Canadian Data Privacy Laws Are Changing. Is Your Business Ready to Keep Up?
Walter, Carly J.; Hulton, Wendy G.
Industry Alerts
Introduction
On November 17, 2020, Canada’s federal government introduced a bill to enact new legislation that would strengthen protections for individuals from privacy loss due to the failures and limitations of corporate consumer privacy measures. The proposed legislation, known as the Consumer Privacy Protection Act (“CPPA”), would be the first major overhaul of Canada’s privacy law rules on the private sector since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force in April 2000.
If the CPPA passes into law, it will replace the PIPEDA, currently the leading federal privacy law governing federally-regulated corporations and private sector companies in Canadian provinces and territories that do not have their own privacy legislation. The bill to enact the proposed legislation, including the CPPA, is at first reading. The next step would be for it to go to second reading and then to a committee for further review and recommendation, before ultimately receiving royal assent and passing into law.
Key Changes Proposed to Canada’s Consumer Privacy Framework
The CPPA proposes several key changes to Canada’s corporate consumer privacy rules:
- First, the CPPA imposes administrative penalties of up to 3% of global revenue or $10 million CAD for non-compliant organizations. In addition, the CPPA expands the range of privacy-related offences; penalties for certain offences under the CPPA subject non-compliant organizations to a maximum fine of 5% of global revenue or $25 million CAD.
- Second, the CPPA creates the Personal Information and Data Protection Tribunal (the “Tribunal”). The Tribunal is empowered to issue penalties and fines under the CPPA upon recommendations from the Office of the Privacy Commissioner of Canada (the “Commissioner”). The Tribunal will also adjudicate appeals from the Commissioner’s orders.
- Third, the CPPA broadens the order-making powers of the Commissioner. Under the CPPA, the Commissioner may order an organization to:
  - Take measures to comply with the CPPA;
  - Stop doing something that is in contravention of the CPPA;
  - Comply with the terms of a compliance agreement that has been entered into by the organization; or
  - Make public any measures taken or proposed to be taken to correct the policies, practices, or procedures that the organization has put in place to fulfil its obligations under the CPPA.

  Furthermore, as mentioned above, the Commissioner may recommend that the Tribunal issue a fine or penalty on an organization for violating certain provisions in the CPPA.
- Fourth, the CPPA clarifies the rules for valid consent to data sharing. To obtain valid consent under the CPPA, an organization must provide individuals with certain information before the individual can consent to having his or her data collected. Specifically, the information that organizations must provide includes the purpose(s) of the collection, use, and disclosure, the “reasonably foreseeable consequences of the collection, use or disclosure,” the types of personal information involved, and the “names of any third parties or types of third parties to which the organization may disclose the personal information.” Implied consent will be acceptable in certain circumstances, taking into account the individual’s reasonable expectations and the sensitivity of the personal information.
- Fifth, the CPPA enhances consumers’ control over the personal information organizations collect. Under the CPPA, individuals are allowed to request disposal of their personal information, and individuals are allowed to withdraw consent to the use of their information. Individuals will also be granted data mobility rights, namely the ability to transfer their personal information from one organization to another. However, it should be noted that in certain circumstances organizations will be allowed to use de-identified information without an individual’s consent. For example, the CPPA would allow organizations to disclose de-identified data to public entities in certain circumstances for “socially beneficial purposes.”
- Sixth, the CPPA introduces new transparency rules for “automated decision systems” (aka algorithms) organizations employ “to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” The provisions provide individuals the right to request that organizations explain how a prediction, recommendation, or decision was made by an automated decision-making system and explain how the information was obtained.
Global Considerations
If the CPPA passes into law, Canada would be following many other jurisdictions that have strengthened and updated their privacy laws in recent years, including the European Union.
In 2018, the European Union implemented the General Data Protection Regulation (the “GDPR”) to strengthen and modernize its corporate consumer privacy regulations. The rules and regulations contained in the GDPR inspired many of the recommendations in the House of Commons Standing Committee on Access to Information, Privacy and Ethics’ 2018 report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act (the “Report”). In turn, the Report influenced many of the new rules and regulations for corporate consumer privacy measures in the CPPA.
The GDPR’s influence on the CPPA is also relevant to the extent that the CPPA would harmonize the corporate consumer privacy rules in the European Union and Canada. Since the European Union implemented the GDPR in April 2018, Canadian companies have faced legal obstacles to doing business in the European Union. The GDPR imposes strict rules on corporate consumer privacy measures, and until now, most Canadian companies’ consumer privacy measures coincided with the comparatively lower standards in the PIPEDA. By bringing their measures in line with the CPPA, Canadian companies doing business in the European Union would likely avoid many of the legal obstacles posed by the GDPR’s standards.
Impact on Provincial Legislation
The impact of a new federal legal framework for assessing corporate consumer privacy measures on provincial data privacy legislation remains unclear at this point. In fact, many provinces are currently in the process of revising their own rules regarding consumer data privacy. Quebec has introduced Bill 64, which brings its private sector privacy law close to the GDPR. Ontario has conducted consultations to establish private sector privacy protection laws that might be stronger than the PIPEDA, while British Columbia has started a review on improving its private sector privacy law.
Steps Organizations Should be Taking Now
While companies can expect a transition period to bring their practices in line with the new legislation, we recommend companies take the following steps:
- Affirm the company’s commitment to ensuring consumer data privacy by reminding employees that data should not be misused under any circumstances, and emphasize that current privacy measures should be taken seriously;
- Organize a team to review the current state of the company’s consumer data collection practices and privacy measures;
- Identify where current practices and measures may be falling short of current statutory requirements, and where improvements can be made to enhance consumer data privacy and reduce the risks of data privacy breaches;
- Develop a plan to rectify any non-compliance with current statutory requirements and improve current practices and measures;
- Implement rectification and improvement plans; and
- Prepare current procedures for additional changes by regularly monitoring and periodically revising consumer data collection practices and privacy measures.
Conclusion
Private sector companies in Canada should pay close attention to changes to the draft legislation as it moves through Parliament. Though it remains to be seen which aspects of the draft legislation will be adopted, what is clear is that Canadian privacy law is changing, and most companies will find it necessary to change their consumer data collection practices and enhance privacy measures in light of the stricter requirements and stiffer penalties included in the CPPA.