On November 17, 2020, the Minister of Innovation Science and Industry, introduced Bill C-11, also known as the Digital Charter Implementation Act, 2020. If passed, it would repeal parts of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and replace them with a new legislative regime governing the collection, use, and disclosure of personal information for commercial activity in Canada. Bill C-11 is set to enact the Consumer Privacy Protection Act (“CPPA”) to maintain, modernize, and extend existing rules and to impose new rules on private sector organizations for the protection of personal information.
Under the CPPA, the consent regime is set to be reformed. While organizations will still need to obtain an individual’s valid express consent for the collection, use or disclosure of their personal information, the CPPA expands the number of exemptions that allow personal information to be collected and used without consent. These include business operations exceptions whereby an organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is: (1) made for a prescribed business activity (i.e. service delivery) under the CPPA; (2) such that a reasonable person would expect such a collection or use for that activity; and, (3) such that personal information is not collected or used for the purpose of influencing an individual’s behaviour or decisions. Moreover, the CPPA provides that if personal information is de-identified, it does not require an individual’s knowledge or consent.
Like PIPEDA, the CPPA will grant individuals the right to access and amend their personal information. What is noteworthy is that the CPPA will allow individuals to request that organizations delete their personal information, subject to whether the information is severable and whether there are legal retention obligations. The CPPA will also contain algorithmic transparency requirements for automated systems. Individuals would have the right to request that organizations explain how a prediction, recommendation or decision was made by an automated system and explain how the personal information was obtained.