
This article is written by Sakshi Jayesh Chauhan, pursuing Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Smriti Katiyar (Associate, LawSikho).

Introduction

In the contemporary world, where the internet has entered every facet of our lives, from working online to buying and selling online, a person enters into multifarious commercial transactions on an everyday basis. These transactions often involve sharing enormous amounts of personal information over the web, which, if not secured with due caution, could lead to yet another incident like the Alibaba Data Breach of November 2019.

In light of this, the government of Canada introduced a Bill, the ‘Digital Charter Implementation Act’, in Parliament in November 2020. This Act aims to strengthen privacy protection for Canadians as they engage in commercial activities. The Bill, if passed, shall bring a two-fold change to the country’s federal privacy legislation. Firstly, it will create a ‘Consumer Privacy Protection Act’ (CPPA), which shall lay down the new privacy law to be adhered to by businesses and organizations while dealing with customer data. Secondly, it will create a new ‘Personal Information & Data Protection Tribunal Act’ (PIPTD), which shall set up an administrative tribunal that can impose monetary penalties for privacy violations.

In this article, we will briefly discuss the important provisions of both pieces of legislation and understand how this Bill aims to uphold the privacy of citizens.

What is the Consumer Privacy Protection Act (CPPA)?

The intent of the legislature behind enacting this Act is to support and promote e-commerce while also protecting the personal information of customers that is collected, used, and disclosed in the course of it. This Act repeals Part 1 of the existing ‘Personal Information Protection & Electronic Documents Act’ (PIPEDA) and turns the remainder into stand-alone legislation, i.e. the Electronic Documents Act.

Further, it is common knowledge that data constantly flows across borders and geographical territories, and that economic activities rely on the analysis, circulation, and exchange of personal information. In such circumstances, protecting personal information in a manner that recognizes the right of individuals to privacy in their personal information becomes indispensable. Organizations therefore bear a pressing responsibility to use data only for purposes that a reasonable person would consider appropriate in the circumstances. To ensure that organizations abide by this principle, this Act has to come into force.

This Act shall hold every organization responsible for the personal information that is under its control and which it has collected, used, or disclosed interprovincially or internationally.

The following are a few key highlights of the CPPA:

Organization to appoint a designated individual

This individual (or individuals) shall be responsible for matters relating to the organization’s obligations under this Act, and their business contact information is to be made available to any person who requests it. However, this does not relieve the organization of its responsibilities.

Organization to implement a privacy management program 

Under this system, the organization shall formulate certain policies, practices, and procedures in the below-mentioned areas in order to fulfil its obligations under this Act. 

  1. Protection of personal information;
  2. Mechanism dealing with requests for information and complaints;
  3. Training and information provided to the organization’s staff with respect to these policies, practices, and procedures;
  4. Development of materials to explain the organization’s policies and procedures.

While developing this privacy management program, the organization has to take into account the volume and sensitivity of the personal information under its control. Further, where the organization transfers personal information to a service provider (i.e. another entity providing services to assist the organization in fulfilling its purposes), it must ensure that the service provider provides substantially the same protection of the personal information as the organization itself does.

The purpose for which the information is collected

Utmost care must be taken to ensure that the collection, use, and disclosure of a customer’s personal information is done only for reasonable purposes corresponding to the task at hand. The following factors are to be taken into consideration while determining whether a purpose is appropriate:

  1. Sensitivity of personal information;
  2. Purposes to represent legitimate business needs of the organization;
  3. Effectiveness of collection, use, or disclosure in meeting those legitimate business needs;
  4. Ruling out any other less intrusive method of achieving those purposes;
  5. Determining whether an individual’s loss of privacy is proportionate to the benefits.

In addition to this, the purpose has to be determined either before or at the time of collection of the personal information. If a new purpose arises subsequently, it must be recorded, and the organization is forbidden from using or disclosing the information for that purpose without obtaining the individual’s valid consent.

Information to be provided to the individual while obtaining consent

The following information has to be provided to the individual in plain language before obtaining their consent:

  1. Purpose of collection, use, or disclosure of the personal information;
  2. The way in which the personal information is to be collected, used, or disclosed;
  3. Any reasonably foreseeable consequences of such collection, use, or disclosure;
  4. The specific type of personal information that is collected, used, or disclosed;
  5. The names of any third parties to which the organization may disclose the personal information.

Furthermore, the individual has the right to withdraw consent at any time by giving reasonable notice to the organization.

Exceptions to consent

Under the following circumstances, the organization may collect, use, or disclose the personal information of an individual without their consent:

  1. Transfer of information to the service provider;
  2. To de-identify the personal information (i.e. to modify personal information by using technical processes to ensure that information does not identify an individual);
  3. For the organization’s research and development purposes, provided that the information is de-identified before use;
  4. Disclosure to the lawyer who is representing the organization;
  5. For debt collection;
  6. If collection is in the interest of the individual and consent cannot be obtained in a timely manner;
  7. For purpose of investigation;
  8. Emergency disclosure, wherein disclosure is necessary to identify the individual who is injured, ill or deceased and is made to a government institution.

Furthermore, the Act provides that personal information may be lawfully disclosed after a period of:

  1. 100 years after the record containing the information was created;
  2. 20 years after the death of the individual. 

Access to and amendment of personal information

On request by an individual, the organization must inform them whether it holds any personal information about them, how that information is being used, and whether it has been disclosed. The individual must also be given access to all of that information.

In addition to the above-mentioned highlights of the CPPA, the Act also provides for a Commissioner, namely the Privacy Commissioner appointed under section 57 of the Act.

Role of the Commissioner

  1. Approval of Codes of Practice, i.e. the regulations put in place by an organization for the protection of personal information;
  2. Investigation and inquiry into any complaint received under the CPPA, which has to be disposed of within a year;
  3. The Commissioner may attempt to resolve a complaint via mediation and conciliation, unless an inquiry is being conducted in respect of the complaint;
  4. After the inquiry, the Commissioner decides whether to recommend that a penalty be imposed on the organization by the Tribunal.

However, before forwarding the complaint to the Tribunal, the Commissioner must take certain factors into consideration:

  1. The nature and scope of the contravention;
  2. Whether the organization has voluntarily paid compensation to a person affected by the contravention;
  3. The organization’s history of compliance with this Act;
  4. Any other relevant factor.

Further, the Act sets out that the maximum penalty for all contraventions shall not exceed $10,000,000 and 3% of the organization’s gross global revenue in the financial year before the one in which the penalty is imposed. Besides this, any complainant or organization affected by the findings, order or decision of the Commissioner may appeal it to the Tribunal within 30 days after the day on which the Commissioner renders the decision on the matter.

Therefore, from this brief overview of the CPPA, it can be seen that the government of Canada is building a space in which citizens can be confident that their data is safe and their privacy is respected.

What is the Digital Charter Implementation Act, 2020?

Personal Information and Data Protection Tribunal Act (PIPTD)

This Act aims to establish an administrative tribunal that will hear appeals of decisions made by the Privacy Commissioner of Canada under the Consumer Privacy Protection Act, and that will further impose penalties for any contravention by an organization of its obligations under that Act.

Some key highlights of the functioning of the Tribunal are as follows:

Jurisdiction and composition

The Tribunal has jurisdiction in respect of all appeals that may be made under sections 100 and 101 of the CPPA and in respect of the imposition of penalties under section 94 of that Act. Further, the Act states that the Tribunal shall consist of three to six members appointed by the Governor in Council on the recommendation of the Minister.

These members shall hold office for a term not exceeding five years and may be removed for cause by the Governor in Council. The Act also categorically states that at least one member of the Tribunal must have experience in the field of information and privacy law.

Nature of hearings

The Tribunal is not bound by any legal or technical rules of evidence in conducting a hearing on any matter that comes before it, and it must deal with all matters as informally and expeditiously as the circumstances and considerations of natural justice permit.

A party may appear before the Tribunal in person or be represented by another person, including legal counsel.

Decision of Tribunal

A decision of the majority of the members of the panel is the decision of the Tribunal. Further, the Act mandates that a decision of the Tribunal is final and binding and, except for judicial review under the Federal Courts Act, is not subject to appeal or review by any court.

Consequently, businesses would not have to appear before the Federal Court of Canada; rather, the Tribunal will allow the parties to resolve matters at a lower cost and in a more accessible manner.

Public availability of decisions

The Tribunal must make its decisions, and the reasons for them, publicly available. This promotes openness and transparency in the system. However, adequate measures are to be undertaken to protect the complainant’s name and any personal information that could be used by the public to identify the complainant.

Suggestions for the Amendment of the Bill

The Bill, by incorporating the two new pieces of legislation, indeed aims to provide a higher threshold of security for the personal information of individuals, and lays down adequate obligations on organizations to make them conscious of their responsibility.

However, a few amendments to the Bill are required in order to achieve the holistic goal of providing privacy protection to Canadians:

  1. The Bill keeps the federal government outside the ambit of its provisions. Therefore, there exists a grey area as to the obligations and responsibilities of the government and its affiliates and subsidiaries when it comes to protecting the privacy of individuals.
  2. Since Tribunal hearings are to be disposed of in a summary and informal manner, there is a possibility that a defendant need only create a smokescreen in order to successfully avoid summary judgment, and the Tribunal will not analyze the issues in any great detail. Thus, in these circumstances, an individual’s application will succeed only if the case is overwhelmingly in their favour.

Conclusion

The Bill as a whole is a very meticulously drafted document, in which the government has set out to deliver an ambitious and comprehensive reform of Canada’s framework for protecting the privacy of Canadians while fostering innovation among Canadian businesses. The Bill will undoubtedly foster trust and confidence in the business community, as each business will know its rules of the road for delivering products and services; in return, Canadian consumers shall enjoy strong protection of their personal information.

It goes without saying that in the digital age the protection of individuals’ privacy is of paramount importance, and this trust will help to facilitate the e-commerce market and even encourage investment in Canadian businesses.

References

  1. Bill C-11
