There has been chatter in Canada for nearly two years about comprehensive reform of the country’s data privacy landscape. The process ramped up this June with the introduction of Bill C-27, the Digital Charter Implementation Act, 2022. The bill would not only enact a new federal privacy law, the Consumer Privacy Protection Act (CPPA), but also create a data protection tribunal (through the Personal Information and Data Protection Tribunal Act) and regulate artificial intelligence (AI) development (through the Artificial Intelligence and Data Act, or AIDA). The bill is expected to remain pending for another year or two: it must complete the legislative process and then sit through a transition period so organizations can build compliance programs. If passed as proposed it would join the ranks of the GDPR, with some stricter provisions and heavier fines, so it is worth monitoring the process and starting to prepare now.
The Old Law
Canada has relied on the Personal Information Protection and Electronic Documents Act (PIPEDA) to regulate private-sector data privacy for over twenty years. In that time, the world has changed drastically in terms of electronic communication and data exchange. Almost everything is digital now, which leaves PIPEDA badly outdated and places Canadian consumer data at risk. The major gaps in PIPEDA leave room for data misuse and heighten breach risk: there is no firm, enforceable right to deletion, and no oversight requirement that forces organizations to curtail unnecessary processing or prolonged storage of personal data.
The New Law
If the Digital Charter Implementation Act passes, the CPPA would replace the privacy portions of PIPEDA and give Canadian consumers more control over their data. Like PIPEDA, it would set the federal baseline for commercial activity across Canada while deferring to provinces that have substantially similar legislation. That refresh is needed, as some provinces, Quebec in particular, have already modernized their privacy regimes. A current federal standard will provide clearer guidance for organizations operating in multiple jurisdictions and serve as a model for other provinces wishing to create their own legislation.
Beyond commercial activity, the law also covers personal information about employees and job applicants of federally regulated businesses (federal works, undertakings and businesses such as banks, airlines and telecommunications carriers). Employee data in the wider private sector is not specifically addressed, which is the norm among privacy laws around the globe.
Here are some important CPPA provisions to note:
- Key individual rights include access, correction, disposal (deletion) and data mobility (portability). These rights appear in most new data privacy laws.
- Individual consent is required before an organization can lawfully collect, use or disclose personal information, unless an exception applies. Exceptions include: specified business activities an individual would reasonably expect, such as delivering a product or service they requested or safeguarding information, system or network security; transfers to a service provider, provided the organization ensures by contract or otherwise that the data receives substantially the same protection; investigating a breach of an agreement or a contravention of federal or provincial law, where seeking consent would compromise the investigation; public interest purposes such as a health emergency; publicly available information as defined by regulation; and information that has been anonymized, which falls outside the Act altogether. These exceptions are meant to balance consumer rights against an organization’s legitimate interest in using the data. The list is not exhaustive.
- Before collecting personal information, organizations must determine and record each purpose for which it will be collected, used or disclosed. Where an organization relies on an exception to consent, it must weigh its interests against the individual’s rights and document that analysis, an exercise comparable to the balancing the GDPR requires when relying on legitimate interests.
- Organizations must designate a single individual or team to oversee compliance efforts. If organizations already have a data protection officer appointed for GDPR compliance, obligations will undoubtedly overlap.
- Organizations must create a privacy management program accounting for all CPPA obligations. If one is already in place, the compliance team should audit it to identify policy or process gaps. For example, the CPPA clearly directs organizations to dispose of personal information once the purpose for which it was collected has been fulfilled. This may require changes to existing retention schedules.
- The ability to collect and process data for minors will be limited, as the CPPA clearly classifies this information as sensitive. This was highly debated in the bill’s previous version.
Penalties and Enforcement
- Penalties would be capped at the greater of five percent of an organization’s gross global revenue or 25 million CAD for the most serious offences (prosecuted as crimes), and the greater of three percent or 10 million CAD for administrative monetary penalties. This is significant, as the GDPR tops out at four percent of global turnover or 20 million EUR. The Privacy Commissioner would investigate and recommend penalties; the new data protection tribunal would decide whether to impose them and would hear appeals of the Commissioner’s findings and orders.
- The Privacy Commissioner can also issue compliance orders, mandate third-party audits, approve internal certification programs, and compel information sharing with other regulatory bodies when appropriate.
It is also important to account for the AI component of the Digital Charter Implementation Act, as AI regulation is a growing concern. If passed, AIDA would, among other things, require those responsible for high-impact AI systems to identify and mitigate risks of harm and biased output and to increase transparency with the public, for instance by publishing plain-language descriptions of those systems. It would define prohibited conduct and create a separate AI and Data Commissioner to support enforcement. The EU and UK also have AI regulation in progress, so it will be interesting to compare the approaches as laws pass in different parts of the world.
The protections outlined above illustrate how the new Canadian law aims to strike a balance between business interests and consumer rights while paralleling the strict protections of laws like the GDPR. As the bill moves through the legislative process, monitor any amendments and interpretive guidance. How the penalty regime plays out will be particularly interesting, as it allows for record-breaking fines. Staying informed will help organizations proactively build compliance roadmaps and be better prepared when the law comes into force. Finally, obtain legal advice before making any decisions.