Canada Introduces Legislation to Revamp Federal Privacy Landscape
The Canadian House of Commons introduced draft legislation that, if enacted, would align federal Canadian privacy law with the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The existing federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA) was originally implemented in 2004. The draft legislation, titled the Consumer Privacy Protection Act (CPPA), proposes significant advancements to the current legal regime governing personal data.
The draft legislation went through its first reading in the Canadian legislature on November 17, 2020. Here are some of the significant proposed changes:
- Privacy management program: The CPPA requires organizations to maintain a privacy management program that includes organizational policies and procedures related to, and for the protection of, personal information, how the organization deals with privacy complaints, how it trains its personnel, and how it communicates the same to individuals.
- Increased Penalties: The CPPA would provide the Commissioner the mandate to impose penalties for violations found upon investigation. These penalties can range as high as 5% of a company’s global revenue, or $25 million, whichever is greater. If the CPPA passes, the penalties would be the most significant among all G7 countries.
- Private Right of Action: Like the GDPR, the CPPA would provide a private right of action for those who contend the use of their data contravenes the rights and obligations of a company under this law. This is a significant development in Canadian law, which presently does not consider financial injury as an actual injury under its laws.
- Consent-Based Determinations: PIPEDA is predicated on a consent-based system for processing of personal data. The CPPA would codify the guidance issued by the privacy commissioners for the last 16 years. This means that consent will only be required when it has actual privacy implications for the data subject. Consistent with the GDPR, consent would not be needed to transfer data to third-party service providers. Additionally, the CPPA would not require consent when the company can demonstrate a legitimate purpose for which consumer consent would be expected, such as delivering the requested service or for the company’s own protection. The legislation would also allow companies to process “deidentified information” without consent of the data subjects.
- Expanded Consumer Rights: The CPPA would expand the rights of consumers in relation to how companies collect and process their data. First, when a company uses automated decision-making in connection with the processing of consumer data, the consumer will have a right to an explanation of how the algorithm makes processing determinations. Furthermore, the CPPA will provide consumers the right to transfer their data from one organization to another. Finally, the CPPA will provide consumers with the right to request that companies delete their data and allow consumers to withdraw consent from company use of their information.
There are two prevailing issues concerning the passage of this federal legislation. First, it remains unclear how the new measures will fit into an adequacy decision under the GDPR following the “Schrems II” decision. This is especially significant as a key goal in enacting PIPEDA was to facilitate the flow of data from the EU after it had passed the original Privacy Directive (prior to GDPR). Second, it is unclear how the provinces of British Colombia, Ontario, and Alberta will handle this legislation at the provincial level as each province has introduced and tabled their own privacy legislation in the recent years.
The CPPA, if enacted, will substantially alter Canada’s federal privacy landscape. We will continue to monitor developments in the progress of this legislation as they occur. Subscribe to this blog to receive email alerts when new posts go up.
**Please consider nominating our national Data Privacy & Cybersecurity Team for the 2021 Advisen Cyber Risk Awards in any or all of the following categories: Cyber Risk Event Response Team of the Year, Cyber Risk Pre-Breach Team of the Year, and Cyber Law Firm of the Year. Nominations close Friday, February 26. Submit your nominations for Lewis Brisbois here.**