New legislation is regularly introduced to respond to emerging technology and resulting gaps in existing laws. One example of this is the government’s desire to better regulate how organizations handle privacy and consumers’ personal information. And, while the emphasis is typically on for-profit corporations, charitable organizations should also be mindful.
In this blog, I’ll examine the current privacy framework, a recent attempt to address some legislative deficiencies, and what’s on the horizon.
The Current Framework
The existing federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), applies to all organizations engaging in ‘commercial activities’. This may leave charities with the impression that it does not apply to them at all, but that’s not necessarily the case. Instead of taking a broad look at the nature of an organization – a for-profit business and commercial activities go hand-in-hand, but the same ought not be said for charitable organizations – PIPEDA considers a particular activity’s nature.
This means that PIPEDA’s standards and regulations do apply to charitable organizations if they engage in commercial activities. So, what exactly are commercial activities?
PIPEDA and the Office of the Privacy Commissioner of Canada define commercial activities as “…any particular transaction, act or conduct or any regular course of conduct that is of a commercial character…”. This government resource makes it clear that determining ‘commercial activity’ is the most important consideration for determining if PIPEDA applies. When discussing non-profits, it specifically includes “the selling, bartering or leasing of donor, membership or other fundraising lists”.
Charities will want to ask themselves if how they use or share these lists could constitute a ‘commercial activity’ under PIPEDA.
The Well-Intentioned, Never-Finished Update to PIPEDA
Bill C-11 was first introduced in November 2020. It was the government’s initial attempt to update PIPEDA and other data privacy legislation for consumers. Partly due to the federal election in 2021, the Bill was abandoned and did not get through second reading (learn more about how a bill becomes a law here).
However, the basic framework in C-11 was re-introduced in June of 2022 as Bill C-27. It is currently under consideration in committee in the House of Commons, having made it through second reading on April 24, 2023. This Bill includes a number of privacy considerations all organizations will need to be aware of, even if some of those considerations don’t apply to them.
New Legislation Incoming
While not identical, Bill C-27 bears a strong resemblance to its predecessor. Its short title, the Digital Charter Implementation Act, 2022 (“Digital Charter”) means its subject matter is broader than privacy considerations under PIPEDA, and we will continue to monitor its other implications as they relate to charities. For our purposes, it’s important to note that Part 1 of the Digital Charter enacts the Consumer Privacy Protection Act (“CPPA”, or the “Act”), which will replace Part 1 of PIPEDA and introduce additional privacy considerations.
Until it’s enacted and a judge interprets the new Act, we won’t know if there are more or markedly different privacy considerations than those currently under PIPEDA. However, whether or not an organization is engaged in commercial activities will continue to be a central consideration under the CPPA privacy regime. We know this because section 6(1) of CPPA states that the Act applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities”, including charitable organizations.
In trying to explain section 6(1), section 6(2)(a) states that “for greater certainty,” the Act will apply to personal information that an organization “collects, uses or discloses interprovincially or internationally”. This will likely mean that if a charity possesses personal information that it then shares with organizations – even affiliated ones, like two offices of the same denomination – outside of the province where the information is collected, used, or disclosed for a “commercial activity” purpose, that charity will have to follow the CPPA’s privacy requirements.
Some of these privacy requirements include:
- Have a designated individual, like a Privacy Officer, who is responsible for the organization’s obligations under the Act – s. 8(1)
- Implement and maintain a privacy management program that outlines the relevant policies and procedures – s. 9(1)
- Collect, use, and disclose personal information in a manner that a “reasonable person” would consider appropriate in a given circumstance – s. 12(1)
- Obtain valid consent for collecting, using, or disclosing an individual’s personal information – s. 15(1)
What Should You Do?
We will continue to monitor the progress of Bill C-27 and any changes to Canada’s privacy regime that impact charities. For more information on the Digital Charter, see our previous blog post: https://www.cccc.org/news_blogs/legal/2022/07/29/a-new-privacy-regime-proposed-in-bill-c-27/