The Canadian CPPA is here and below is everything that you need to know about it.
The core of the data privacy law was laid out by Canada’s Minister of Science, Innovation and Economic Development, Navdeep Bains, on 17 November 2020, when Bill C-11, the Digital Charter Implementation Act, 2020 (‘DCIA’), was introduced. The bill would enact the Consumer Privacy Protection Act (‘CPPA’) and the Personal Information and Data Protection Tribunal Act (‘PIDPTA’), and would make consequential and related amendments to other acts.
The law will help reform private sector privacy legislation in Canada. The DCIA is one of the most significant reforms of the Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’) since its enactment two decades ago.
Key changes that will impact businesses include:
- modernised consent rules;
- data interoperability and algorithmic transparency provisions;
- modified privacy policy requirements;
- establishment of rights to erasure and data portability;
- expanded enforcement and oversight powers for the Office of the Privacy Commissioner of Canada (‘OPC’);
- increased penalty provisions;
- establishment of sector-specific codes and practices; and
- the creation of a tribunal system.
Among the main principles the bill is based on is that data collection must rest on meaningful consent and legitimate interests. Organizations must show healthy practices when it comes to automated decision-making. The collection must be in a de-identified information format, and there must be extra vigilance where data portability and mobility are concerned. Individuals, or data subjects, also reserve the right to erasure, as is the case under the GDPR. The data protection officers reserve the right to enhanced enforcement and oversight to ensure compliance with these terms, among other areas within the law.
The DCIA will have to make it through both Houses of Parliament for consideration before its implementation. The bill to reform Canada’s privacy law introduced new and stringent privacy compliance requirements for all businesses processing personal information and sensitive data of individuals at larger scales.
Schrems II and Canada
That decision did not touch on Canada’s adequacy but, clearly, the EU’s expectations since the General Data Protection Regulation (GDPR) came into place have increased, and the mandate for the European Data Protection Board is to review all adequacy findings.
The proposed changes will be implemented through the Digital Charter Implementation Act. It amends a number of pieces of legislation. First, Part 1 amends and renames PIPEDA, which will be known as the Consumer Privacy Protection Act. Part 2 establishes a specialized privacy and data protection tribunal through the Personal Information and Data Protection Tribunal Act.
Fines and penalties
Administrative monetary penalties of up to 3% of global revenue may be ordered for non-compliant organizations. The draft legislation also contains an expanded range of offenses for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue.
Codes of practice and certification
The CPPA would permit the approval of codes of practice and certification for certain activities and sectors, and would also provide certain protections to participants in relation to complaints and orders.
EU adequacy will be determined once the bill and the law are much more refined. Many of the issues that “Schrems II” raised in relation to the EU-U.S. Privacy Shield agreement are not quite so serious for Canada to overcome but must still be addressed.
The Digital Charter Implementation Act was introduced to reform Canada’s privacy legislation. How far will its effect reach? Perhaps it is too soon to tell. You can read the complete bill here. If this takes on a more solid shape, then the law is bound to change the privacy landscape in Canada within the next couple of months.