On November 17, 2020, the federal government proposed dramatic changes to how Canada will enforce privacy law, including a new adjudicative body to protect individuals’ personal information and to regulate organizations’ privacy practices. Bill C-11, the Digital Charter Implementation Act, creates the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information and Electronic Documents Act (PIPEDA) and to codify in law an organization’s obligations regarding the collection, use, and disclosure of personal information. The proposal would modernize, and in certain respects toughen, Canadian private sector privacy law by enhancing transparency and control over personal information held by businesses, and by imposing new, harsher sanctions for non-compliance. We have prepared a detailed analysis which focuses on the key differences between the federal government’s current privacy framework (PIPEDA) and the proposed CPPA, and what they could mean for your online business. Check it out!
Broader Powers for the Commissioner
The CPPA broadens the order-making powers of the Commissioner. Under the CPPA, the Commissioner may order an organization to:
- Take new measures to comply with the CPPA;
- Stop doing something that is contrary to the CPPA;
- Comply with the terms of a compliance agreement that has been entered into by the organization; or
- Make public any measures taken or proposed to be taken to correct the policies, practices, or procedures that the organization has put in place to fulfil its obligations under the CPPA.
The CPPA will also create a new Personal Information and Data Protection Tribunal (the “Tribunal”). The Tribunal is empowered to impose penalties and fines under the CPPA on the recommendation of the Office of the Privacy Commissioner of Canada (the “Commissioner”), and it will adjudicate appeals from the Commissioner’s orders.
Accordingly, in addition to the order-making powers above, the Commissioner may recommend that the Tribunal impose a penalty on an organization for violating certain provisions of the CPPA.
There will be significant penalties for non-compliance with the CPPA. It authorizes administrative monetary penalties, and fines of up to 5% of global revenue or $25 million (whichever is higher) for the most serious offences. By contrast, PIPEDA only authorizes fines for the offences introduced by the Digital Privacy Act (such as failing to report a breach of security safeguards), and those are markedly lower: the current maximum is $100,000 per violation, although multiple violations can add up.
Algorithmic Transparency
PIPEDA does not adequately address modern automated or algorithmic decision-making. The CPPA provides for algorithmic transparency, including the right of individuals to request an explanation of how an automated decision about them was made.
Data Portability and Deletion
Under the CPPA, individuals would be given the right to have their personal information transferred from one organization to another. Individuals could also require that an organization delete the personal information it has collected about them, subject to some limitations, in what appears to be a limited form of the “right to erasure”.
Clarifies Rules for Consent to Data Sharing
To obtain valid consent under the CPPA, an organization must provide individuals with certain information before the individual can agree to having his or her personal information collected. Specifically, the organization must disclose the purpose(s) of the collection, use, and disclosure; the “reasonably foreseeable consequences of the collection, use or disclosure”; the types of personal information involved; and the “names of any third parties or types of third parties to which the organization may disclose the personal information.”
Steps Your Business Can Take to Prepare
While companies can expect a transition period to bring their practices in line with the new legislation, we recommend that companies take the following steps now:
- Affirm the company’s commitment to consumer data privacy by reminding employees that personal information must not be misused under any circumstances (there may be legal consequences if it is), and emphasize that existing privacy measures must be taken seriously.
- Organize a team to review the current state of the company’s consumer data collection practices and privacy measures.
- Identify where current practices and measures fall short of the existing requirements under PIPEDA, and where improvements can be made to enhance consumer data privacy and reduce the risk of privacy breaches.
- Develop a plan to rectify any non-compliance with the current requirements and to improve existing practices and measures.
- Implement the rectification and improvement plans.
- Prepare for further changes by regularly monitoring, and periodically revising, consumer data collection practices and privacy measures as the legislation evolves.
Private sector companies in Canada should pay close attention to the CPPA as the draft legislation moves through Parliament. Although it remains to be seen which aspects of the bill will ultimately be adopted, it is clear that Canadian privacy law is changing, and most companies will find it necessary to revise their consumer data collection practices and strengthen their privacy measures in light of the stricter requirements and harsher penalties in the CPPA.