Society of Corporate Compliance and Ethics (SCCE)

Report on Supply Chain Compliance 3, no. 23 (December 10, 2020)

The Canadian government introduced a bill into Parliament Nov. 17, the Digital Charter Implementation Act of 2020,[1] that makes a number of changes and clarifications to Canada's existing data privacy regulatory framework. The bill would establish a new privacy law (the Consumer Privacy Protection Act) and create the Personal Information and Data Protection Tribunal. The Consumer Privacy Protection Act lays out the changes to existing law, while the Tribunal adds an enforcement layer: it hears appeals of the Privacy Commissioner's findings and orders and imposes the administrative monetary penalties the Commissioner recommends, giving private enterprise, the government and private citizens a forum for disputes under the new law.

The act applies[2] to any organization in respect of personal information:

  • That collects, uses or discloses such information “in the course of commercial activities.”

  • That is “about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

  • That is “collected, used or disclosed interprovincially or internationally.”

  • That is “collected, used or disclosed by an organization within a province, to the extent that the organization is not exempt from the application of this Act under an order made under paragraph 119(2)(b).”

The proposed act defines personal information as “information about an identifiable individual.” This closely mirrors the GDPR definition of personal data (“any information relating to an identified or identifiable natural person”). The GDPR also goes into detail[3] regarding the meaning of an “identifiable” individual, and companies should refer to those definitions to gain a deeper understanding of the regulatory burden under this proposed law.

The critical requirements for companies to be aware of are the privacy management program and the appointment of a designated individual. The law requires that companies put together a compliance program specifically tailored to the protection of personal information, covering both privacy and data security. All of the standard elements of a compliance program may be a part of the privacy management program, including policies and procedures, training and education, and auditing and monitoring. The designated individual is accountable for the organization's compliance with the act and is essentially the go-to person for privacy and data security in the event of a complaint, breach or other action.