If your startup operates in Canada and deals with data that may include personal information, then you are familiar with PIPEDA [1]. Recently, the federal government introduced its long-awaited privacy reform bill—Bill C-11—which overhauls PIPEDA by creating a modern and responsive law. It gives Canadians more control over their personal information and provides innovative businesses with clarity on their obligations. In this article and companion video featuring members of our Privacy and Emerging Companies and VC practices, we explore the implications of the proposed reform for emerging and high-growth technology and digital companies.

What you need to know

  • Bill C-11 proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and create a new administrative tribunal, the Personal Information and Data Protection Tribunal. It is unlikely that the proposed requirements under CPPA would come into effect before the end of 2022; however, as a founder it is important to understand the new rules to adjust your data management practices. In addition, VCs will ask you at your next board meeting, or during a future financing round, about what you are doing to understand CPPA implications on your company.
  • Even though CPPA contains several new obligations for businesses and new consumer rights, CPPA represents a PIPEDA 2.0-style reboot rather than a wholesale import of the E.U.'s more stringent privacy law, GDPR. This means companies that have invested in PIPEDA compliance will be able to build on their existing privacy and data governance frameworks and will not need to start from scratch.
  • Overall, CPPA:
    • retains PIPEDA's balancing of the need to protect an individual's privacy against businesses' commercial interests;
    • largely remains technology neutral;
    • continues to use consent as the central basis for the processing of personal information, while adding a few new consent exemptions for certain "business operations" and "internal R&D";
    • requires transparency about the use of predictive algorithms and plain language explanations of how personal information is processed;
    • provides individuals with the right to data portability and the right to request deletion of personal information; and
    • expands the federal Office of the Privacy Commissioner of Canada's (OPC) powers, including the ability to impose mandatory orders and to recommend that the Tribunal impose financial penalties.

The good, the bad and the ugly

Even though the CPPA will likely undergo significant revisions as a result of the legislative process, we have outlined below the key changes that VCs and startups should monitor. The tables below break these key highlights down into three categories: improvements in privacy law ("the good"); changes that increase the regulatory burden ("the bad"); and changes that increase businesses' potential liability or risk profile or significantly raise the regulatory burden ("the ugly").

The good

Each entry below names the CPPA provision, summarizes the proposed rule change, and sets out the implications for startups.

Service provider exemption

Summary of the proposed rule change: This exemption now allows accountable organizations to transfer personal information to a service provider (now a defined term [2]) without the individual's knowledge or consent. However, as the accountable party [3], the organization is required to impose controls (contractual or otherwise) on service providers to ensure equivalent protections [4].

This new exemption recognizes that as businesses go digital, they need to be able to seamlessly outsource functions to service providers and share data across borders.

Implications for startups: This is good news for startups that are service providers, since it adds clarity to a previously uncertain area of regulation and will permit accountable organizations to share personal information with their vendors and affiliated businesses more efficiently.

Business operations exemption

Summary of the proposed rule change: This new consent exemption permits companies to collect and use personal information if it is:

  • within the reasonable expectation of the individual;
  • not for the purposes of influencing the individual's behavior or decisions (i.e., not for marketing or profiling); and
  • for limited, prescribed activities such as service delivery, safety, risk mitigation or cybersecurity.

Implications for startups: If your startup is already established and compliant with PIPEDA, in practice it is unlikely that your business will see an expanded ability to process personal information without consent, given that many of these activities are already permissible as a condition of service or with implied consent under PIPEDA.

Data portability

Summary of the proposed rule change: Individuals will have a new right to request that an organization transfer the personal information it has collected from them to another organization. However, the details and scope of application will be set out in a data portability framework regulation.

Implications for startups: Data mobility will be a boon to startups. In addition to creating a more level playing field, innovative startups will benefit from access to data in greater volumes. At the same time, startups will need to develop processes and implement data hygiene best practices so that they can efficiently delineate between the information they collected directly from the individual and the data (and IP) the organization itself created.

CPPA's reference to the creation of a data portability framework, combined with the technical and data security issues that need to be addressed in regulations, indicates that the right will be implemented sectorally. Given the federal government's ongoing open-banking discussions, we anticipate that the right to data portability will first be rolled out in the financial sector, making fintechs the first beneficiaries.


The bad

Each entry below names the CPPA provision, summarizes the proposed rule change, and sets out the implications for startups.

De-identification

Summary of the proposed rule change: CPPA introduces a few de-identification related provisions:

  • concept of 'de-identified information': CPPA's definition of "de-identification" is broad enough to cover a spectrum of de-identified information, from the rigorous concept of anonymized information to the less onerous concept of pseudonymized information;
  • de-identification exemption: this allows organizations to convert an individual's personal information into "de-identified information" without the individual's knowledge or consent;
  • limited use of de-identified information: under CPPA, de-identified information can only be used without consent for the following purposes: i) internal research and development; and ii) socially beneficial purposes. Additionally, organizations must not use de-identified information to identify an individual, except in order to test the effectiveness of the security safeguards used to protect the information; and
  • technical and administrative requirements: organizations will be required to ensure that any technical and administrative measures applied to "de-identified information" are proportionate to the purpose for which the information is de-identified and to the sensitivity of the personal information.

Implications for startups: Even though the CPPA settles a long-standing ambiguity by allowing organizations to de-identify information without consent, it limits the use of de-identified information to a few purposes (internal R&D and socially beneficial purposes). Such an approach to "de-identification" has the effect of expanding the law's jurisdiction beyond personal information.

This could impact B2B AI and data analytics-based organizations' ability to use their customers' end-user "de-identified information" for their own purposes, for example, to develop or improve their AI or analytics product or service.

Right to disposal [5]

Summary of the proposed rule change: Individuals can request that an organization delete their personal information, subject to legal retention obligations or where it cannot be severed from others' personal information. This right is limited to information collected from the individual (i.e., not information created by the organization, such as inferential data, or obtained from third parties).

CPPA also imposes an obligation on the accountable organization to ensure that its service providers have deleted the information as well.

Implications for startups: Given the requirement to ensure that service providers permanently delete personal information, this requirement will impact not only organizations that directly collect information from individuals for their own purposes but also startups that work along the data processing and management supply chain. In addition to implementing processes to give effect to such requests, organizations will need to keep up-to-date data inventories to make sure they are able to delete all of the personal information in their possession or under their control.

It is currently unclear whether the 'permanent deletion' requirement would extend to some or all forms of de-identified information (e.g., pseudonymized versus anonymized information).

Algorithmic transparency

Summary of the proposed rule change: CPPA's new algorithmic transparency requirement has two components:

  • disclosure: organizations must explain in plain language whether they use any automated systems that make predictions, recommendations or decisions about individuals that could have significant impacts on them; and
  • broad right to explanation: in conjunction with an individual's right to access and amend personal information, the CPPA also provides a right to an explanation of a "prediction, recommendation or decision" made using an automated decision system, and of how the individual's information was used to make that determination.

CPPA does not include a right to object to or opt out of the use of such automated tools.

Implications for startups: It is important to note that the right to an explanation does not contain the "significant impact" qualifier included in the disclosure requirement. This means organizations will need to be able to identify, track and document all automated systems that use an individual's personal information to make determinations, and to be able to explain in plain language how that information was used to make a "prediction, recommendation or decision".

The requirements are general enough that we do not anticipate companies being compelled to disclose proprietary information about how their algorithms work or to explain the unexplainable (e.g., the "hidden layer" in an artificial neural network).

Business transaction exemption

Summary of the proposed rule change: PIPEDA permits organizations to share personal information without consent for due diligence purposes in a business transaction. CPPA proposes to add a new requirement that the seller de-identify personal information before sharing it with a potential buyer.

Implications for startups: If passed in its current form, this would have significant impacts on investment diligence and deal processes by adding time and expense for the startup to de-identify information critical to evaluating the transaction (e.g., information about key customers or, for limited federal entities, employees).


The ugly

Each entry below names the CPPA provision, summarizes the proposed rule change, and sets out the implications for startups.

Scalable privacy management program

Summary of the proposed rule change: Organizations must take into consideration the volume and sensitivity of the personal information under their control when developing privacy management programs.

Implications for startups: This requirement will significantly impact data-intensive startups. Any organization—irrespective of size or stage of development—that handles large volumes of personal information and/or processes sensitive information will be required to implement robust privacy practices. This means startups will need to allocate significant resources to privacy management from the get-go.

Penal regime and investigation powers

Summary of the proposed rule change: CPPA proposes to give the OPC the following supplemental powers:

  • order-making powers: authority to compel an organization to comply with the statute, to cease or modify its practices and to publish the steps taken. Additionally, the OPC will have the power to make interim orders in the midst of an investigation or audit; and
  • recommending penalties: authority to recommend [6] that the Tribunal impose administrative monetary penalties of up to $10 million or 3% of an organization's gross global annual revenue for contravention of processing provisions and certain security safeguard provisions [7].

Implications for startups: This will increase the burden of regulatory investigations on businesses, because their data processing activities may be interrupted even before the OPC has decided whether the company is offside the new law. The ability to force an organization to change its business model and to recommend a financial penalty will heighten the impact of a negative OPC finding beyond the current name-and-shame regime.

Fines

Summary of the proposed rule change: For more egregious contraventions [8] of the CPPA, an organization could face a criminal conviction and be fined up to 5% of annual global revenue or $25 million, whichever is greater. These offences would be prosecuted by the Attorney General of Canada.

Implications for startups: Fines under the new regime will raise multiple related risks for companies, such as whether such costs can or will be insured or indemnified, the business and reputational impact of a criminal conviction as opposed to a regulatory finding, and shareholder or consumer litigation arising from findings of intentional misconduct.

Private right of action

Summary of the proposed rule change: CPPA introduces a private right of action in court following a finding of non-compliance by the OPC or the Tribunal. Unlike some international regimes, CPPA does not propose statutory damages—rather, claimants must prove loss or injury.

Implications for startups: Businesses may see increased litigation activity in cases where the OPC has found that they violated CPPA but the facts would not otherwise support a damages award under common law causes of action such as privacy torts, negligence or breach of contract. For example, in a data breach case it may be easier for consumers to prove a breach of the statutory requirement to implement appropriate safeguards than to prove that a criminal hack amounted to a violation of a duty the company owed to them which in turn caused them to suffer loss.


Next steps

Even though the CPPA is subject to changes as it winds its way through the parliamentary review process (and is a couple of years away from being enforced), it is important to understand how the CPPA impacts your company and to develop plans to address gaps in compliance. This is especially critical since investors and potential buyers will, as part of their due diligence, soon begin to ask questions about the proactive steps you have taken to comply with CPPA, just as they did prior to the implementation of the EU's GDPR and California's CCPA.

Footnotes

1. Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5

2. Under CPPA, 'service providers' include parent corporations, subsidiaries, affiliates as well as third-party vendors.

3. CPPA deems personal information collected, used or disclosed on behalf of an organization by a service provider to be under the control of the organization (not the service provider) if the organization determines the purposes of collection, use or disclosure.

4. Additionally, under CPPA, service providers are generally exempt from the direct application of the CPPA when processing data for another organization. However, service providers will be required to notify accountable organizations of any data breaches.

5. CPPA defines "disposal" as the permanent and irreversible deletion of personal information.

6. However, OPC cannot recommend that a penalty be imposed on an organization for a contravention of the CPPA, if the OPC is of the opinion that, at the time of the contravention, the organization was in compliance with the requirements of an approved certification program.

7. Organizations may rely on a due diligence defence which, if successful, prevents the Tribunal from imposing a penalty.

8. Such fines are available when an organization knowingly contravenes CPPA provisions relating to breach reporting or record keeping, using de-identified information to identify an individual, failing to adequately retain information subject to an access request, denying whistleblower protections or obstructing OPC proceedings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.