Proposed Consumer Privacy Protection Act (CPPA): 5 Privacy Lawyer Musings
Published:
December 15, 2023
Author(s):
Over four years after it began, the federal government still hasn’t finalized its overhaul of the private sector privacy law regime that both protects individuals’ personal information and regulates organizations’ privacy practices. It’s most recent effort, Bill C-27: Digital Charter Implementation Act, 2022, which will implement the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA), remains under Committee consideration. It remains to be seen when (probably in 2024) the new CPPA will take effect. And it remains to be seen what, if any, changes to the CPPA as drafted could emerge from the committee’s considerations.
The broad consensus is that PIPEDA is in need of a general overhaul. But overall, PIPEDA actually works pretty well: it’s technologically neutral and based on workable principles now baked into the proposed CPPA in more statutory language. While the Office of the Privacy Commissioner has barely exhausted its existing authorities in the 23 years during which PIPEDA has has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada, the most significant change under the CPPA will be entirely new enforcement powers. That said, if the plan is to completely replace rather than update PIPEDA again, here are five musings on how to improve the proposed CPPA.
1. Change the Name
Words matter. The name of the new statute doesn’t accurately reflect what it would cover. Calling it the “Consumer Privacy Protection Act” implies that only Canadian consumers will enjoy its protection. But this isn’t the case: the law also covers employees of federal works, undertakings and businesses. And if lawmakers are wed to the “CPPA” abbreviation, “Canadian Privacy Protection Act” works.
2. Take Some Hats Off the Privacy Commissioner’s Head
The proposed CPPA significantly increases the penalties for contraventions. And it significantly enlarges the role and powers of the Privacy Commissioner of Canada. There is an emerging consensus that order-making powers and penalties to enforce the CPPA are desirable. But a shift to a punitive system requires a commensurate shift to increased procedural fairness. As the CPPA is drafted, the federal Privacy Commissioner of Canada wears a lot of hats – all at the same time: privacy advocate, privacy educator, privacy police, privacy judge and privacy executioner. On its face, this raises questions of bias and engages procedural fairness principles. An independent, arm’s length body (such as the Federal Court or the new Personal Information and Data Protection Tribunal) ought to make the final decision, based the evidence the Commissioner puts before it as a prosecutor would, alleging the CPPA has been violated. The Commissioner can recommend a remedy or penalty (just as police and prosecution currently do in criminal cases), but an independent arm’s length body ought to make the final decision whether the statute has been violated and what penalty, if any, is warranted. As currently crafted, resort to the Tribunal amounts to an appeal of the Commissioner’s decision, which places the onus on the organization to rebut a decision of an entity that is also the investigator and prosecutor.
The Federal Court of Canada’s April 2023 decision in Privacy Commissioner of Canada v. Facebook Inc. illustrates the point. After investigation of a complaint, the Commissioner concluded Facebook breached PIPEDA by sharing its users’ personal information with Cambridge Analytica via their third-party application hosted on the Facebook Platform, which then sold Facebook user data. The Commissioner concluded this violated PIPEDA and applied to the Federal Court for an order declaring Facebook contravened PIPEDA. But the Federal Court of Canada refused to issue the order:
Lack of Meaningful Consent. The Commissioner argued Facebook didn’t obtain users’ “meaningful consent” to share their information. The Court disagreed, concluding an organization like Facebook can rely on third-party consent though it must take reasonable steps to ensure the third-party obtains meaningful consent. The Commissioner, however, failed to prove Facebook did not obtain adequate consent.
Safeguarding User Information. The Commissioner argued Facebook failed to adequately safeguard user information in contravention of PIPEDA. Again, the Court disagreed, concluding Facebook’s safeguarding obligations end once a user authorizes Facebook to disclose information to a third-party App.
The Court was clear it owed the Commissioner’s findings no deference – but if the CPPA as drafted is passed, the Commissioner will cease to be an “ombudsman” and his findings will only be subject to limited review by the tribunal or the courts.
3. Make Childrens’ Privacy Protection More Effective
Most would agree the protection of children’s privacy is laudable and warranted. But the proposed CPPA’s efforts to protect children’s privacy will be very difficult to operationalize – and thus less effective.
Define It. The CPPA doesn’t define a “minor” (for example, as anyone under the age of 18). Without a definition in the CPPA, a ‘minor’ will be defined based on provincial and territorial legislation. This means different ages in different provinces and territories, practically unworkable for organizations that operate across Canada, and more difficult for organizations to comply. And it means some ‘children’ will be protected – but others of the same age in a different jurisdiction won’t.
Make Presumptions. Including key presumptions would make the CPPA more workable:
- A presumption that anyone over a set age (for example, 16) has the exclusive capacity to make their own decisions respecting their personal information – and that anyone under a set age (for example, 13) lacks that capacity and their parents are presumed to be the decision-makers on their behalf.
- With respect to services targeting the general public and not kids, a presumption that the users of those services are adults unless the organization has information indicating otherwise. Getting into age verification across the board is very problematic.
4. Streamline the Private Right of Action
The proposed CPPA creates a new privacy breach legal claim. But while PIPEDA limits any action to recover compensation for a privacy violation to the Federal Court, the CPPA allows aggrieved individuals to sue in the Federal Court and in the superior court of a province or territory. And it allows any individual “affected” by a violation to sue. These might be good for claimants – but it’s bad for judicial efficiency and unfair to organizations alleged to have violated privacy: it’s likely to lead to multiple, simultaneous, redundant claims across the country, exhausting already strained judicial resources; and organizations will be forced to expend the time and cost to defend multiple claims for the same alleged wrong, an unfair effect. The private right of action ought to be limited to proceedings in the Federal Court: it’s a federal law applicable across Canada, and the Federal Court is best positioned to ensure consistent decisions across the country.
5. Align “Legitimate Purposes”
The proposed CPPA imports the notion of “legitimate purposes” for processing personal information. The intent is to align the CPPA with the European General Data Protection Regulation (GDPR) – but key differences in terminology and application mean it’s not interoperable. In the CPPA, “legitimate purposes” is an exception to the requirement to obtain consent; but in the GDPR it’s a standalone legal basis for processing personal data. The CPPA should be fully harmonized with the GDPR so Canadian organizations operating internationally and European organizations doing business in Canada have the benefit of one set of consistent rules.
Furthermore, sections 18(1)(b) and 18(3)(c) of the proposed CPPA permitting the use of the legitimate interest exception only where “the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions” aren’t necessary. First, just what does this mean? For example, is a newspaper trying to influence your behaviour or decisions when it suggests articles you might be interested in? There’s no risk here that needs mitigating. And second, section 18(3) already addresses any harm associated with behaviour-influencing by limiting an organization’s use of this exception to where it “has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use.”
Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss how the new CPPA will affect your business.
Related Lawyers
Related Services
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2023. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.
