Bill C-11 marks the first update to Canadian privacy law since the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect in 2000. If passed, the Bill would enact the Consumer Privacy Protection Act (CPPA) and bring about significant changes to private-sector privacy law. Of particular interest is a provision that would require organizations to delete personal information upon request. This article briefly explores this new “right to be forgotten” and what it might mean for organizations doing business in Canada.
Is CPPA replacing PIPEDA?
If enacted, CPPA would replace PIPEDA in its entirety. Consequently, any organization that collects, uses, or discloses personal information in the course of commercial activity would be governed by CPPA. Although many aspects of PIPEDA would carry over to the new legislation, CPPA would contain many substantive and procedural changes including larger penalties,[1] a stronger enforcement regime,[2] a new tribunal,[3] and even a new cause of action.[4]
Amongst the proposed changes is a provision that would give individuals the express right to have their personal information permanently deleted.[5] Section 55 of the Bill provides that if an organization receives a request from an individual to dispose of information, then the organization must comply in all but two cases:
- if deleting the data would cause other non-severable data to be deleted; or
- if the reasonable terms of a contract required the data to be kept.
A right to be forgotten: PIPEDA vs. CPPA
In contrast, PIPEDA provides only limited means for individuals to bring data deletion requests, and several means for organizations to avoid them. Presently, individuals can make a request on the basis that the information is inaccurate or out of date, or that it is no longer being used for the purposes for which it was collected.[6] Depending on the situation, the organization may delete, anonymize, or merely update the data. Adding a level of uncertainty to the mix is a provision that categorically prohibits organizations from unnecessarily retaining data,[7] but merely recommends its disposal or anonymization.[8] In any event, as long as an organization is compliant with PIPEDA, data subjects wanting to be “forgotten” are out of luck.
CPPA would therefore appear to give individuals significantly more power because it would require organizations to dispose of personal information even if it is being used for the purposes for which it was collected. Additionally, while PIPEDA permits either disposal or anonymization, CPPA would permit only disposal.[9] This would mean that organizations could no longer implement automatic data anonymization policies as an alternative to handling costly data deletion requests. Finally, the language of Section 55 is clearer than the patchwork of obligations and recommendations found in PIPEDA.
Notably, CPPA would still contain a provision prohibiting organizations from unnecessarily retaining data but, unlike PIPEDA, CPPA would require its deletion.[10]
Exceptions to the right to be forgotten
Despite the apparent strength of the proposed right to be forgotten, it would not be absolute. First, Section 55(1)(a) would exempt from deletion requests any personal information that is non-severable from other personal information. Non-severability of this nature could be merely incidental to, say, data aggregation systems, or it could be the result of a more intentional effort. This would benefit organizations that presently collect data in ways that render it non-severable and may even incentivize others to start doing so.
Second, Section 55(1)(b) would exempt from deletion requests any data that is contractually required to be retained. Of course, this would not permit an organization to include an indefinite data retention clause in its terms of service, as that would not be “reasonable”, but it would likely permit other types of data retention agreements, particularly ones made with commercial third parties. Many organizations may already have contracts in place that require data to be retained or used for a specified term. These organizations should consider seeking legal advice regarding the “reasonableness” of their existing contracts.
Conclusion: the CPPA’s “right to be forgotten” will impact data collection and storage
In summary, CPPA would provide data subjects with a conditional right to have their personal information deleted. While this new Canadian “right to be forgotten” will be far from absolute, it will have a substantial impact on how private-sector businesses collect, use, and store data. Organizations would therefore be well-advised to review their policies in advance of the upcoming changes.
Should you have any questions or comments, you can reach out to the authors Peter Dillon, head of Siskinds’ privacy, cyber & data group, at [email protected] or Mason Arthur, summer law student, at [email protected].
For a discussion on CPPA in the context of class actions, see Stefani Cuberovic’s blog post on the matter.
This article was written in collaboration with lead co-author Mason Arthur, summer law student.
[1] See CPPA ss 94(4), 125, 23(1), 28, 51.
[2] See CPPA ss 89, 92.
[3] Ibid at s 35.
[4] Ibid at s 106.
[5] See CPPA s 55(1).
[6] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, Schedule 1, LC 2000, ch 5, annex 1.
[7] Ibid.
[8] PIPEDA s 5(2) defines “should” as indicating “a recommendation and does not impose an obligation”.
[9] CPPA s 2 defines disposal as “the permanent and irreversible deletion of personal information”.
[10] See CPPA s 53.