Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020. It proposes the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating the management of personal information in the private sector.
This is the tenth and final article in a series of articles addressing specific issues raised by the proposed CPPA. This article addresses the CPPA’s proposed changes to the accountability, openness and transparency obligations, with an overview of the requirements for privacy policies and what organizations must do to prepare in anticipation of the CPPA. An organization’s privacy policy plays a vital role in its privacy compliance program, being the instrument by which the organization meets its openness and transparency obligations under the act.
Click here for a more general discussion of the changes introduced by the Bill; scroll to the bottom for links to other posts in the CPPA: In Depth series.
Move away from permissive language to mandatory language
One of the key changes under Bill C-11 is the move away from principles-based PIPEDA (based on the OECD Principles, which found their way into a schedule to PIPEDA) to enacting actual language and obligations within the statute itself. While substantively very similar to the principles under Schedule 1 of PIPEDA, the provisions proposed in Bill C-11 will bring additional clarity about requirements for compliance, in part because much of the language of the Schedule in PIPEDA (“should”) would be replaced by clear requirements under the CPPA (“must”). For example, PIPEDA’s Principles on accountability and openness hold organizations accountable and require them to make public and readily available detailed information on their policies and practices for the management of personal information. Under the CPPA, these principles are more clearly articulated, with concrete obligations for compliance.
New emphasis on privacy management programs under the CPPA
While not spelled out under PIPEDA, the concept of a privacy management program as demonstration of accountability through appropriate policies and procedures that promote good practices has appeared in previous guidance from the Office of the Privacy Commissioner of Canada (“OPC”). OPC guidance reflects the OPC’s interpretation of PIPEDA, but is non-binding.
Whereas PIPEDA requires various standalone elements to address privacy concerns, the CPPA would speak (in section 9) in terms of a comprehensive “privacy management program”. This program would have to include “policies, practices and procedures put in place to fulfil [the organization’s] obligations” under the CPPA. The CPPA would also set out what types of policies, practices and procedures would be required to demonstrate accountability for the protection of personal information. These policies, practices and procedures must include those that address the protection of personal information as well as how requests for information and complaints are received and dealt with. In addition, the CPPA would require that training and information be provided to the organization’s staff respecting its policies, practices and procedures, along with the development of materials to explain the organization’s policies and procedures put in place to fulfil its obligations under the CPPA.
The CPPA would also require that an organization’s privacy management program be proportionate to the volume and sensitivity of the personal information that the organization controls. A similar obligation exists in PIPEDA, but is more narrowly framed in terms of the form of consent and the safeguards protecting personal information needing to be appropriate to the sensitivity of the information.
In a new provision under the CPPA (section 109(e)), the OPC would also, on request by an organization, have to “provide guidance on the organization’s privacy management program”.
Readily available information presented in plain language
PIPEDA’s Openness Principle requires organizations to make information about privacy policies and practices “readily available” to individuals. This requirement would be transposed into the CPPA, but would also create new standards for the type of information to be presented and the manner in which organizations must present such information to individuals.
While PIPEDA Principle 4.8.1 requires the information to be in a form that is “generally understandable”, the new law would raise the bar and create a higher standard by requiring the information to be available in “plain language”. PIPEDA’s “generally understandable” requirement begs the question “understandable to whom?” The CPPA requirement of “plain language” is less subjective, but will likely still create a challenge for organizations, considering the complexity of privacy management programs as well as the various new rights and obligations to be introduced. However, it is not a new concept: the requirement to present information using “clear and plain language” is also present in the European General Data Protection Regulation (“GDPR”). A privacy policy that uses complex language, long documents resembling contracts and complicated legal concepts to explain the organization’s privacy management program defeats the whole purpose of creating an instrument of transparency, openness and accountability. An incomprehensible privacy policy may also invalidate consent, if it is so incomprehensible that the individual cannot be said to have understood what they were consenting to.
Additional information required
The Openness and Transparency provisions in the CPPA would also include a restructuring and restatement of the obligations under Principle 4.8.2 of PIPEDA, mandating the type of additional information that an organization must make available in fulfilling its obligations of openness and transparency under the CPPA. In privacy policies under the CPPA, organizations would need to:
- Describe the type of personal information being handled
An obligation similar to current obligations under Principle 4.8.2(c), to describe in the privacy policy the types of personal information that the organization collects, uses and discloses as part of its commercial activities. This obligation also extends to a description of information collected by the organization and then transferred to a service provider for processing, as the organization remains accountable for this personal information even after such a transfer.
- Provide a general account of how the organization uses personal information, and application of any consent exceptions
This is another nod to the current obligation under PIPEDA’s Principle 4.8.2(c). However, the CPPA would unpack the current obligation and introduce a further requirement to provide a general account of how the organization will apply exceptions to consent, should it choose to process personal information without the consent of the individual. The exceptions to the requirement for consent under the CPPA [discussed in more detail in our other post here] mirror current exceptions under PIPEDA, but the CPPA also introduces new, broader ones, such as exceptions for certain enumerated business activities, for de-identifying personal information, for research and development within the organization (provided the information is first de-identified) and for socially beneficial purposes (if the information is first de-identified and if the disclosure is to a government or health care institution).
- Provide a general account of the use of any automated decision system to make certain predictions, recommendations or decisions
This presents a new requirement for organizations that use such systems to make “predictions, recommendations or decisions” about individuals based on their personal information. In an effort to promote algorithmic transparency, organizations would be required to provide a general account of their uses of any automated decision system used for the purpose of making predictions, recommendations or decisions that could have “significant impacts” on individuals. This disclosure would likely find a home in an organization’s privacy policy.
The definition of “significant impacts” is not provided under the CPPA, which creates some ambiguity for organizations seeking to comply. It remains to be seen how any such impact will be measured and what level of impact will trigger the obligation to account for the use of such algorithmic systems in the privacy policy.
The CPPA falls short of the GDPR’s prohibition on fully automated decision making systems that result in a legal or similarly significant effect without consent of the individual or a prescribed legal authorization (the CPPA sidesteps the issue by using a definition that would capture any such system that “assists or replaces” human judgement). It is likely that under the CPPA, an automated decision making system that resulted in legal consequences for an individual (e.g., predictive policing models) would be considered “significant”. Less clear is whether a decision made by such automated systems to increase the price of certain goods or services in a particular area would qualify as “significant” and require disclosure in a privacy policy.
- Provide information about international or interprovincial transfers or disclosure of personal information that may have reasonably foreseeable privacy implications
Personal information transferred to a different country becomes subject to that country’s laws. Considering the purpose of the CPPA, which recognizes the importance for the flow of personal information across borders and geographical boundaries in economic activity, it is no surprise that a transparency requirement about international transfers is included. Nevertheless, not every international transfer must be flagged in the policy. Information about international and interprovincial transfers must be provided only if there are “reasonably foreseeable privacy implications,” such as when the privacy and data protection legal framework in that foreign jurisdiction may impact the individual’s rights to privacy. This is in line with current guidance from the OPC to include in the policy information about storage or transfers to a foreign jurisdiction.
- Provide information about an individual’s right to disposal of or access to their personal information
The CPPA would introduce new privacy rights for individuals, and as a result, the transparency obligations include the requirement for organizations to provide enough information for individuals to know how to exercise their new rights under the CPPA. Among these new rights is the right to request the disposal of personal information. For further discussion of access rights, see our article here. For a further discussion of disposal rights and obligations, see our article here.
- Provide contact information
The organization must make public the business contact information of a designated individual within the organization to whom complaints or requests may be directed. This is the same requirement as found in PIPEDA.
The current regime makes the organization accountable to the individuals whose information the organization collects, uses or discloses. Under the CPPA, the OPC would have the power to challenge organizations and hold them accountable by requesting access to their privacy management program, which contains all of the policies, practices and procedures included in the organization’s privacy management program (section 10). For this reason, organizations may want to ensure they have a clear understanding of what is, and what is not, within the privacy management program, so as to avoid having to disclose peripheral information or materials if asked.
Are there penalties for a non-compliant privacy policy?
Similar to the current regime, individuals will still be able to make complaints regarding non-compliance by organizations with the requirements under the CPPA, which could include a failure of an organization’s privacy policy to meet Openness and Transparency standards. Such complaints will then be investigated by the OPC. The OPC can also initiate its own investigations into the organization’s compliance.
Under the CPPA, the OPC’s enforcement powers would be expanded, allowing the OPC to issue findings of contraventions of the CPPA and issue compliance orders. A compliance order may be issued to make an organization take certain measures to comply with the CPPA or stop doing something that is in contravention of the CPPA. With the new privacy regime, the Privacy Commissioner would be able to recommend that monetary penalties be imposed by the newly formed Tribunal.
For further information on penalties, orders and other enforcement provisions, see our previous post here.
Other posts in the CPPA: In Depth series:
Part 5: CPPA: An in-depth look at the data mobility provisions in Canada’s proposed new privacy law
Part 6: CPPA: An in-depth look at the disposal provisions in Canada’s proposed new privacy law
Part 7: CPPA: An in-depth look at the consent provisions in Canada’s proposed new privacy law
Part 8: CPPA: An in-depth look at the access request provisions in Canada’s proposed new privacy law
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.