[co-author: Tawanna Lee]
On November 17, 2020, the Canadian Minister of Innovation, Science and Industry introduced Bill C-11, the Digital Charter Implementation Act, which proposes a new privacy law called the Consumer Privacy Protection Act (CPPA). The CPPA would overhaul Canadian privacy law and heighten the privacy obligations for businesses, including U.S.-based business, that are engaged in commercial activity in Canada and collect, use, or disclose the personal information of individuals in Canada. Canadian government officials estimate 18 months for the CPPA to make its way through committee and become law. While there may be changes to the proposed legislation as it works its way through committee, businesses with Canadian-based customers will need to carefully assess their privacy compliance programs to account for proposed changes in the law.
The CPPA would introduce significant changes to Canadian privacy law to keep pace with global privacy regimes such as the European Union’s General Data Protection Regulation (GDPR). The bill would repeal provisions of the country’s 20 year-old privacy framework, the Personal Information Protection and Electronic Documents Act (PIPEDA). Influenced by the GDPR and the California Consumer Protection Act, the proposed legislation proposes to expand consumer rights, strengthen enforcement, and impose stiff fines for noncompliance.
Under the CPPA, the federal Privacy Commissioner would be granted broad rulemaking, investigative, and enforcement authority. The legislation would subject businesses to steep penalties on a tiered scale. The fine is set at the greater of $10 million or up to 3% of an organization’s global revenue for lesser offenses, and the greater of $25 million or up to 5% of global revenue for more serious offenses. If enacted into law, these penalties would set the CPPA apart as having the highest financial penalties among G7 nations. The CPPA also introduces a private right of action, adopts new consent rules, and requires algorithmic transparency and data portability. It also creates a new administrative agency to monitor and enforce the law.
Specifically, the new privacy framework would include:
Expanded Consumer Rights: The legislation would adopt new GDPR-inspired consumer rights including algorithmic transparency, data portability, and the right of deletion, subject to limited exceptions. Specifically, the CPPA requires:
- Algorithmic Transparency. New transparency rules would require businesses to provide explanations when automated decision-making systems such as algorithms and artificial intelligence are used in significant predictions, recommendations, or decisions about individuals. Unlike the GDPR, the bill would not confer the right to object or opt out of automated tools.
- Data Portability. An individual would be able to request that a business transfer their personal information from one organization to the next.
- Right of Deletion. Subject to limited exceptions, individuals would also be allowed to request that an organization delete their personal information.
Existing consent rules would also be strengthened, requiring businesses to provide plain-language disclosures about the processing of personal information in connection with obtaining “meaningful consent.”
Data Minimization and Data Retention: The legislation would require organizations to retain information used for decision-making for enough time period to permit individuals to make a request to access or amend that information. The legislation provides rules governing the context under which de-identified information derived from personal information may be created, used, and shared. The legislation also requires businesses to de-identify information prior to sharing it with parties in the context of a proposed business transaction.
New Administrative Tribunal: The CPPA would create a new administrative tribunal – the Personal Information and Data Protection Tribunal (“Tribunal”) – that would impose penalties and hear appeals of decisions issued by the Office of the Privacy Commissioner of Canada. Under the CPPA, the Privacy Commissioner would make a recommendation to the Tribunal to impose penalties for CPPA violations. The Tribunal may then either rely on either the recommendation presented or its own findings.
Private Right of Action: Individuals have the right to bring suit against an organization within two years after the Privacy Commissioner issues a finding of a privacy violation that is upheld by the Tribunal.
Given the wide scope of the proposed law, it is important for businesses engaged in commercial activity in Canada to play close attention to potential compliance obligations. Business should be prepared to honor the enhanced consumer rights of individuals located in Canada and implement operational safeguards to comply with the CPPA’s obligations, including data minimization and retention requirements.