Bulletin

The New Consumer Privacy Protection Act - Key Terms For Service Providers

Fasken
Overview

Information Technology Law Bulletin

This bulletin provides a high level summary of certain elements of the recently proposed Consumer Privacy Protection Act (CPPA) that will be of interest to service providers, and to organizations that engage service providers to process personal information.

The Proposed Legislation

On November 17, 2020, the Canadian government tabled Bill C-11, the Digital Charter Implementation Act, 2020 (Act). The Act proposes to:

• Enact the CPPA to replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the part of PIPEDA that addresses privacy in the private sector; and

• Enact the Personal Information and Data Protection Tribunal Act to establish the Personal Information and Data Protection Tribunal (Tribunal), which would hear recommendations of and appeals from decisions of the Privacy Commissioner of Canada (Commissioner).

The CPPA retains the principles-based approach of PIPEDA, but it integrates and adds to those principles directly in the body of the CPPA rather than in a schedule (as is the case in PIPEDA).  The CPPA also includes new regulatory tools to address compliance and much more severe remedies for non-compliance, including:

• New powers for the Commissioner, including audit and order making powers;

• The ability for the Commissioner to recommend, and for the Tribunal to impose, penalties up to the greater of $10 million or 3% of an organization's annual global revenues;

• Significantly expanded offences with fines up to the greater of $25 million or 5% of annual global revenues; and

• A private right of action to permit recourse to the courts in certain limited circumstances.

While the CPPA will be a dramatic change from PIPEDA, the CPPA nonetheless retains much of what was uniquely Canadian in PIPEDA and in many respects does not go nearly as far as the European General Data Protection Regulation (GDPR).

For a high-level summary of key features of the CPPA and the role of the Tribunal, please see our bulletin: "The Canadian Government Proposes Significant Changes to Privacy Law: Key Features include New Requirements, Orders, Penalties and a Private Right of Action".  For a high-level summary of the net new compliance requirements for privacy officers, please see our bulletins: "Made in Canada GDPR or PIPEDA Redux? A Privacy Officer's Compliance Guide to the proposed new Federal Privacy Legislation – Part 1" and "Part 2".

A Note of Caution

The following comments assume that the CPPA is enacted in its current form.  However, Bill C-11 is likely to change considerably as it advances through 2nd and 3rd reading in Parliament and receives study at the applicable Standing Committees.  These changes may affect some of the issues discussed below.

Service Providers

The CPPA will more specifically address the rights and obligations of service providers.

Under the CPPA, a service provider is defined as follows:

Service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.

The CPPA does not use the GDPR terms "controller" and "processor", but the underlying concept of control is recognized by the CPPA, and a service provider is roughly equivalent to a "processor" under the GDPR.  The CPPA states that an organization is accountable for personal information that is under its control, and provides:

Personal information is under the control of the organization that decides to collect it and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.

In this bulletin, we will use the term "controlling organization" to describe an organization that has control over personal information.

Service providers must determine whether they only process personal information to provide services for a controlling organization and only for purposes determined by that controlling organization, or whether they might collect personal information for some purposes that the service provider itself determines.  If a service provider collects personal information for some purposes that the service provider itself determines, then the service provider is accountable for that personal information, and the CPPA applies more generally to the service provider.

Use by a Service Provider for Incidental Purposes

At a high level, this may appear to be a simple assessment.  But there can be some inherent ambiguity.

Imagine that a controlling organization agrees, in the boilerplate of a service contract, that a SaaS service provider may use personal information for the purpose of: (1) tuning the performance of the SaaS service; (2) developing new functionality; or (3) developing new products and services.  As the controlling organization has consented to use for these purposes, the service provider might reasonably argue that these uses by the service provider are for purposes determined by the organization.  But which entity is actually "determining" the purpose of these uses?  If the Commissioner or the courts consider that a particular incidental use is unreasonable or inappropriate, even if authorized by the controlling organization, then there is a risk that the Commissioner or the courts might take the position that the incidental use is for a purpose determined by the service provider rather than the controlling organization, that the service provider is accountable for that personal information, and that the CPPA applies more generally to the service provider in respect of that use.

In addition, under the CPPA controlling organizations may be less willing to authorize service providers to use personal information for broader incidental purposes.

• The CPPA provides that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, after taking into account a number of factors listed in the CPPA.  Controlling organizations might be unwilling to accept the risk that incidental uses by a service provider might later be determined by the Commissioner or the courts to be inappropriate.

• Subject to certain exceptions, under the CPPA an organization must obtain an individual's valid consent for the collection, use or disclosure of the individual's personal information.  A controlling organization may be unwilling to accept the risk that incidental uses by a service provider might later be determined by the Commissioner or the courts to fall outside of both the business activities exception and the service provider exception, and may also be unwilling to accept responsibility for obtaining any required consents from the affected individuals.

Service providers can expect more complex negotiations with controlling organizations that are sophisticated and that have negotiating leverage.  To the extent that controlling organizations permit broad incidental uses at all, those controlling organizations: (1) may require that service providers only use de-identified personal information for those incidental uses; and (2) may seek broad unlimited service provider indemnities for third party claims arising from such incidental uses.

Contracts between Controlling Organizations and Service Providers

If a controlling organization "transfers" personal information to a service provider, then the controlling organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection for the personal information as that which the controlling organization is required to provide under the CPPA.  Controlling organizations will want to address this obligation in their service contracts, and, when the CPPA is final, service providers may want to consider updating their templates to more closely follow the language of this CPPA obligation.

Although the CPPA specifically refers to situations where there is a "transfer" of personal information, one must assume that the obligation is also intended to apply to those situations where there is no transfer of personal information, but the service provider otherwise collects, uses or discloses personal information on behalf of the controlling organization.

The GDPR provides a list of specific obligations that must be addressed in the contract between a controller and a processor.  In contrast, the CPPA has only the general obligation discussed above.

Subcontractors and Sub-Service Providers

The definition of a service provider becomes a bit more complicated when we consider subcontractors or sub-service providers.  Under the definition of a service provider: (1) it is possible for a "service provider" to act as a service provider to an organization that is itself a "service provider" to a controlling organization (for example, organization A might be a service provider to organization B, which in turn is a service provider to a controlling organization C); and (2) a subcontractor of a service provider might be a "service provider" to the controlling organization (in the above example, organization A is a subcontractor of organization B and might be considered a "service provider" to controlling organization C).

Even absent the CPPA, controlling organizations may require that some privacy-related obligations be included by the service provider in its contracts with sub-service providers.  However, because the definition of service providers includes subcontractors, controlling organizations are likely required by the CPPA to ensure that contracts between service providers and their sub-service providers also provide substantially the same protection for personal information as that which the controlling organization is required to provide under the CPPA (and that this obligation be passed down through all layers of sub-service providers).  Controlling organizations will want to address this obligation in their service contracts, and, when the CPPA is final, service providers may want to consider updating their templates to more closely follow the language of this CPPA obligation.

The GDPR provides that a processor cannot engage another processor without the specific or general authorization of the controller.  If the authorization is general, then the processor is required to inform the controller of any intended changes to those processors, and to give the controller the opportunity to object to new processors.  In contrast, the CPPA does not require a service provider to obtain the consent of the controlling organization to engage another service provider, does not require a service provider to inform the controlling organization of changes to engaged service providers, and does not require a service provider to give the controlling organization an opportunity to object to a new service provider.

A Limited Safe Harbour for Service Providers

Part 1 of the CPPA addresses the general privacy obligations of organizations and their accountability for the personal information they collect, use or disclose.  Part 2 of the CPPA addresses the Commissioner's powers, duties and functions.

Part 1 of the CPPA does not apply directly to a service provider in respect of personal information that is "transferred to it", but only if the service provider does not collect, use or disclose the personal information for any purpose other than the purpose for which it is transferred.  There are two exceptions to the service provider safe harbour: (1) the obligation of a service provider to protect personal information with appropriate security safeguards; and (2) the obligation of a service provider to provide notice to the controlling organization of any breach of security safeguards.  Both of these exceptions are discussed below.

What if a service provider collects, uses or discloses personal information on behalf of a controlling organization, but that personal information was not "transferred to it" by the controlling organization or someone else?  For example, what if a service provider collects personal information directly from individuals on behalf of the controlling organization?  The drafters likely intended that Part 1 of the CPPA would not apply directly to service providers in respect of such non-transferred personal information, and the Commissioner and the courts will likely give the word "transfer" a broad and purposive meaning.  However, as currently drafted, there is some risk (however small) that the Commissioner or a court might construe the safe harbour as applying only to personal information that is transferred to the service provider, and not to non-transferred personal information that is otherwise collected, used or disclosed by the service provider.  When the CPPA is final, service providers may want to consider updating their templates to provide that any personal information collected by the service provider on behalf of the controlling organization is deemed to have been transferred by the controlling organization to the service provider.

As discussed above, if the Commissioner or the courts consider that a particular incidental use by a service provider is unreasonable or inappropriate, even if authorized by the controlling organization, then there is a risk that the Commissioner or the courts might take the position that: (1) the incidental use is for a purpose determined by the service provider rather than the controlling organization; (2) the service provider safe harbour does not apply; (3) the service provider is accountable for that personal information; and (4) the CPPA applies more generally to the service provider in respect of that use.

Security Safeguards

An organization, including a service provider, is required to protect personal information through physical, organizational, and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the personal information.  In addition to the sensitivity of the personal information, the organization must, in establishing its security safeguards, take into account the quantity, distribution, format, and method of storage of the information.  The security safeguards must protect personal information against, among other things, loss, theft, and unauthorized access, disclosure, copying, use and modification.

Controlling organizations will want to address this obligation in their service contracts, and, when the CPPA is final, service providers may want to consider updating their templates to more closely follow the language of this CPPA obligation.

Notice of a Breach of Security Safeguards

If a service provider determines that any breach of security safeguards involving personal information has occurred, then the service provider must as soon as feasible notify the controlling organization.  A breach of security safeguards means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards or from a failure to establish those safeguards.

This specific service provider notice obligation is not in PIPEDA, but does reflect previous guidance provided by the Commissioner under PIPEDA.

The notice must be given by the service provider to the controlling organization, and not to the affected individuals or to the Commissioner.

This may lead to practical issues when the service provider does not contract directly with the organization that controls the personal information.  There will be some service arrangements where the service provider does not know which organization is the ultimate controller of the personal information, or how to contact that controlling organization.  Service providers will want to address this possibility in their customer contracts, though it may not always be easy to do so.

Controlling organizations are only required to give notice of a breach of security safeguards to the Commissioner or an affected individual if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.  In contrast, a service provider must give notice of a breach of security safeguards to the controlling organization even if there is no real risk of significant harm to any individual.  The intent is that the controlling organization, not the service provider, should make the determination as to whether there is a real risk of significant harm.

Controlling organizations will want to address the notification obligation in their service contracts, and, when the CPPA is final, service providers may want to consider updating their templates to more closely follow the language of this CPPA obligation.

The service provider notice obligation under the CPPA will exist and prevail, even if the service provider negotiates a narrower security breach notification obligation in its contract with the controlling organization.

Transfers of Personal Information Do Not Require Consent

Prior to April 2019, it was the Commissioner's long-standing position that a transfer of personal information to a service provider was a "use" not requiring consent.  In April 2019, the Commissioner controversially reversed that position, and declared that a transfer of personal information for processing was a "disclosure" requiring consent.  After widespread criticism, the Commissioner reverted to its original position, pending changes to PIPEDA.

This issue is put to rest by the CPPA, which specifically provides that an organization may transfer an individual's personal information to a service provider without their knowledge or consent.

Transfers of Personal Information Outside Canada Do Not Require Consent

Like PIPEDA (but unlike the GDPR), the CPPA does not contain an express prohibition on transfers of personal information to a service provider outside Canada or impose any additional special conditions on such transfers.  However, the controlling organization is required to include in its public privacy statements information about whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications.  As a consequence, controlling organizations may ask service providers to provide more detailed information about the jurisdictions in which the service provider and its sub-service providers use, transfer or disclose personal information.

The CPPA does not expressly address the possibility that a transfer of personal information to a service provider outside Canada (such as to a service provider in the United States) might subject that personal information to disclosure under the laws of the jurisdiction of the service provider (such as pursuant to FISA orders under the USA Patriot Act).

Disposal of Personal Information

General

Under the CPPA, an organization is not permitted to retain personal information for a period longer than necessary to: (1) fulfil the purposes for which the information was collected, used or disclosed; or (2) comply with the requirements of the CPPA, of federal or provincial law, or of the reasonable terms of a contract.  However, an organization that uses personal information to make a decision about an individual must retain the information for a sufficient period of time to permit the individual to make a request for access to that information (though it is not clear how long a sufficient period will be).

Service providers will wish to ensure that their systems have the functionality to allow the service provider to identify and dispose of personal information when it is no longer necessary to fulfil the purposes for which the information was collected, used or disclosed.  Controlling organizations will want to address this functionality in their service contracts, and, after the CPPA is final, service providers may want to consider updating their templates accordingly.

On Request by an Individual

In addition, subject to limited exceptions, a controlling organization must dispose of personal information it has "collected from an individual", if so requested by the individual.  (The obligation does not expressly apply to personal information collected from other sources.)

If a controlling organization disposes of personal information, it must, as soon as feasible, inform any service provider to which it has transferred the information of the individual's request and obtain a confirmation from the service provider that the information has been disposed of.

One should assume that this obligation also applies to non-transferred personal information that has been collected by the service provider on behalf of the controlling organization.

Service providers will wish to ensure that their systems have the functionality to allow the service provider to identify personal information by individual, and to dispose of that personal information.  Controlling organizations will want to address this functionality in their service contracts, and, after the CPPA is final, service providers may want to consider updating their templates accordingly.

De-identification of Personal Information

We will first discuss de-identification of personal information by controlling organizations, and then by service providers.

De-identification of Personal Information by Controlling Organizations

Under PIPEDA, a question had arisen as to whether or not a controlling organization needed consent from an individual in order to create de-identified information from the individual's personal information.  The CPPA resolves this question, expressly permitting a controlling organization to use an individual's personal information without their knowledge or consent to de-identify the information.

To de-identify personal information means to modify the personal information, or to create information from the personal information, by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.  An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information.

Service providers that de-identify information on behalf of controlling organizations will want to assess their de-identification processes against the standard set out in the CPPA.

Organizations are prohibited from using de-identified information alone or in combination with other information to identify an individual, except in order to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information.  A breach of this prohibition is an offence under the CPPA.

There is possibly some ambiguity as to what a controlling organization can do with de-identified personal information.  If personal information is de-identified so that it ceases to be personal information, then one might have assumed that the controlling organization could then collect, use or disclose the de-identified information for any purpose without additional consent.  However, there are several sections of the CPPA that describe specific permitted uses of de-identified information (research and development, prospective business transactions, socially beneficial purposes).  In the author's view, these sections should be viewed as expressly confirming the broader right to use de-identified personal information in the specific situations addressed by those sections, but there is a risk that the Commissioner or a court might rely on the existence of those sections to imply some restriction on the purposes for which de-identified information can be collected, used or disclosed.

De-identification of Personal Information by a Service Provider

Does the CPPA right to de-identify personal information without consent (or knowledge) also apply to a service provider that might wish to de-identify personal information and use that de-identified information for its own purposes (where the contract with the controlling organization permits or does not prohibit that de-identification)?  The answer is not entirely clear.

The right to de-identify personal information is not expressly limited to controlling organizations.  However, the right to de-identify personal information is in Part 1 of the CPPA which does not apply to service providers (at least, in respect of personal information that is transferred to the service provider).  On the other hand, the right to de-identify personal information is a clarification of, or an exception to, other rights in Part 1 which also do not apply to service providers.

The Commissioner or a court might take the position that: (1) the de-identification of personal information for use by a service provider for its own purposes is not a use "for or on behalf of another organization" unless it is expressly authorized by the controlling organization; (2) the service provider loses its status as a service provider in relation to such use; (3) the service provider loses the protection of the service provider safe harbour in relation to such use; and (4) the service provider is therefore more generally subject to Part 1 of the CPPA in relation to such use, and perhaps more broadly.

But if the service provider is more generally subject to Part 1 in relation to such use, then the service provider should receive the benefit of the de-identification right in Part 1 (though the service provider should disclose its de-identification practices in its privacy statement and comply with its other general Part 1 obligations).  Nonetheless, there remains some risk to service providers as the Commissioner may want to construe the de-identification right narrowly.

Service providers will want to consider whether to include an express right to de-identify personal information in their service contracts with controlling organizations.

Automated Decision Systems

The CPPA introduces new requirements if an organization (or its service provider) uses an automated decision system.  An automated decision system is defined as follows:

automated decision system means any technology that assists or replaces the judgement of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets.

Note that this definition includes both simple rules-based decision systems and more sophisticated AI systems.

If a controlling organization uses an automated decision system to make a prediction, recommendation or decision about an individual, then the organization must, on request by the individual, provide the individual with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.  To the extent that a service provider provides these services to a controlling organization, the organization will be looking to the service provider to provide the necessary information.  Controlling organizations will want to address this obligation in their service contracts, and, when the CPPA is final, service providers may want to consider updating their templates accordingly.

The explainability of AI is currently a hot topic.  For automated decision systems that use AI, it is not yet clear how much transparency will be required under the CPPA.

Records

Unlike the GDPR, the CPPA does not impose record keeping obligations directly on the service provider.

Under the CPPA, the controlling organization (not the service provider) must maintain records of every breach of security safeguards involving personal information under its control.  However, the controlling organization may by contract require its service provider to maintain those records, insofar as the breach of security safeguards arises in connection with systems or services of the service provider.  Controlling organizations will want to address this obligation in their service contracts, and, when the CPPA is final, service providers may want to consider updating their templates accordingly.

Commissioner's Guidance

The CPPA requires the Commissioner to develop guidance materials for organizations in relation to their compliance with the CPPA, in consultation with affected stakeholders.

Remedies

The CPPA substantially increases the remedies available for enforcement.  The Commissioner has new powers, including audit and order making powers.  The Commissioner can recommend, and the Tribunal can impose, penalties up to the greater of $10 million or 3% of an organization's annual global revenues.  There are significantly expanded offences with fines up to the greater of $25 million or 5% of annual global revenues.  There is a private right of action to permit recourse to the courts in certain limited circumstances.  These remedies are discussed in greater detail in our earlier bulletins, noted above.

Conclusion

There is no guarantee that Bill C-11 will pass in its current form, particularly given the current minority Parliament.  Nor is there yet any indication of when the Act or certain of its provisions may come into force or what the length of any transition period would be (the date of the coming into force of the Act and certain provisions of the CPPA are to be set by an order of the Governor in Council).  To date, Bill C-11 has only been introduced in the House and received the 1st Reading.  Service providers will want to monitor the progress of Bill C-11 as it advances through 2nd and 3rd reading in Parliament and receives study at the applicable Standing Committees.
