Ensuring eSignature Lawfulness for Business Ethics and Conduct Disclosure Statement in Canada

How to eSign a document: eSignature lawfulness for Business Ethics and Conduct Disclosure Statement in Canada

finally the government of canada has tabled its long-awaited privacy law intended to completely overhaul canada's private sector privacy law and rocket the country to the front of the pack for protecting privacy not quite but in this video i'll give you an overview of what it says hi my name is david fraser i'm a privacy internet and technology lawyer with the canadian law firm mcginnis cooper i also teach internet and media law at the schulich school of law at dalhousie university in this channel i try to provide educational and informative content about canadian privacy and technology law you should check out the full disclaimer below but you should know that i'm about to give you a high level overview of the bill that was just introduced and my opinions on the topic these opinions should not be attributed to my firm or any of its clients on june 26 2022 the industry minister francois philippe champagne finally tabled in the house of commons bill c27 called the digital charter implementation act 2022 this is the long-awaited privacy bill that is slated to replace the personal information protection and electronic documents act which has regulated the collection use and disclosure of personal information in the course of commercial activity in canada since 2001. pipita contrary to administer champagne said at the press conference later that day has been updated a number of times but there really has been a broad consensus that it was in need of a general overhaul the bill is very similar to bill c-11 which was tabled in 2019 as the digital charter implementation act 2019 and which languished in parliament until dying when the federal government called the last election this new bill creates three laws the first is the consumer privacy protection act which is the main privacy law the second is the personal information and data protection tribunal act and the third is the artificial intelligence and data act that last one i'm going to have to leave to another episode i don't plan to do a deep dive into the bill in this video as i want to spend more time pouring over its detailed provisions we can't just do a line-by-line comparison with pipita as the bill is a completely different animal than pipita you may recall that pipa included a schedule taken from the canadian standards association model code for the protection of personal information the statute largely said follow that and there were also a bunch of provisions in the body of the act to modify those standards or to set out how the law is overseen this statute is different the most significant difference is what many privacy advocates have been calling for the privacy commissioner is no longer an ombudsman the law includes order making powers and punitive penalties the bill also creates a new tribunal called the personal information and data protection tribunal which replaces the current role of the federal court under pipa with greater powers other than order making powers i don't see much of a difference between what's required under the new cppa and what diligent privacy-minded organizations have been doing for years under pipa so this is a high-level overview of what's in bill c27 and i'll certainly do deeper dives into its provisions in later videos pipa applied to the collection use and disclosure personal information in the course of commercial activity and to federally regulated workplaces that hasn't changed but a new section 6 sub 2 says that the act specifically applies to personal information that is collected used or disclosed interprovincially or internationally the privacy commissioner had in the past asserted that this was implied in pipa but it was never written into that act well now it will be two things about this are slightly problematic the first it is not expressly limited to commercial activity so there's an argument that could be made that it would apply to non-commercial or even employee personal information just because it crosses borders the second dumb thing is that this means that a company with operations in british columbia and alberta when it moves data from one province to the other not only has to comply with the substantially similar privacy laws of each province now they have to comply with the consumer privacy protection act that seems very redundant the new bill also includes the same car votes for government institutions under the privacy act personal or domestic use of personal information journalistic artistic and literary uses of personal information and business contact information we really could have benefited from a clear extension of the act of personal information that is imported from europe or other jurisdictions so we can have confidence that the adequacy finding from the eu present and future really applies across the board when that information is processed in canada the cppa also has an interesting approach to anonymous and de-identified data it officially creates these two new categories it defines anonymize as to irreversibly and permanently modify personal information in ance with generally accepted best practices to ensure that no individual can be identified from the information whether directly or indirectly by any means so there effectively is no reasonable prospect of re-identification to de-identify data means to modify personal information so that an individual cannot be directly identified from it though a risk of the individual being identified remains so you're essentially using data with the direct identifiers from you removed now the legislation does not regulate anonymous data because there is no reasonable prospect of re-identification it does regulate de-identified data and generally prohibits attempts to re-identify it the law also says that in some cases de-identified data can be used or even has to be used in place of fully identifiable personal information so what happened to the csa model code when you look at the cppa you'll immediately see that it is very different it's similar in structure to the personal information protection acts of alberta and british columbia in that the principles of the csa model code are not in a schedule but are in the body of the act and the language of these principles has necessarily been modified to the more statutory language rather than the sort of language that you see in industry standards documents the 10 principles themselves largely haven't changed and this should not be a surprise though written in the 1990s they were based on the oecd guidelines and we see versions of all the 10 principles in all modern privacy laws around the world what has changed is the additional rigor that organizations have to implement or more detail that's been provided about how they have to comply with the law for example principle 1 of the csa model code required that an organization implement policies and practices to give effect to the csa model code principles the cppa explicitly requires that an organization have a privacy management program it says specifically every organization must implement and maintain a privacy management program that includes the policies practices and procedures the organization has put in place to fulfill its obligations under this act including policies practices and procedures respecting the protection of personal information how requests for information and complaints are received and dealt with the training and information provided to the organization's staff respecting its policies practices and procedures and the development of materials to explain the organization's policies and practices it then says in developing its privacy management program the organization must take into account the volume and sensitivity of the personal information under its control this privacy management program has to be provided to the privacy commissioner on request with respect to consent organizations expressly have to record and document the purposes for which any personal information is proposed to be collected used or disclosed this was implied in the csa model code but it's now expressly spelled out in the act section 15 lays out in detail what is required for consent to be valid essentially it requires not only identifying the purposes but also communicating in plain language how information will be collected the reasonably foreseeable consequences of that what types of information are collected and who to whom the information may be disclosed have to save digging into the weeds on these principles for another episode one change compared to pipita that will delight some and enrage others is the circumstances under which an organization can collect and use personal information without consent section 18 allows collection and use without consent for certain business activities where it would reasonably be expected to provide the service for security purposes for safety or other prescribed activities notably this exception cannot be used where the personal information is to be collected or used to influence the individual's behavior or decisions there's also a legitimate interest exception which requires any organization to document any possible adverse effects on the individual mitigate them and finally weigh whether the legitimate interest outweighs any adverse effects now it's unclear in the statute how adverse effects would be measured like pipita an individual can withdraw consent subject to similar limitations that were in pipa but what's changed is that an individual can require that their information be disposed of now notably disposal includes deletion or rendering it anonymous on my first review it doesn't look like there are many other circumstances where an organization can collect user disclosed personal information compared to those that were allowed under section 7 of pipa in my view it's very interesting that the exceptions that can apply when the government or the cops come looking for personal information have not changed at all from section seven sub three of pipa for example the provision of that the supreme court of canada in the spencer case said was meaningless is essentially reproduced in full section 44 says an organization may disclose an individual's personal information without their knowledge or consent to a government institution or part of a government institution that has made a request for the information identified as lawful authority to obtain the information and indicated the disclosure is requested for the purpose of enforcing a federal or provincial law or law of a foreign jurisdiction carrying out an investigation related to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law now the supreme court of canada and spencer essentially said what the hell does lawful authority mean and the government has made no effort to do so or explain it in bill c-27 but you know that's just as well since companies should always say come back with a warrant even if they're allowed to disclose it they can still require a government agency or the cops to come back with a court order the big changes in bill c-27 are with respect to the role of the privacy commissioner the commissioner is no longer an ombudsman with a focus on nudging companies to compliance and solving problems for individuals it has veered strongly towards enforcement now as with pipa enforcement starts with a complaint by an individual or the commissioner can initiate one of his own there are more circumstances under the cppa where the commissioner can decline to investigate however now after the investigation the matter can be referred to an inquiry inquiries seem to have way more procedural protections for fairness and due process than under the existing ad-hoc pipetta system for example each party is guaranteed a right to be heard and to be represented by council they've always done this to my knowledge but this will now be baked into the law also the commissioner has to develop rules of procedure and evidence that have to be followed and these rules have to be made public at the end of the inquiry the commissioner can issue orders ordering the organization to take measures to comply with the act or to stop doing something that's in contravention of the act the commissioner can continue to name and shame violators as happens under pipa but notably the commissioner does not have the power to levy any penalties instead the commission can recommend that penalties be imposed by the new privacy and data protection tribunal this tribunal is created under the legislation as a new specialized tribunal which hears cases under the cppa it's expected that its jurisdiction will likely grow to include more matters for example the online harms consultation that took place last year or in the last year anticipated that certain questions would be determined by this tribunal as well compared to c11 the new bill requires that at least three of the tribunal members have expertise in privacy when c11 was introduced in 2019 it was only one member with that expertise the role of the tribunal is to determine whether any penalties recommended by the privacy commissioner are appropriate and to order them it also hears appeals from the commissioner's findings appeals of interim or final orders of the commissioner and appeals of any decision by the commissioner not to recommend that any penalties be levied currently under pipetta complainants and the commissioner can seek a hearing in the federal court after the commissioner has issued his finding that hearing is de novo so that the court gets to make its own findings of fact and determinations of law based on the submissions of the parties this tribunal in contrast has a standard overview that is correctness for questions of law and palpable and overriding error for questions of fact or questions of mixed law and fact these decisions can be subject to limited judicial review before the federal court so what about these penalties they're potentially huge and i have a feeling that the big numbers were pulled out of the air in order to support the political talking points that they are the most punitive of the g7 the maximum administrative monetary penalty that the tribunal can impose in one case is the higher of 10 million dollars or 3 percent of the organization's gross global revenues for the financial year before the one in which the penalty is imposed the act also provides for quasi-criminal prosecutions which can get even higher the crown prosecutor can decide whether to proceed as an indictable offense with a fine not exceeding the higher of 25 million dollars and 5 percent of the organization's gross global revenue or by summary offense with a fine not exceeding the higher of 20 million dollars and four percent of the organization's gross global revenue now if it's a prosecution then the usual rules of criminal procedure and fairness apply like the presumption of innocence and proof beyond a reasonable doubt i'll definitely have more videos with a deeper dive into the provisions of bill c27 in the coming weeks and months i hope this has been of interest to you if you want to see more videos like this please hit like and subscribe so that they'll show up in your feed and of course feel free to share this with anybody for whom it may be useful if you have questions or comments about this topic please feel free to leave them below i read and reply to all of them also if you have any topics you'd like to see covered in a future video please let me know thank you very much for tuning in