Publication
An update on Alberta’s Bill 26: Health Statutes Amendment Act
Alberta’s Bill 26 seeks to continue the government’s restructuring of healthcare in Alberta and introduces prohibitions on the treatment of minors for gender dysphoria.
Canada | Publication | August 16, 2022
The House of Commons recently introduced Bill C-27, which introduces three new acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA), which would replace the current Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-27 is the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021.
For more information on the AIDA, please see our recent update on the matter.
In this update, we take a closer look at the key elements businesses should know about the proposed requirements under CPPA and provide practical tips for complying with these requirements.
While certain broad themes of PIPEDA are reproduced and clarified in the CPPA, many best practices suggested by the Office of the Privacy Commissioner of Canada have been codified. Given the increased enforcement and sanction powers proposed by Bill C-27, businesses should carefully revise their privacy programs to comply with these new obligations.
As under PIPEDA, businesses remain accountable for information under their control. What constitutes “control” has been clarified under the CPPA – a business will have control of personal information when it (1) decides whether or not to collect it, and (2) determines the purposes for the collection, use or disclosure.
To this effect, the CPPA introduces the notion of “service provider,” a third party that processes personal information on behalf of another business. It is important to note that generally speaking, the CPPA obligations will not directly apply to service providers, but rather to the controlling businesses.
Proposed next step for businesses: Identify and catalog the types of personal information the business collects, uses, discloses or stores to identify and differentiate between circumstances whereby the business acts as a service provider versus controller.
One of Bill C-27’s most significant changes is the obligation for businesses to implement and maintain a privacy management program. This program must include the policies, practices and procedures put in place by a business to comply with statutory requirements, including for protecting personal information, processing requests and complaints made by individuals and employee training procedures. When developing their program, businesses will need to consider the volume and sensitivity of personal information the business controls.
An addition introduced by the CPPA is the possibility for the Office of the Privacy Commissioner of Canada (OPC) to request access to a business’ privacy management program and provide guidance and corrective measures. This change appears to be aimed at providing the OPC with enhanced enforcement powers.
Proposed next steps for businesses:
The CPPA requires a business to ensure any service providers engaged to process personal information on the business’ behalf provide an equivalent level of protection as required of the business itself. While this is commonly recommended by the OPC to ensure compliance with PIPEDA, the specific requirement is now included as a requirement under the CPPA.
Proposed next steps for businesses:
As a customer,
As a service provider,
The CPPA is very clear on retention periods – businesses can only keep personal information for as long as is required to fulfill the purposes for which it was collected, or to comply with statutory requirements. Furthermore, businesses must be able to justify why personal information should be retained for the proposed period of time.
Businesses will be required to consider the sensitivity of personal information when determining its retention period. As soon as feasible after this period of time, personal information must be destroyed – either by permanently and irreversibly deleting information, or anonymizing it. Personal information should be anonymized as well as permanently and irreversibly anonymized in such a way that no individual can be identified from the information.
Proposed next steps for businesses:
As under PIPEDA, businesses must use appropriate physical, organizational and technological security safeguards to protect personal information under their control. The CPPA introduces a new requirement, in that businesses must have a way of authenticating an individual to whom personal information relates. Further guidance regarding manner of required authentication is not currently included.
PIPEDA’s requirements on reporting to the OPC and notifying affected individuals of breaches of these security safeguards remain generally unchanged, and the real risk of significant harm test (RROSH test) still applies when considering whether notification obligations have been triggered.
An important addition under CPPA, however, is that service providers will be required to notify controlling businesses of a breach of their security safeguards affecting personal information processed on behalf of such businesses.
Proposed next steps for businesses:
Businesses need to make information regarding the steps taken to comply with the CPPA available to the public. Most businesses can comply with this requirement by providing a detailed privacy policy, including elements such as the types of personal information under their control and how they are used, whether or not any interprovincial/international data transfers occur, and retention periods. This publicly available information should be provided in “plain language,” meaning it must be reasonably expected to be understood by regular individuals.
Proposed next steps for businesses:
Publication
Alberta’s Bill 26 seeks to continue the government’s restructuring of healthcare in Alberta and introduces prohibitions on the treatment of minors for gender dysphoria.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023