What Marketers Need to Know about Bill C-11, An Update to Canada’s Federal Privacy Law

January 12th, 2021 | ACA Team

In November 2020, the federal government announced its intention to update our federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in effect since 2000. Thanks to PIPEDA, commercial organizations in Canada operate in one of only 12 countries deemed “adequate” under the EU’s General Data Protection Regulation (GDPR), but the law was not without its faults. It was beginning to show some age, particularly as big data projects began emerging, and so the government announced in 2019 an ambitious Digital Charter for Canada, to which this announcement in November is directly tied.

It is understandable if the average marketer missed the announcement amidst the more urgent and ongoing COVID-19 pandemic. To assist, this article will provide a baseline understanding of what’s in the Act and how it may impact your day-to-day marketing operations if it passes as it is currently written.

Background

On November 17, the Honourable Navdeep Bains, Minister of Innovation, Science and Industry (ISED), introduced the proposed Bill C-11, the Digital Charter Implementation Act, 2020. The Act will create the Consumer Privacy Protection Act (CPPA), which will modernize Canada’s existing private sector privacy law, and will also create the new Personal Information and Data Protection Tribunal Act, which will create the Personal Information and Data Tribunal. The Tribunal will be an entity that can impose administrative monetary penalties for privacy violations. In the government’s summary of the bill, they state, “with each of these steps, the government is building a Canada where citizens have confidence that their data is safe and privacy is respected, while unlocking innovation that promotes a strong economy.”

What’s in the Act

The new modernized framework for the protection of personal information in the private sector is summarized by the government as:

  • Increased control and transparency when Canadians’ personal information is handled by companies
  • Freedom to move information from one organization to another securely
  • Ensuring that when consent is withdrawn or information is no longer necessary, Canadians can demand that their information be destroyed
  • The strongest fines among G7 privacy laws; fines of up to 5% of revenue or $25 million, whichever is greater, for the most serious offences, and order-making powers for the Office of the Privacy Commissioner of Canada (OPC)
  • The ability to create OPC-approved voluntary accountability frameworks, through regulations; codes of practice and certifications

Digging Deeper

The contents of Bill C-11 will need to be considered by each organization very carefully.

Marketers should note that consent has been strengthened and reinforced; express consent is the default. This remains in place despite many prominent voices in the privacy sector emphasizing the need to move away from consent as the basis for data collection due to its impracticality and instead put greater focus on accountability measures.

Necessity and proportionality are given greater emphasis around data collection as well. Consider what data is necessary to share and what is not. The typical data-sharing partnerships you currently have with your martech partners will need to be fully understood and documented as to where data is going out of or coming into your organization.

Companies are required to also document the purposes for which personal information is being collected, used, and disclosed and to provide notices to consumers in plain language. That data can only be used for the purposes specified. It can be a laborious task if you are an organization that has not yet put much thought into the data handling practices happening within the marketing department or are relying solely on sending visitors to a long privacy policy to learn more about what you do.

Organizations must implement a privacy management program to fulfill obligations under the Act. Appropriate internal training must take place, and processes must be established for access requests and complaint handling.

Breach reporting is already mandatory under PIPEDA, but now a private right of action is established under which anyone affected by a breach can bring a claim for actual loss or harm, but only if the Commissioner or the Tribunal has made a finding of breach of the legislation, or the organization has been convicted of an offence. This new right of action may lead to class actions.

One of the more lauded areas of the bill is the recognition of codes of practice and certifications. These can potentially relieve the consent burden on consumers and provide “safe harbour”-type ecosystems for information sharing, interest-based advertising, de-identification, cybersecurity and more.

Further Insights

There are a lot of questions emerging as the dust begins to settle around the Act’s announcement. Some further insights can be found in a recent podcast hosted by Ottawa University law professor Michael Geist, which featured Minister Bains as a guest.

The Minister spoke about the intentions behind this new commercial-based privacy law, that the government wished to balance innovation with consumer rights. “In the data economy, privacy issues are now at play in nearly every commercial transaction by businesses both large and small.”

He spoke about data portability, saying it will benefit consumers by increasing competition, and gave an example about consumers being able to transfer data to new financial technology companies.

De-identified information is still deemed personal information subject to the Act, which has been seen as problematic by some privacy experts. When asked about this, the Minister stated that de-identified information “does not provide an organization carte blanche to do whatever it wants with that data”; it must be used in a manner that reasonably cannot lead to re-identification.

When talking about sanctions and due process by the Tribunal, he indicated that he wants the Office of the Privacy Commissioner to focus more on guidance and compliance and let the Tribunal focus more on adjudication.

Start Preparing Now

There is much more in the Act to absorb and consider. Engage early on with your in-house counsel, external counsel, compliance team, privacy committee – whomever you have at your organization to address privacy. Let them be your resource in understanding the impact of Bill C-11 on your organization’s marketing practices. Even though amendments may happen, this exercise will be incredibly helpful for organizations to do now, calmly and rationally, without the pressure of potential fines looming above.

In terms of what’s next in the legislative process to turn Bill C-11 into law, it is expected that the legislation will move to the Standing Committee on Access to Information, Privacy and Ethics (ETHI). Should the bill be adopted, there will be a 12- to 18-month period to allow the bill to come into force so that organizations have time to meet the new requirements, regulations can be developed, and the Tribunal can be established.

Until the bill passes, keep your team informed and engaged so that the weight of the Act, once enacted, will not be a total shock to your martech relationships.

ACA Actions

The ACA has formed a special task force composed of legal and privacy experts from across its member sectors. ACA members will be updated as developments unfold.