Brief overview of potential changes to PIPEDA

Claire Mazzini

Avocate

Privacy has been on a lot of people’s minds in the past few years, with new or amended legislation being studied and enacted across the globe (on what seems like a monthly basis), creating a quasi-infinite number of changes to write, talk and debate about. In Quebec, recent focus has been on Bill 64: An Act to modernize legislative provisions as regards the protection of personal information (now Law 25), but the Government of Canada has also been looking to review its privacy legislation.

BACKGROUND The Personal Information Protection and Electronic Documents Act (PIPEDA) was assented in 2000 and “applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.”¹ PIPEDA does not apply to provinces that have their own legislation, if they are deemed substantially similar; today, this applies to privacy laws in Alberta, British Columbia and Quebec. In a December 2001 decision, the European Commission recognized that PIPEDA “provides adequate protection for certain personal data transferred from the EU to Canada.”² This adequacy decision “ensures that data processed in accordance with the GDPR can be subsequently transferred from the EU to Canada without requiring additional data protection safeguards (for example, standard contractual rules) or authorization to transfer the data.”³ It is safe to say that the European Union’s General Data Protection Regulation (GDPR), applicable since May 2018, was a turning point for privacy laws. Under section 45 of the GDPR, adequacy decisions are subject to periodic review by the European Commission at least every four years, and the Commission can repeal, amend or suspend a decision. PIPEDA, last amended in 2019, has been under the microscope and a potential review of the adequacy decision by the European Commission can only increase the pressure to modernize the law. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (or the Digital Charter Implementation Act), was introduced in June 2022⁴. Sponsored by the Minister of Innovation, Science and Industry, Bill C-27 is currently at its second reading in the House of Commons and would notably replace PIPEDA. BILL C-27: CONSUMER PRIVACY PROTECTION ACT (CPPA) The CPPA aims to be a stronger and more modern version of PIPEDA, including by:

increasing control and transparency when Canadians’ personal information is handled by organizations;
giving Canadians the freedom to move their information from one organization to another in a secure manner;
ensuring that Canadians can request that their information be disposed of when it is no longer needed;
establishing stronger protections for minors, including by limiting organizations’ right to collect or use information on minors and holding organizations to a higher standard when handling minors’ information;
providing the Privacy Commissioner of Canada with broad order-making powers, including the ability to order a company to stop collecting data or using personal information; and
establishing significant fines for non-compliant organizations—with fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences.”⁵

Interesting are the potential changes to the concept of personal information. Defined under section 2(1) of PIPEDA as “information about an identifiable individual”, it has been examined by Federal Courts and the subject of an Interpretation Bulleting by the Privacy Commissioner of Canada⁶. The CPPA would keep the definition of personal information under PIPEDA but introduce under its section 2(1) the concepts of de-identified data and anonymized data. While this approach may seem reminiscent of the concepts of personal data, pseudonymized data and anonymized data put forward under the GDPR, the impact of these two additional concepts under the CPPA is still to be determined.

BILL C-27: PERSONAL INFORMATION AND DATA PROTECTION TRIBUNAL ACT
Sections 4 and 5 of the Personal Information and Data Protection Tribunal Act establish a tribunal with a limited jurisdiction to⁷:

Hear appeals made by complainants or organizations that are affected by certain findings, orders or decisions identified under sections 101 or 102 of the CPPA; and
Impose penalties on organizations when the conditions set out in section 95 of the CPPA are met.

Under section 94 of the CPPA, the Privacy Commissioner of Canada could decide to make recommendations to the tribunal about the imposition of penalties on an organization, where the Commissioner has found such organization to have contravened to certain provisions of the CPPA.