Part II: What Could Privacy Reform Look Like in Canada? Insights from Bill C-11
Introduction
In March 2021, we wrote our first article about the Federal Government’s Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts. That article focused on Bill C-11’s introduction of enhanced consent requirements, limitations on the use of de-identified information, and new measures surrounding algorithmic transparency in the proposed Consumer Privacy Protection Act (CPPA).
When the federal election was called on August 17, Bill C-11 died on the order paper, meaning that the legislation was not passed before the dissolution of parliament. Given that Bill C-11 only saw limited debate at second reading and never reached committee study, there wasn’t much legislative progress lost. It is likely, however, that new privacy legislation will be introduced in the next parliament.
The Liberal Party of Canada secured a second consecutive minority government in the federal election held on September 20. The federal political parties’ positions changed very little in the election, with no significatnt changes in seat counts for any party. The political dynamics in the House of Commons will likely be similar in Canada’s 44th Parliament as they were in the 43rd. It remains to be seen whether the Liberals will seek to revive Bill C-11 as drafted, as the government’s position is effectively the same now as it was when Bill C-11 was first introduced in the last parliament.
The parties’ election platforms may provide some insight into their priorities on the issue of privacy reform as they head back to the House of Commons.
Privacy reform was not a focus for any of the major parties on the campaign trail. Indeed, the incumbent Liberal Party of Canada did not commit to re-introducing Bill C-11 in its current form if re-elected. In their platform, the Liberals commited to implement the Digital Charter and establish a digital policy taskforce. They also commited to enhancing cybersecurity protections and increasing international cooperation on matters of privacy and intelligence-sharing.
The Conservative Party of Canada, which will return to its position as the Official Opposition, explicitly committed in its platform to introduce privacy legislation that is stronger than Bill C-11, along with security-focused measures to enhance international cooperation in address cybersecurity threats. The Conservative caucus may aggressively oppose a re-introduction of Bill C-11 if the Liberal government takes that approach.
The New Democratic Party (NDP), whose twenty-five votes will be meaningful in a minority parliament, committed in its platform to strengthen the powers of the Office of the Privacy Commission of Canada (OPC) and introduce a digital bill of rights. The NDP also committed to address online hate and foreign cybersecurity threats.
The Green Party of Canada committed to enshrine digital rights in a similar fashion to the European Union, and to listen to OPC recommendations on enhacing powers and strengthening the existing regime. The Greens will only have two seats in the next parliament.
Although Bill C-11 is dead, it is likely to inform what privacy law reform looks like in Canada. In this regard, some observations can be gleaned from Bill C-11 about what may be included in new legislation and what will be prioritized in the redrafting process. We will focus on the aspects of Bill C-11 that we did not cover in our first article, including enahnced powers of the OPC, the introduction of a new tribunal, a private right of action, and stringent enforcement measures.
New powers for the OPC are likely
The current regime under the Personal Information and Electronic Documents Act (PIPEDA) provides limited authority for the OPC to enforce recommendations in instances of non-compliance. The OPC has been calling for reform for years. It is likely that new privacy legislation would act on these demands and enhance the OPC’s toolkit.
Presently, under PIPEDA, the OPC has the power to initiate complaints or respond to and investigate complaints filed by individuals. However, following investigations, the OPC’s enforcement toolkit is restricted to public interest disclosure (naming and shaming), creating compliance agreements, and auditing personal information management practices. The OPC may also report offences to the Attorney General of Canada or of a province if the OPC is satisfied that there is sufficient evidence of such an offence occurring. The OPC has an additional ability under PIPEDA to apply to the Federal Court to hear the matter, in which case the Federal Court can order corrective measures, order an organization to make corrective measures public, or award damages.
Bill C-11 offered a starting point for change in this area. The bill would have significantly expanded the OPC’s toolkit, introducing new powers of inquiry and order-making. Under the CPPA, the OPC could commence an inquiry in response to a complaint or if an existing compliance agreement is breached.
The OPC’s order-making powers would have been subject to appeal under Bill C-11, which would be made to the proposed Personal Information and Data Protection Tribunal (Tribunal) within 30 days of the order being made.
The introduction of this appeal mechanism was a significant reform in Bill C-11, introducing a more robust administrative process by which individuals and organizations affected by OPC decisions can seek recourse. The framework for adjudicating privacy issues is limited under the PIPEDA regime, and it is likely that something similar to the appeal routes proposed in Bill C-11 could appear in future legislation.
New administrative bodies are possible
Part II of Bill C-11 created the Tribunal through the enactment of the Personal Information and Data Protection Tribunal Act (PIDPTA). The Tribunal would oversee the CPPA’s enforcement regime, effectively checking the new powers afforded to the OPC. The Tribunal would have jurisdiction to hear appeals of OPC decisions and set fines on organizations proposed by the OPC.
If Bill C-11 is revived or something similar is drafted, the composition of a new tribunal is likely to be a point of concern for privacy experts. Under Bill C-11, there was no requirement for tribunal members to be subject-matter experts. The Tribunal was to consist of three to six members appointed by the Governor in Council, but only one of those members was required to have experience in the field of information and privacy law.
Privacy experts took issue with this approach. In an area of law that can be nuanced, technical, and constantly evolving, the possible lack of expertise on the Tribunal could have proven problematic. Concerns would certainly have been raised in consultation and parliamentary committees had C-11 proceeded further in the legislative process, and we can expect that the privacy community will reiterate this point if new privacy legislation is introduced.
While the introduction of an administrative tribunal strengthens a regime that is currently constrained under PIPEDA, there is risk that a tribunal would add procedural complexity and bureaucratic delays to processes. Nonetheless, in an economy that is rapidly changing, the balance between innovation and consumer protection has become an increasingly acute issue, and there is a dire need for greater consistency and predictability. A tribunal regime may deliver this via a review mechanism of the current “ad hoc” investigative reports issued by the OPC.
If privacy reform legislation is proposed in the next parliament, Bill C-11 provides some indication that new legislation could introduce additional administrative mechanisms for the regime. The framework for adjudicating privacy issues is quite thin in its present state, and it is likely that something similar to the Tribunal under Bill C-11 could re-emerge.
Significant penalties are likely
If Bill C-11 had passed before the end of the parliamentary session, Canada’s privacy law regime would have carried some of the strongest financial penalties in the world. This would have been a significant development, given that PIPEDA presently contains relatively blunt enforcement mechanisms. It is unclear whether legislation would dial back these measures or re-commit to strong enforcement.
Administrative Monetary Penalties (AMPs) were a prominent tool in Bill C-11. AMPs in the bill were not intended to be punitive, but are instead intended to promote compliance. The Bill provided for considerations of individual circumstances and the business/commercial impact of large financial penalties. The OPC and Tribunal were required to take the following factors into consideration when imposing AMPs:
- The nature and scope of the contravention;
- Whether the organization had voluntarily paid compensation to a person affected by the contravention;
- The organization’s history of compliance with the CPPA;
- The organization’s ability to pay the penalty and the likely effect of paying it on the organization's ability to carry on its business;
- Any financial benefit that the organization obtained from the contravention; and
- Any other relevant factor. (sections 93(2) and 94(5) of CPPA)
If the OPC found an administrative breach, penalties could have been as high as 3% of an organization's global revenue (not limited to revenue generated in Canada), or $10 million, whichever is more.
The CPPA also allowed for more serious penalties above and beyond basic AMPs. Contraventions of the following could have rendered a party guilty of either an indictable offence or an offence punishable on summary conviction:
- Obligation to report breaches of security safeguards;
- Obligation to maintain records of privacy breaches;
- Obligation to retain information subject to an access request;
- Prohibition against using de-identified information to identify an individual;
- Prohibition on reprisal against employees;
- An order under subsection 92(2); or
- Obstruction of the Commissioner or the Commissioner’s delegate in the investigation of a complaint, in conducting an inquiry or in carrying out an audit
A party found guilty of an indictable offence would be liable to a fine not exceeding $25 million or 5% of the organization’s gross global revenue (not limited to revenue generated in Canada), whichever is higher.
A party found guilty of an offence punishable by summary conviction would be liable to a fine not exceeding $20 million or 4% of the organization’s gross global revenue (not limited to revenue generated in Canada), whichever is higher. Revenue was to be calculated based on the gross revenue generated in the organization’s financial year preceding the one in which the sentence is determined.
It is possible that the penalties regime under a new bill would vary from the model set out in Bill C-11. There is debate among law-makers and regulators about whether AMPs are the most effective tool for promoting compliance in the first place, but it is unlikely that the new Liberal government would alter its position on this issue after drafting the original bill with extensive use of AMPs. Indeed, advocates for the regime under Bill C-11 suggest that such strict measures are necessary to advance consumer protection objectives.
Regardless, new legislation will almost certainly include a revised penalties regime. There is stronger appetite for aggressive enforcement in the privacy space among consumer advocates, especially in the wake of discussions around Bill C-11, and it is likely that a future bill will incorporate stiffer penalties than we presently see under the PIPEDA regime.
A private right of action may still be introduced
Bill C-11 also introduced a private right of action, which provided individuals with a direct cause of action against an organization if that organization contravened the CPPA. This was a significant development, providing an additional means of recourse that is unprecedented in the Canadian privacy and information law landscape. While Canada’s Anti-Spam Law, introduced in 2014, features this enforcement mechanism, its implementation was indefinitely suspended.
Bill C-11 included limitations on who could exercise the private right of action and the timeframe in which it was available. The proposed right of action was only available to individuals who had exhausted all possible statutory recourse under the CPPA. Therefore, the individual claimant must have completed the complaint and appeal processes set out in the CPPA before pursuing this right of action. Moreover, individuals could only seek recourse through the private right of action within two years of the individual becoming aware of either:
- The OPC or Tribunal making a final finding that the organization has contravened the CPPA; or
- The organization being convicted of an offence under the CPPA.
A private right of action is a bold addition to the privacy and information landscape, raising myriad questions about the practical usefuleness of empowering individuals to seek legal recourse against organizations. Like Bill C-11’s enforcement regime, it is likely that the Liberal government will maintain its position that a private right of action is worthwhile addition to Canada’s privacy landscpare, but observers will watch closesly to see if this mechanism survives redrafting.
Possible Developments in Ontario
The Government of Ontario published a white paper On June 17, 2021, providing an overview of its approach to new privacy legislation in the province. This legislation has not yet been introduced.
The Ontario government’s objective in developing new privacy legislation is to facilitate the emerging digital economy. The white paper cited comments from privacy experts and the Privacy Commissioner criticizing weaknesses in Bill C-11, and proposed legislative reforms in Ontario to supplement measure contained in Bill C-11.
The white paper suggests that Ontario likely intended to table a robust privacy bill to fill gaps left in Bill C-11, while seeking to address some of the uncertainties created by Bill C-11 in the minds of the business community (e.g. requirements pertaining to de-identified data). The purpose and scope of such a bill may broaden with Bill C-11’s death. Due to constitutional constraints imposed in the federal realm, the Ontario legislation will necessarily be broader in its application than Bill C-11, notably by addressing employee personal information held by all non-federally regulated employers in the Province.
Given that the white paper was drafted before the federal election was called, the void in privacy reform is even greater now than anticipated. It is possible that Bill C-11’s death on the order paper will provide more impetus for Ontario to introduce new legislation in order to advance necessary privacy reforms in anticipation of stagnation on the issue at the federal level. Indeed, the Ontario government may well see the economic risk of inaction to be too great in a rapidly digitizing economy.
Ontario’s legislation could introduce various measures including a fundamental right to privacy for Ontarians, safeguards for artificial intelligence (AI), protections for children, and a new consent regime among other policy tools.
Next steps and further considerations
Bill C-11 died on the order paper, but the bill provides a snapshot of the state of privacy reform discussions at the federal level. With a minority Liberal government now re-elected, it remains to be seen whether the government will revive its original bill or take the opportunity to redraft new privacy legislation. Regardless of how quickly a new bill arrives, any new legislation will seek to build on Bill C-11 – undoubtedly the starting point for the most significant reform of Canada’s privacy laws since PIPEDA was enacted in the year 2000. Any new bill is likely to significantly develop the powers of the OPC, strengthen enforcement measures, and develop new means of recourse for individuals and organizations affected by contraventions of privacy law in Canada.
Article provided by: Wendy Wagner (Gowling WLG, Canada)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)