Understanding the Draft of the Consumer Privacy Protection Act and Artificial Intelligence and Data Act
Written by Sébastien Gittens, Stephen Burns and Ruth Promislow
On June 16, 2022, the Digital Charter Implementation Act, 2022 (DCIA) was introduced as Bill C-27. The DCIA will enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), the Artificial Intelligence and Data Act (AIDA), and make amendments to other related acts.
The CPPA will effectively replace the current federal legislative scheme governing the collection, use and disclosure of personal information by private sector organizations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
The PIDPTA will establish the new Personal Information and Data Protection Tribunal. It will have jurisdiction in respect of all appeals relating to various findings, orders or decisions made under the CPPA and in respect of the imposition of certain penalties under that Act.
The AIDA, on the other hand, will seek to regulate international and interprovincial trade and commerce in artificial intelligence systems by: establishing common requirements for the design, development and use of those systems; and prohibiting certain conduct in relation to such systems.
CPPA and PIDPTA
Despite the former federal Privacy Commissioner's concerns regarding the previous draft of the CPPA, the new draft of the CPPA is substantially similar to the previous draft. Just like the previous draft, the new version is built on the foundation of PIPEDA's 10 fair information principles, and proposes a number of material changes to PIPEDA, including the following:
Application: The CPPA will continue to apply in respect of personal information that:
- is collected, used or disclosed in the course of commercial activities by an organization, including such activities that occur inter-provincially or internationally; or
- is about an employee of, or an applicant for employment with, an organization involved in the operation of a federal work, undertaking or business.
There are provinces with private sector privacy or health legislation that have been deemed substantially similar to PIPEDA and, as a result, PIPEDA does not apply in respect of such privacy or health information activities within such provinces. Given the changes in the CPPA, the question remains: will such substantial similarity orders continue to apply in respect of such provincial legislation?
As a result, should the existing substantial similarity orders not continue to apply, then organizations in British Columbia, Alberta and Quebec for personal information, and Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia for health information, may need to comply with both the provincial and federal legislation in respect of those activities.
Appropriate Purpose: Consistent with PIPEDA's 10 fair information principles, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. In the draft, the CPPA also includes specific factors an organization must consider in determining whether such purposes are appropriate, including, for example, the sensitivity of the personal information, and whether the purposes represent legitimate business needs of the organization.
Accountability: Consistent with PIPEDA's 10 fair information principles, an organization is accountable for personal information under its control. In the draft, the CPPA also includes specific guidance on when an organization "controls" personal information: namely, control arises when an organization decides to collect personal information and determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.
Obligation to Implement Privacy Management Program: Expanding on the obligation to have policies and practices to give effect to PIPEDA, organizations will now be required to implement and maintain a "privacy management program" that includes the organization's policies, practices and procedures put in place to fulfil its obligations under the CPPA.
Record Purpose for Collection: Consistent with PIPEDA's 10 fair information principles, an organization must determine at or before the time of collection each of the purposes for which the personal information is to be collected, used or disclosed. Under the CPPA, it must also record those purposes.
Record New Purpose: Consistent with PIPEDA's 10 fair information principles, an organization must not use or disclose personal information for a new purpose unless the organization obtains valid consent before any use or disclosure for that new purpose. Under the CPPA, it must also record those purposes.
Consent: Consistent with PIPEDA's 10 fair information principles, the individual's consent (express, deemed or implied) must be obtained at or before the time of collection. In the draft, the CPPA also includes specific guidance on the requirements for consent to be valid. Specifically, an organization must provide the following information in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand:
- the purposes for the collection, use or disclosure of the personal information;
- the way in which the personal information is collected, used and disclosed;
- the reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the types of personal information that are to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.
Exception for Business Activities: Consistent with PIPEDA's 10 fair information principles, there are exceptions under the draft CPPA that permit collection, use or disclosure of personal information without the knowledge or consent of the individual. In the draft, the CPPA also includes an exemption for a "business activity", where a reasonable person would expect such a collection or use of personal information for that activity, which is defined to include:
- an activity that is necessary to provide a product or service that the individual has requested from the organization;
- an activity that is necessary for the organization’s information, system or network security;
- an activity that is necessary for the safety of a product or service that the organization provides; and
- any other prescribed activity.
In addition, an organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use and:
- a reasonable person would expect the collection or use for such an activity; and
- the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
To do so, the organization must:
- identify any potential adverse effect on the individual that is likely to result from the collection or use;
- identify and take reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them;
- comply with any prescribed requirements; and
- record its assessment of how it meets the foregoing conditions.
Right to Disposal: Consistent with PIPEDA's 10 fair information principles, personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. In the draft, the CPPA also provides that organizations must, subject to certain limitations, dispose of personal information upon request by the individual if:
- the information was collected, used or disclosed in contravention of this Act;
- the individual has withdrawn their consent, in whole or in part, to the collection, use or disclosure of the information; or
- the information is no longer necessary for the continued provision of a product or service requested by the individual.
It should be noted, however, that an organization may, in certain circumstances, refuse a request to dispose of personal information if:
- disposing of the information would result in the disposal of personal information about another individual and the information is not severable;
- there are other requirements of the CPPA, of federal or provincial law or of the reasonable terms of a contract that prevent it from disposing of the information;
- the information is necessary for the establishment of a legal defence or in the exercise of other legal remedies by the organization;
- the information is not in relation to a minor and the disposal of the information would have an undue adverse impact on the accuracy or integrity of information that is necessary to the ongoing provision of a product or service to the individual in question;
- the request is vexatious or made in bad faith; or
- the information is not in relation to a minor and it is scheduled to be disposed of in accordance with the organization’s information retention policy, and the organization informs the individual of the remaining period of time for which the information will be retained.
Safeguards: Consistent with PIPEDA's 10 fair information principles, an organization must protect personal information through physical, organizational and technological security safeguards that are proportionate to the sensitivity of the information. In the draft, the CPPA also provides that, in addition to considering the sensitivity of the personal information, an organization must take into account the quantity, distribution, format and method of storage of the information in establishing its security safeguards. Of note: the security safeguards must now include reasonable measures to authenticate the identity of the individual to whom the personal information relates.
Transfers to Service Providers: In the draft, the CPPA clarifies that an organization may transfer personal information to a service provider without the knowledge or consent of the individual, provided that the organization ensures, by contract or otherwise, that the service provider provides a level of protection of the personal information equivalent to that which the organization is required to provide under the CPPA.
Service Provider Obligations: Consistent with PIPEDA's 10 fair information principles, if an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection for the personal information as that which the organization is required to provide under the CPPA. In the draft, the CPPA also clarifies that: (i) service providers are directly responsible under the CPPA for protecting personal information through physical, organizational and technological safeguards; and (ii) if a service provider determines that a breach of security safeguards has occurred that involves personal information, it must notify the organization that controls the personal information as soon as feasible.
Prospective Business Transactions: Consistent with PIPEDA's business transactions exemption, the CPPA includes an exemption for certain business transactions. Unlike PIPEDA, the CPPA also provides that, absent valid consent, an organization can only provide de-identified information to a potential counterparty in connection with a prospective business transaction—unless doing so would undermine the objectives for carrying out the transaction and the organization has taken into account the risk of harm to the individual that could result from using or disclosing the information. This marks a material shift from the existing legislation that permits personal information to be disclosed to a prospective purchaser without knowledge or consent of the individuals.
Automated Decision System: New to the federal private sector privacy regime, the draft CPPA provides that if the organization has used an automated decision system to make a prediction, recommendation or decision about the individual that could have a significant impact on them, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision that indicates the type of personal information that was used to make the prediction, recommendation or decision, the source of the information and the reasons or principal factors that led to the prediction, recommendation or decision.
De-Identified and Anonymized Information: New to the federal private sector privacy regime, the draft CPPA addresses the collection, use and disclosure of "de-identified information" in certain circumstances:
- for example, an organization may use an individual's personal information without their knowledge or consent to de-identify the information; and
- an organization may use an individual's personal information without their knowledge or consent for the organization's internal research, analysis and development purposes, if the information is de-identified before it is used.
It should be noted, however, that for the purposes of various sections under the draft CPPA, personal information that has been de-identified is considered to be personal information.
"De-identify" is defined as the process of ensuring that information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual. The current drafting of the Act is unclear regarding the extent to which the Act will be relied on to regulate the use and disclosure of de-identified information.
The draft CPPA also makes clear that it does not apply in respect of personal information that has been anonymized (i.e., personal information that has been irreversibly and permanently modified, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means).
Access by Privacy Commissioner: Expanding on the powers of the Privacy Commissioner under PIPEDA, under the draft CPPA, on request of the Privacy Commissioner, an organization must provide the Commissioner with access to the policies, practices and procedures that are included in the organization's privacy management program. While the draft CPPA provides that the Privacy Commissioner may not use the information obtained by way of this access right as a basis to initiate a complaint or audit, it is difficult to see how the Privacy Commissioner can separate what is learned from this access from what the Commissioner considers to be "reasonable grounds" for initiating a complaint or audit.
Commissioner's Powers: While the Privacy Commissioner has only limited enforcement powers under PIPEDA, under the draft CPPA, this will no longer be the case:
- When carrying out an investigation of a complaint, conducting an inquiry or carrying out an audit, the Privacy Commissioner may, among other things, make any interim order that the Commissioner considers appropriate.
- After investigating a complaint (either initiated by a complainant or the Privacy Commissioner), the Privacy Commissioner may conduct an inquiry and render a decision and order the organization to take specific steps, cease taking any particular action (such as collecting information), and recommend that the Tribunal impose a penalty in respect of certain contraventions (as detailed below).
- While there is a right of appeal to the Tribunal from the decision of the Privacy Commissioner, the Tribunal will only substitute its own finding of fact for that of the Privacy Commissioner on a palpable and overriding error standard. In effect, this standard means that the Tribunal will defer to findings of fact by the Privacy Commissioner.
- A service provider may be the subject of a complaint, investigation and inquiry to the extent the service provider failed to comply with its obligations under the Act.
The Tribunal: The new Personal Information and Data Protection Tribunal will be established under the draft PIDPTA. The Tribunal will have jurisdiction in respect of all appeals relating to various findings, orders or decisions made under the CPPA and in respect of the imposition of certain penalties under that Act. Any decision of the Tribunal may, for the purposes of its enforcement, be made an order of the Federal Court or of any superior court and is enforceable in the same manner as an order of the court.
Penalties for Non-Compliance: While the penalty provisions are limited under PIPEDA, under the draft CPPA, the Privacy Commissioner may recommend to the Tribunal that a penalty for contravention of the various obligations in the CPPA be imposed on the organization. The maximum penalty is the higher of $10 million or 3 percent of gross global revenue.
- A penalty may be recommended for contravention of the provisions regarding valid consent, the obligation to dispose of personal information when it is no longer required, the requirement to dispose of personal information upon request, and the obligation to implement appropriate safeguards.
- Service providers may be subject to this penalty if the Privacy Commissioner finds that they failed to comply with the obligation to implement security safeguards.
Penalties for Knowing Contravention: While the penalty provisions are limited under PIPEDA, under the draft CPPA, every organization that knowingly contravenes one of the following obligations is guilty of an indictable offence and is liable to a fine not exceeding the higher of $25 million or 5 percent of gross global revenue:
- report breach of security safeguards giving rise to a real risk of significant harm;
- notify impacted individuals of such a breach;
- maintain a breach record;
- retain personal information that is the subject of a request;
- do not use de-identified information alone or in combination with other information to identify an individual, except in order to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information;
- do not penalize whistleblowers; or
- comply with a compliance order issued by the Privacy Commissioner.
Private Right of Action: Building upon the private right of action under PIPEDA, the draft CPPA also establishes a cause of action for loss or injury arising from an organization's contravention of its obligations under the legislation. The CPPA extends the limitation period to two years after the day on which the individual (who is affected by an act or omission by an organization that constitutes a contravention of the CPPA) becomes aware of:
- the relevant decision of the Privacy Commissioner (or in the event of an appeal, of the Tribunal's decision), with respect to such act or omission; or
- a conviction under the indictable offence section.
The private right of action may extend to service providers to the extent there is a finding that they failed to comply with their obligations under the CPPA.
AIDA
Intended to regulate international and interprovincial trade and commerce in artificial intelligence systems, the draft AIDA introduces various obligations on organizations using artificial intelligence. The following is a summary of some of the material obligations in this proposed legislation.
Establishing Measures: The draft AIDA requires that anyone who carries out a "regulated activity" and who processes or makes available for use anonymized data in the course of that activity must establish measures with respect to:
- the manner in which data is anonymized; and
- the use or management of anonymized data.
In this context, a "regulated activity" means any of the following activities carried out in the course of international or interprovincial trade and commerce:
- processing or making available for use any data relating to human activities for the purpose of designing, developing or using an artificial intelligence system;
- designing, developing or making available for use an artificial intelligence system or managing its operations.
High-Impact Systems: A person who is responsible for an artificial intelligence system must assess whether it is a "high-impact system" (i.e., an artificial intelligence system that meets the applicable criteria set out in the regulations), and if so:
- establish measures to identify, assess and mitigate the risks of harm or biased output that could result from the use of the system;
- establish measures to monitor compliance with the mitigation measures they are required to establish under the AIDA and the effectiveness of those mitigation measures; and
- notify the Minister if the use of the system results or is likely to result in material harm.
Publication of Description: Organizations that make available for use a high-impact system must publish on a publicly available website a plain-language description of the system that includes an explanation of:
- how the system is intended to be used;
- the types of content that it is intended to generate and the decisions, recommendations or predictions that it is intended to make;
- the mitigation measures established under the AIDA in respect of it; and
- any other information that may be prescribed by regulation.
On the other hand, organizations that manage the operation of a high-impact system must publish on a publicly available website a plain-language description of the system that includes an explanation of:
- how the system is used;
- the types of content that it generates and the decisions, recommendations or predictions that it makes;
- the mitigation measures established under AIDA in respect of it; and
- any other information that may be prescribed by regulation.
Record Keeping: The draft AIDA establishes various record-keeping obligations with respect to organizations that carry out any regulated activities.
Penalties for Non-Compliance: A contravention of the AIDA may result in significant consequences: a fine of not more than the greater of $10,000,000 and 3 percent of gross global revenues.
Artificial Intelligence and Data Commissioner: A senior official may be appointed as the Artificial Intelligence and Data Commissioner, whose role will be to assist the Minister in the administration and enforcement of the AIDA.
If enacted as currently drafted, we anticipate that the CPPA and AIDA will have a substantial impact on the extent of regulatory scrutiny of organizations with respect to their privacy practices and their use of artificial intelligence. As a result, organizations will likely need to undertake a comprehensive review of how they conduct business across Canada and how they manage their privacy practices, policies and procedures, as well as their AI systems.
The Bennett Jones Privacy & Data Protection group is available to discuss how the changes may affect an organization's privacy obligations.