This publication has been updated as at October 15, 2021.

On November 17, 2020, the federal government proposed dramatic changes to how Canada will enforce privacy law, ushering in a new legal regime to protect individuals’ personal information – and to regulate organizations’ privacy practices. Bill C-11: The Digital Charter Implementation Act  creates the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information and Electronics Documents Act (PIPEDA), and codify in law organizations’ obligations respecting the collection, use and disclosure of personal information rather than merely rely on the Canadian Standard Association (CSA) Model Code. Though the Digital Charter was an important part of the current federal government’s 2019 election platform, it was not one of the key issues in its 2021 election platform. It’s not yet clear whether or when the Bill will become law. However, Quebec’s recent adoption of Bill 64 introducing new standards for individual privacy rights inspired by the EU’s General Data Protection Regulation (GDPR) helps keep top of mind the need to update Canada’s federal privacy laws.

The current consensus seems to be that it’s necessary to revise the Digital Charter, including the CPPA, before it’s passed. But the current form of the Digital Charter still gives organizations a sense of what to expect, and the necessary compliance processes they could be looking at, if the CPPA (or some form of it) passes. Here are 10 ways the Consumer Privacy Protection Act, in its present form, will impact organizations’ Canadian privacy practices.

1. Big Penalties. There will be significant penalties for non-compliance with the CPPA. It authorizes administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is higher, for the most serious offences. Currently, PIPEDA only authorizes penalties for breach of the Digital Privacy Act, and those are markedly lower than those under the CPPA: the maximum fine for breaching the Digital Privacy Act is $100,000 per violation (though if there were multiple violations, which would not be uncommon, the fines could add up).

2. Privacy Commissioner Powers. In a move away from the traditional ombudsman model, the CPPA gives the federal Privacy Commissioner broad power to make orders against organizations and to recommend penalties to a new “Personal Information and Data Protection Tribunal”. Under PIPEDA, the Privacy Commissioner only has the power to make recommendations to a breaching organization.

3. New Tribunal. A new “Personal Information and Data Protection Tribunal” will determine and levy any penalties – which will have the effect of a court order – and hear appeals from orders of the Privacy Commissioner.

4. Global Application. The new law takes an expansive approach to applicability, expressly applying to all personal information an organization collects, uses or discloses, including interprovincially or internationally. This reflects the increased digitization and globalization of the global economy, which knows no border, and which the COVID-19 Pandemic has accelerated.

5. New Right of Action. It creates a new privacy breach legal claim. Where the Privacy Commissioner decides an organization violated an individual’s privacy under the CPPA, and the Personal Information and Data Protection Tribunal upholds that finding, that individual can sue the organization (within 2 years) for compensation for the violation.

6. Data Portability & Deletion. It provides for new individual rights of data portability and deletion. Consumers can require an organization to transfer their data to another organization (subject to regulations that aren’t yet available), likely to be a boon to open banking. Individuals can also require that an organization delete the personal information it’s collected about them, subject to some limitations, in what appears to be a limited form of the “right to erasure”.

7. Algorithmic Transparency. It requires algorithmic transparency. Consumers would now have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision.

8. Consent Exceptions. It “simplifies” consent requirements for organizations by making some (potentially broad) exceptions to when an organization must obtain an individual’s consent to the collection, use or disclosure of the individual’s personal information, such as where the use of personal information is core to the delivery of a product or service. This could impact, for example, the information an organization must communicate in a privacy policy.

9. Data De-Identification. It makes new rules around the de-identification of data – including allowing for organizations to use an individual’s personal information without their consent in order to de-identify their data, but appears to limit other uses of de-identified data. Under certain circumstances, organizations can also disclose de-identified data to public entities for socially beneficial purposes.

10. Codes of Practice. It introduces the concept of “Codes of Practice”. The CPPA allows private organizations to establish a “code” and internal certification programs for complying with the law that the Privacy Commissioner will approve. Once approved, the “code” will effectively establish the organization’s legal compliance obligations.

---

Please contact your McInnes Cooper lawyer or any member of the Privacy, Data Protection & Cyber Security Law Team @ McInnes Cooper to discuss how we can help you prepare for the new CPPA.

---

McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.

© McInnes Cooper, 2020. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.