new, or just clarifications of existing rights under PIPEDA, and to what extent are they directly sourced from the EU General Data Protection Regulation (the “GDPR”), such that organizations already compliant with the GDPR may have a significant leg up?
The Act will provide individuals with the following rights:

1. Right of Data Portability.
How is this New: Under PIPEDA, individuals are, upon request, entitled to be given access to their personal information. The individual may then “port” their personal information to another organization if they so wish. The new Act, however, contemplates a more direct “Disclosure under data mobility framework” (s.72), such that, subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework provided under the regulations.
GDPR: Article 20 (Data Portability)

2. Right to withdraw/remove/erase basic personal data from a platform.
How is this New: Individuals already have the right under PIPEDA to withdraw their consent for the collection, use and disclosure of their personal information, subject to legal or contractual restrictions and reasonable notice. Inspired by “the right to be forgotten” under the EU GDPR, the proposed Act provides for “Disposal at individual’s request” (s.55), such that if an organization receives a written request from an individual to dispose of personal information that it has collected from the individual, the organization must, as soon as feasible, dispose of the information, unless (a) disposing of the information would result in the disposal of personal information about another individual and the information is not severable; or (b) there are other requirements of this Act, of federal or provincial law or – notably – of the reasonable terms of a contract, that prevent it from doing so.
GDPR: Article 17 (Right to erasure (‘right to be forgotten’))

3. Right to know how personal data is being used, including with a national advertising registry.
How is this New: PIPEDA already allows individuals, upon request, to be informed of the existence, use and disclosure of their personal information and to be given access to that information. The Act appears to largely duplicate this requirement in “Information and Access” (s.63(1)), requiring that on request by an individual, an organization must (a) inform them of whether it has any personal information about them, how it uses the information and whether it has disclosed the information, and (b) give the individual access to the information.
GDPR: Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject).

4. Right to withdraw consent for the sharing or sale of data.
How is this New: Again, individuals already have the right under PIPEDA to withdraw their consent for the collection, use and disclosure of their personal information, subject to legal or contractual restrictions and reasonable notice, and the organization is required to inform the individual of the implications of such withdrawal. The proposed Act appears to slightly modify those qualifications, providing for “Withdrawal of Consent” (s.17(1) and (2)), in whole or in part, upon the individual, at any time, giving reasonable notice to an organization (subject to the Act, to federal or provincial law or to the reasonable terms of a contract). Upon receiving the notice from the individual, the organization must, again, inform the individual of the consequences of the withdrawal of their consent and, as soon as feasible after that, cease the collection, use or disclosure of the individual’s personal information in respect of which the consent was withdrawn.
GDPR: Article 21 (Right to Object) ss.2 and 3

5. Right to review and challenge the amount of personal data that a company or government has collected.
How is this New: Given that PIPEDA already allows individuals (a) upon request, to be informed of the existence, use, and disclosure of his or her personal information and to be given access to that information, and (b) to withdraw consent, these two rights combine to effectively provide an avenue to do this already. Further, PIPEDA requires organizations (a) to put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information, which procedures should be easily accessible and simple to use; (b) to inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures; (c) to investigate all complaints; and (d) if a complaint is found to be justified, to take appropriate measures, including, if necessary, amending its policies and practices.
The proposed Act also provides for “Complaints and requests for information” in a very similar fashion (s.73), allowing an individual to make a complaint, or a request for information, to an organization with respect to its compliance and requiring the organization to respond, investigate and make any necessary changes to its policies, practices and procedures as a result of the investigation, in addition to ensuring that the organization makes readily available information about the process for making a complaint or request.
GDPR: Article 21 (Right to Object)

6. Right to have their data protected by data security requirements.
How is this New: In order to avoid making a “technology pick” which could swiftly become out of date, PIPEDA has only limited security provisions, including that security measures should be proportionate to the sensitivity of the personal information, and should include physical, organizational and technological measures. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage, with more sensitive information to be safeguarded by a higher level of protection.
Again, the provisions of the proposed Act regarding “Security safeguards” (s.57) are effectively identical to those of PIPEDA, in that an organization must protect personal information through physical, organizational and technological security safeguards which are proportionate to the sensitivity of the information, taking into account the quantity, distribution, format and method of storage of the information.
GDPR: Article 32 (Security of Processing)

7. Right to be informed when personal data is breached.
How is this New: PIPEDA already requires that where there is a breach of security safeguards at an organization, the organization report to the Privacy Commissioner and notify the individual of such breach, if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” The proposed Act includes the same requirements in “Report to Commissioner” (s.58(1)) and “Notification to Individual” (s.58(3)).
GDPR: Articles 33 (Notification of a personal data breach to the supervisory authority) and 34 (Communication of a personal data breach to the data subject).
In summary, the Act introduces the new GDPR concepts of the right of data portability and the right to be forgotten, but also largely copies certain pre-existing rights in PIPEDA, in many cases from their previous awkward position in the “Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96” which was scheduled to PIPEDA. In short, the proposed Act introduces a few new individual rights of significance based on the GDPR with which organizations will need to become familiar, but most of the individual rights are simply PIPEDA redux. This will assist organizations seeking to comply with the new proposed Act, if and when it comes into force.