Bill C-11 and Personal Information: The Federal Government Begins its Reform Process

2020-11-23

Vanessa Deschênes and Elisabeth Lesage-Bigras[1]
ROBIC, LLP
Lawyers, Patent and Trademark Agents

On November 17, the Federal Government put forth Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (“Bill C-11”). A much-anticipated and major reform of the federal legislation on personal information (“PI”), Bill C-11 appears to be a step towards a tough regime combining both the European trend of the General Data Protection Regulation (“GDPR”)[2] and the California Consumer Privacy Act[3].

As is the case in the previous version of the Act, Bill C-11 is principles-based and attempts to balance the rights of individuals with the need for organizations to collect and use data. It should be noted that, compared to the Quebec bill (“Bill 64”)[4], Bill C-11 is much less prescriptive in many respects.

But what are the main changes? While the present article is only intended as an overview, we will publish, in the upcoming days and weeks, a complete series of articles analysing this reform’s future implications in greater depth.

1. IMPORTANT CHANGES

a. New Rights for Users

As was the case in Bill 64, Bill C-11 grants users a new series of rights, including the right to mobility of their PI (Article 72, Bill C-11), as well as the right to request the withdrawal of their PI (Article 55, Bill C-11). These are reminiscent of the European right to data portability and right to be forgotten.

More notably, Bill C-11 introduces a new private right of action (Article 106, Bill C-11) and thus recognizes that an individual who suffers the effects of a violation of the Act may sue the company at fault for damages.

b. Concept of Control and Service Providers

In addition, Bill C-11 substantially clarifies the concept of “control”. According to section 7(2) of Bill C-11, PI is under an organization’s control when that organization decides not only the manner of collection, but also the purpose or purposes for which the PI is collected, used or disclosed, even if a service provider does so on its behalf.

Therefore, Bill C-11 resolves the uncertainties surrounding the use of service providers by drawing inspiration from the European approach under the GDPR. That is, under section 11 of Bill C-11, organizations must ensure that service providers provide equivalent protection for the PI transferred to them; service providers, for their part, are not otherwise subject to most of the other obligations of Bill C-11 with respect to that PI, except for security measures and notification of the client organization in the event of a breach, as long as they do not have “control” of the PI.

c. Privacy Management Program, Code of Practice and Certification Programs

Another significant change is that section 9 of Bill C-11 requires organizations to adopt a PI protection management program. At the same time, organizations will also be able to have codes of practice or certification programs approved by the Privacy Commissioner of Canada (“Commissioner”) upon request, under sections 76 and 77 of Bill C-11.

Regarding the implementation of a PI protection management program, we invite you to read our article written in the context of the Quebec bill: “Being compliant is good, but being able to demonstrate it is even better!: A look at Bill 64 and the concept of privacy management program”.

d. Concept of Acceptable Means

In an interesting addition, section 12 of Bill C-11, specifically subsection 12(2), introduces a list of factors for assessing whether an organization’s collection, use and disclosure of PI is acceptable. This list includes, but is not limited to, the sensitivity of the PI, the organization’s legitimate business needs, and the availability of alternative means.

It should be noted that the French version of Bill C-11 sometimes uses the term “nature délicate” or “sensibilité” of PI, suggesting that a distinction may exist. However, in analyzing the English version, we find that the term “sensitivity” is used instead, thus removing any doubt that a distinction between these terms exists.

e. New Flexibility in Consent Requirements

Surprisingly, Bill C-11 reinforces the notion of consent by stating, in paragraph 4 of the new section 15, that consent “must be expressly obtained”, making implied consent an exception. However, the Commissioner himself, during the specific consultations on Bill 64, noted that “the protection of personal information cannot solely be based on consent”.

That may be why, as in Europe, the legislator appears to want to introduce a certain flexibility into the notion of consent (Article 15, Bill C-11) by reducing the number of situations in which it must be requested. This would mitigate the risk of “consent fatigue”, which several experts pointed out during the specific consultations on Bill 64. Indeed, unlike the current regime, Bill C-11 provides a comprehensive set of exceptions to obtaining consent. These include, for instance, business activities (s. 18, Bill C-11), transfer of PI to service providers (s. 19, Bill C-11), research and development (s. 20, Bill C-11) and depersonalization of PI (s. 20, Bill C-11), among others.

f. Automated Decisions and Right to Information

As in Bill 64 and under the European regime, the federal legislator included in Bill C-11 a specific provision, article 63 of Bill C-11, on automated decision-making systems. This section allows users who have been the subject of such a decision to ask the organization not only for an explanation of the decision, but also for information on the source of the PI that was used to make it (art. 63(3), Bill C-11). The legislator thus remains consistent with its approach to artificial intelligence in recent years, as illustrated by the Artificial Intelligence Guidelines and the Directive on Automated Decision-Making.

g. Enhanced Powers of the Commissioner and New Tribunal

Finally, as repeatedly requested by the federal Commissioner himself, the Commissioner will be given new powers to issue orders (s. 92, Bill C-11). In addition, a new tribunal will be created: the Personal Information and Data Protection Tribunal. It will be the responsibility of this tribunal, on the recommendation of the Commissioner, to impose the new fines and penalties, which, depending on the severity of the offence, may range from 3 to 5% of the company’s gross revenue or from 10 to 25 million Canadian dollars, according to sections 93, 94 and 125 of Bill C-11.

2. CONCLUSION

As we pointed out in our comments on the Quebec bill, the scope of the current reforms to the protection of PI, of which the federal legislation is no exception, will require many changes within organizations that are not already up to speed with, for instance, the GDPR. In addition, at the present time, several new provisions, such as the right to data mobility, remain to be specified by regulation, and we know that the devil is often in the details.

Additionally, several questions remain. For instance, what will happen to the equivalency status of provincial legislation? This is a particularly topical issue in Quebec with the new Bill 64. It will be important to monitor not only the evolution of these two bills, but also what is currently being done in other Canadian provinces such as Ontario, Alberta and British Columbia, to see how these laws will be harmonized in the future.