In June 2020, Québec became the first Canadian province to propose a major privacy reform when the government introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which modifies Québec’s private and public-sector privacy statutes. The Canadian government followed on November 17 with the introduction of Bill C-11, An Act to Enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts. Bill C-11 would modernize the federal private-sector privacy regime, by replacing the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) with the Consumer Privacy Protection Act (CPPA).
The two bills are long and complex pieces of legislation and this article is not a comprehensive review.1 Rather, it highlights certain key differences between the proposed CPPA and Bill 64’s proposed amendments to Québec’s Act Respecting the Protection of Personal Information in the Private Sector (ARPPIPS), focusing on the following topics: the enforcement regime, cross-border transfer restrictions, consent and individual rights.
ENFORCEMENT: A DIFFERENT APPROACH TO PENALTIES AND PRIVATE RIGHT OF ACTION
Risks of non-compliance would increase significantly as both bills introduce large penalties: $10,000,000 or, if greater, the amount corresponding to a percentage of the organization’s global gross revenues in its previous year — 3% for Bill C-11 and 2% for Bill 64 (CPPA, s. 94 and proposed ARPPIPS, s. 90.12). The most egregious violations would constitute an offence punishable with higher fines in the case of conviction (CPPA, s. 125 and proposed ARPPIPS, s. 91).
However, the process for imposing these fines differs. Like the European General Data Protection Regulation (GDPR), Québec’s Bill 64 would give the Commission d’accès à l’information (CAI) the ability to directly impose administrative monetary penalties (s. 90.2). Bill C-11 does not empower the Office of the Privacy Commissioner of Canada (OPC) to impose penalties directly. It would only be able to recommend that the newly created Personal Information and Data Protection Tribunal (Tribunal) impose penalties (s. 93). Further, organizations would have a due diligence defence under the federal statute (s. 94(3)), but not under Bill 64.
Both bills provide for a new private right of action (PRA). The Québec bill would allow individuals to seek compensation for the unlawful infringement of a right conferred by the statute or the privacy articles of the Civil Code of Québec (s. 93.1). The PRA is not as broad under Bill C-11. Any individual (not only the complainant) affected by a CPPA contravention would have a cause of action against the organization, but only if: (i) the OPC or the Tribunal finds that the organization has contravened the CPPA, or (ii) the organization is found guilty of an offence (s. 106). Despite its narrower scope, Bill C-11’s PRA could lead to a spike in class actions, especially in provinces that do not have a statutory or common law privacy tort. We can expect organizations to seek appeals and judicial reviews when the OPC or Tribunal concludes that a contravention has occurred, in order to avoid or delay private claims, including class actions.
CROSS-BORDER TRANSFERS
Restrictions on cross-border transfers of personal information can cause significant challenges for businesses. Bill 64 and Bill C-11 regulate these transfers in radically different manners.
Bill 64 seems to take inspiration from the GDPR. It requires organizations to perform a privacy impact assessment (PIA) prior to transferring personal information outside of Québec to assess whether the information will receive a level of protection equivalent to the one granted under Québec law (s. 17). The PIA would have to take into account the sensitivity of the information and the purposes for which it will be used and the protection measures that would apply. Perhaps more importantly, it would also need to consider “the legal framework applicable in the State in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec.” If, following this PIA, the organization concludes that the foreign legislation is not equivalent, it must not communicate the personal information. The bill also requires the government to publish a list of States whose legal framework governing personal information is equivalent to the Québec framework (s. 17.1). Many stakeholders have criticized this provision during the consultation hearings, since it would create a great burden on businesses operating in Québec.
Bill C-11 takes a much more liberal approach: organizations would only have a transparency obligation. They would need to make available details as to whether or not the organization carries on any international or interprovincial transfer or disclosure of personal information, but only to the extent such transfer or disclosure may have reasonably foreseeable privacy implications (s. 62(2)(d)). It is not really clear at this stage how the “foreseeable privacy implications” concept translates into practice.
CONSENT
Despite calls to draw inspiration from the GDPR and adopt alternative legal bases, consent remains at the centre of both proposals. The two bills aim to reinforce consent and make it more meaningful. For instance, under the CPPA, an organization would have to provide specific information in plain language in order to obtain valid consent (s. 15(3)). The Québec bill requires that consent be given for specific purposes and requested for each purpose, in clear and simple language and separately from any other information provided to the person concerned (s. 14).
A major difference between the two bills is the CPPA’s new exception allowing organizations to collect and use personal information without consent for specified “legitimate business activities” (e.g., activities necessary to provide a product or necessary for the organization’s information, system or network security). The exception would apply if a reasonable person would expect such a collection or use for the specified business activity, and if the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions (s. 18). Organizations have welcomed this proposal to grant them more flexibility for routine commercial activities that involve fewer privacy risks for individuals.
INDIVIDUAL RIGHTS…