Canada’s Federal Government Proposes Changes to Privacy Act
On June 16, 2022, the government of Canada tabled a bill that would make significant changes to privacy laws impacting employers in the federal jurisdiction. The new legislation, the Digital Charter Implementation Act (Bill C-27) would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and would create three pieces of legislation in its place, the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA).
Consumer Privacy and Protection Act (CPPA)
The legal framework of the CPPA is designed around the familiar concept of consent. As under PIPEDA, employers would be required to obtain consent for the collection, use, and disclosure of personal information except in limited circumstances. In terms of an employment relationship, the bill would only apply to employers in federal industries (examples of which include transportation, radio, and banks), and most obligations for employers would remain much the same as under PIPEDA.
The major change worth noting would be the ability for individuals, including employees of federal organizations, to request that their personal information be deleted, effectively withdrawing consent where the data is not strictly needed. The CPPA outlines the process of requesting deletion of information, and establishes timelines for response and processes for denials and appeals. The bill also specifies practices to be followed regarding sharing personal information with service providers. Namely, employers would be able to share data with service providers without separate consent, but the onus would be on the collector of private data to ensure that the service provider operates with the same diligence and notifies the organization in the case of any breaches.
Also of note, the CPPA would require organizations to implement a privacy management program that must consider the volume and sensitivity of the personal information under their control.
The bill would exempt business activities and those purposes that are consistent with employment activities when the information retained is from an employee or potential employee. The CPPA would also include a “legitimate interest” exception, meaning that an organization may use and disclose personal data (including providing information to the government and law enforcement) without an individual’s consent or knowledge if the organization or broader public has an interest that outweighs the infringement to the individual.
The CPPA would create a stricter standard for the personal data of minors. Under the bill, any federal employer with employees under the age of majority would need to consider any personal information from these individuals as sensitive information without exception.
An important addition under the CPPA is the differentiation between anonymous and de-identified data as types of nonpersonal information. Under the CPPA, organizations may freely share anonymous data, which may be a useful tool for employers that need information about employees, without the need to associate the data with individuals. The CPPA considers information de-identified if it could pose a risk of identification even when identifiers have been removed or scrubbed. This type of information would still be subject to all the protections of the CPPA.
Personal Information and Data Protection Tribunal Act (PIDPTA)
Enforcement of the regulations set out by the CPPA would fall in the hands of the tribunal created by the PIDPTA. The tribunal may impose fines of up to $10 million or 3 percent of an organization’s gross global revenue for breaching the CPPA. Individuals would also have a separate right of action under the act.
The tribunal created would also review orders and recommendations from the federal privacy commissioner.
Artificial Intelligence and Data Act (AIDA)
The AIDA would regulate the processing of data related to human activities by artificial intelligence systems that have a full or partial level of autonomy. The AIDA is meant to prevent the propagation of biases based on human rights protected grounds.
In practice, the AIDA would demand that organizations publish descriptions and uses of artificial intelligence software. Violations could result in fines up to $25 million or 5 percent of global revenue. There are also penalties for individual offenders ($100,000 or five years imprisonment).
What the New Privacy Laws Could Mean for Employers
In anticipation of Bill C-27 taking effect, employers may want to review existing policies and practices to determine what revisions will be needed to address the new regulatory framework. In particular, federally regulated employers may want to ensure the exceptions under the legislation applied if possible. The bill provides for several different types of exceptions to the general consent requirement, notably for business operations. Generally, employers would be allowed to collect or use employees’ personal information without their knowledge or consent for any reason listed under the exceptions provided for by law provided that:
“a reasonable person would expect the collection or use for such an activity; and
the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.”
Exceptions specified in the legislation include:
Use or disclosures related to business activities;
Transfer of data to service providers;
Circumstances in which personal information has been de-identified;
Internal research, analysis, and development (if the information has been de-identified);
Use or disclosure of personal information in furtherance of prospective business transactions;
Personal information produced by an employee in the course of business, provided the information that is used or disclosed is done so in a manner that is consistent with the purposes for which the information was produced;
During the course of managing an employment relationship, any federal work, undertaking, or business (anything necessary to establish, manage, or terminate an employment relationship where the employee was told that personal information may be collected or disclosed);
Disclosures to lawyers or notaries; information revealed on witness statements;
Information used or disclosed in the course of prevention, detection, or suppression of fraud; and
Information used or disclosed for the purposes of collecting debts.
Specifically in the employment context, the need for consent would not apply to information that organizations used for purposes consistent to those for which the information was provided. Federal employers and businesses may use personal data as necessary to establish, manage, or terminate an employment relationship with an individual.
It should also be noted that employers would be permitted to use personal information without employees’ knowledge or consent “if it is reasonable to expect that the collection with their knowledge or consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of federal or provincial law.” In other words, in certain types of workplace investigations (e.g., workplace harassment complaints), an employer may be permitted to use an employee’s personal information to investigate a complaint.
The new bill would require employers to ensure that their use of personal data either complies with the CPPA’s requirements or reasonably mitigates harm without an undue negative impact on the employee. This may require employers to closely and conservatively assess whether the use of data is in line with the purpose provided for. In any situation in which this is not the case, employers may be required to have a critical need to use the information without informing the employee and obtaining consent. Such exceptions may be rare.
Ultimately, federally regulated organizations that collect and use employee data may want to begin examining their processes and systems so that they are ready should the bill pass. For example, organizations may want to create processes for individuals (like employees, former employees, and individuals who went through any stage of hiring) to request deletion of any of their personal data that the organization is not using for employment purposes. Employers may want to reexamine internal privacy management programs and train (or retrain) privacy management representatives to assess these issues. By starting early, employers may be able to amend their policies and practices as smoothly as possible.
Kshemani Constantinescu, a law student currently participating in the summer associate program in the Toronto office of Ogletree Deakins, also contributed to this article.