Canada’s New Consumer Privacy Protection Act (Bill C-27)
Author: Gayle Wadden
Compliance Works Inc. CLO Gayle Wadden writes about how recently introduced privacy legislation may impact federally regulated employers. The Consumer Privacy Protection Act will apply to non-anonymized personal information that is about an employee, or an applicant for employment, if the organization collects, uses or discloses that information in connection with the operation of a federal work, undertaking or business.
The Canadian federal government has re-introduced amendments to PIPEDA in Bill C-27 and created a new act called the Consumer Privacy Protection Act (“CPPA”). The CPPA will have broad application to organizations that collect, use and disclose personal information in the course of commercial activities, but it will also have specific implications for federally regulated employers.
- Canadian federal employers would be required to respond to this new privacy legislation when it comes into force.
- The CPPA would replace parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that deal with the responsibilities of Canadian organizations that collect, use or disclose personal information.
While Bill C-27 may be amended and not all changes currently proposed may come into force, Compliance Works Inc. is following this Bill and will continue to publish important updates relevant to federally regulated employers. Federally regulated organizations can include banks, airlines, air transportation companies, radio broadcasters, and shipping companies, among others.
6 Proposed Changes to Canadian Privacy Legislation Employers Need to Know
The CPPA would apply to every Canadian federal employer. Like PIPEDA, the CPPA will also apply to every organization in respect of non-anonymized personal information that the organization collects, uses, or discloses in the course of commercial activities.
The CPPA is also focused on the protection of personal information, but there are some significant differences between CPPA and PIPEDA. Leadership teams, HR and people leaders, and compliance professionals will want to understand 6 important changes included in the proposed privacy legislation relevant to employers:
- Automated Decision Systems
- Proposed Business Transactions and Personal Information
- Minors’ Personal Information
- Disposal of Personal Information
- Data Mobility
- New Penalties for Contraventions and Offences
1. Automated Decision Systems
The CPPA includes specific provisions regarding automated decision systems. Automated decision systems are defined as “any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based program, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique”.
The requirements regarding automated decision systems apply broadly, but there are specific considerations in the employment context. For example, if a federally regulated employer uses automated decision systems in its hiring and HR practices (such as resume screening or ranking programs, aptitude tests, personality tests etc. that meet the above definition), it will need to comply with the following requirements in the CPPA:
- Plain Language: The organization must publish in plain language a general account of its use of any automated decision system to make predictions, recommendations or decisions about individuals that could have a significant impact on them; and
- Response to Request for Explanation: If an individual makes a request, the organization must provide the individual with an explanation of the prediction, recommendation or decision and the explanation must include the type of personal information that was used, the source of the information and the reasons or principal factors that led to the prediction, recommendation or decision.
2. Proposed Business Transactions and Personal Information
Just like PIPEDA, the CPPA provides that organizations that are parties to a prospective business transaction can use and disclose personal information without consent if certain conditions are met. However, the CPPA adds a significant requirement.
- De-identification of personal information: Under the CPPA, organizations must de-identify personal information before it is used or disclosed, and it must remain de-identified until the transaction is completed. The only exception to this requirement is if de-identifying would undermine the objectives for carrying out the transaction and the organization has considered the risk of harm to the individual that could result from using or disclosing the information.
This is an important change for Canadian employers. In any proposed business transaction, federally regulated employers will need to consider whether any information they are using or disclosing contains personal information, and if so, they will need to determine whether de-identifying the information would undermine the transaction’s objectives. If not, then organizations must de-identify that information before using or disclosing it.
3. Minors’ Personal Information
The CPPA has some specific requirements regarding sensitive information. The CPPA specifically states that the personal information of minors is sensitive information. While this is not an exhaustive list of the requirements related to sensitive information, we have highlighted two examples for employers:
- Disclosure of Retention Periods: Organizations must make available the retention periods applicable to sensitive information.
- Privacy Management Program: Organizations are also required to consider the sensitivity of information when developing their privacy management program or when complying with other requirements under the Act. Employers who employ minors will have to be mindful of this when considering their obligations under the Act.
4. Disposal of Personal Information
The CPPA outlines the right of individuals to request that an organization dispose of their personal data, subject to some exceptions. One of those exceptions is where other legal requirements or the reasonable terms of a contract prevent the organization from disposing of the information.
- Requests of Employees to Dispose of their Personal Information: Employers do have obligations to retain employment information for a period of time under other legislation (such as employment standards and health and safety legislation), but the CPPA may allow a former employee to request the disposal of their personal information after those retention periods have passed.
5. Data Mobility
Under the CPPA, individuals will have the right to transfer their data from one organization to another. The CPPA contemplates the creation of a data mobility framework, the details of which will be provided under the regulations, which are not yet available. It’s unclear at this time whether this provision will have any specific impact in the employment context, but this is something to watch.
6. Increased Penalties
The CPPA enhances the powers of the Privacy Commissioner and proposes much stronger penalties and fines against an organization for contraventions or offences.
- Maximum Fines Significantly Higher and Added Penalties: Currently the maximum fine for an offence under PIPEDA is $100,000 and there is no penalty amount for contraventions other than offences. Under the new Act there are penalties for contraventions of the Act and separate fines for offences, with significantly higher maximums:
- The maximum penalty for all contraventions taken together is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.
- The maximum fine on conviction of an offence is the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced.
Bill C-27 would also enact the Personal Information and Data Protection Tribunal Act which would create a new tribunal to hear appeals of decisions made by the Privacy Commissioner under the CPPA and the Artificial Intelligence and Data Act which would regulate the use of artificial intelligence systems.