A look at Canada’s new data privacy law

In November, Bill C-11 for the Digital Charter Implementation Act, 2020 was introduced to the House of Commons as part of Canada’s updated privacy legislation, which will enact the Consumer Privacy Protection Act (CPPA).

If transcribed into law, the CPPA will replace the Personal Information Protection and Electronic Documents Act (PIPEDA) in most areas and will expand data privacy obligations and impose new enforcement mechanisms on businesses collecting users’ data.

Expanded rights

The CPPA maintains the ten core privacy principles of PIPEDA, including, accountability, consent and challenging compliance.

However, it expands consumers’ rights in certain areas, such as allowing individuals to request access and deletion of their data, with some exceptions and data portability rights.

Furthermore, the CPPA implements the concept of algorithmic transparency, which will enable consumers to receive an explanation as to why a certain algorithmic decision has been made about them upon request.

It must then inform any service provider to which it transferred the PI of the individual’s request and obtain confirmation that the service provider deleted the PI.

Consent

Under CPPA, businesses will have to meet extra requirements for obtaining valid consent. At the point of collection, organisations must provide consumers with the following information:

• The purposes of the collection, use, or disclosure of the PI, as determined and recorded by the organisation
• The way PI is to be collected, used, or disclosed
• Any reasonably foreseeable consequences of the collection, use, or disclosure of the PI
• The specific type of PI to be collected, used, or disclosed
• The names of any third parties or types of third parties to which the organization may disclose the PI

However, in a move away from PIPEDA, the new law will also provide exceptions in obtaining consent when de-identifying information.

Additionally, there are exceptions for obtaining consent if the collection or use is made for a business activity, such as providing or delivering a product or service that the individual requested or preventing or managing commercial risk. An organisation may also transfer an individual’s personal information to a service provider without the user’s knowledge.

Penalties

The CPPA includes significantly high penalties for non-compliance through the Personal Information and Data Protection Tribunal (PIDPTA), which will have the power to impose administrative penalties on businesses, who use personal information for an improper purpose, require a person to consent to the use of their personal information as a condition of supplying a good or service, or retain personal information for longer than needed.

The Tribunal can impose administrative penalties on recommendation by the Privacy Commissioner and will also be able to hear appeals of the Privacy Commissioner’s decisions and assist in administration of the CPPA.

The maximum administrative penalty under the CPPA is the greater of C$10 million or 3% of global revenue for the previous year. The maximum penalty for serious offences will be up to 5% of an organization’s global revenues or $25 million whichever is higher.

Privacy Commissioner (OPC)

The Commissioner will also receive greater order-making powers under the CPPA than PIPEDA. Notably, they can order a company to “take measures to comply with the CPPA; cease doing something in contravention of the CPPA; follow a compliance agreement; or make public any corrective actions it must take to comply with the CPPA.” Under PIPEDA, the Commissioner is only able to make recommendations.

The law will first become subject to committee review and public consultation before it can be passed. So far, no timelines for preparation have been drafted.

Hear more about the new legislation, and from Mark Sward, at Canada’s Proposed Updated Federal Privacy Law: What You Need to Know at 6pm on 23 March at PrivSec Global

Click here for more