I struggled to come up with something to write since there was virtually no privacy news this week (wink).
And … what a week it’s been for privacy in Canada, eh?
After many years of trying to get the federal government to modernize our beloved PIPEDA, it would appear that we have finally begun the process. The Trudeau government tabled draft legislation Tuesday that would make significant changes to the federal private sector privacy landscape. Bill C-11, the Digital Charter Implementation Act, would replace Part 1 of PIPEDA with the Consumer Privacy Protection Act, create the Personal Information and Data Protection Tribunal Act, and make minor amendments to several other laws.
The CPPA encapsulates the most fundamental aspects of Part 1 of PIPEDA, as it remains focused on providing individuals with control over how their personal information is collected, used and disclosed by organizations in the course of commercial activity. However, there are several important changes in terms of both form and substance.
First, the federal privacy law would exist in a standalone act, no longer bound to other, unrelated parts dealing with electronic documents. And, although the CPPA remains rooted in the ten privacy principles we’ve all come to know and love, unlike PIPEDA, it does not incorporate wholesale and build on the Canadian Standards Association Model Code for the Protection of Personal Information (which was an unusual way to draft a law anyway).
In terms of substance, here are some of the most important changes:
- Privacy management program. Organizations would be required to maintain a privacy management program setting out policies and procedures to protect personal information, deal with privacy complaints, train personnel and develop materials to explain an organization’s policies, practices and procedures. The OPC would be authorized to demand access to these policies at any time.
- Appropriateness. The CPPA incorporates and builds on the “reasonable purposes” clause of PIPEDA with a more comprehensive standard for when it is appropriate to process personal information.
- Exceptions for business activities. The CPPA defines a list of “business activities” for which an organization can process personal information without consent.
- Transfers to service providers. The CPPA would firmly establish that knowledge and consent are not required to transfer personal information to a service provider. It also helpfully clarifies when an organization is considered to have control over personal information.
- Deidentified information. The CPPA defines circumstances in which deidentified information can be processed.
- Automated decision-making. If an organization uses an “automated decision system” to make a prediction, recommendation or decision about a person, the organization would be required, on request, to explain that prediction, recommendation or decision, as well as how the personal information used to make it was obtained.
- Data mobility. Individuals would have the right to transfer their data between organizations if those organizations are subject to a “data mobility framework” defined in regulation.
- Disposal of data. The CPPA would provide individuals with an explicit right to request the deletion of their personal information.
- Revised OPC powers. The OPC would have the authority to make orders requiring compliance with the act and recommend penalties.
- Tribunal. The new Personal Information and Data Protection Tribunal would hear appeals from OPC orders. It would also have the ability to impose penalties if recommended by the OPC.
- Penalties. The CPPA provides for maximum penalties of up to 3% of global revenue or C$10 million for most contraventions, and up to 5% of global revenue or C$25 million for certain offenses.
- Codes of practice and certification. The CPPA would allow for the creation of codes of practice and certification programs to facilitate compliance with the act, which would be subject to approval by the OPC.
- Private right of action. Individuals affected by contraventions of the law would have a right to sue for actual damages suffered. This right would only be available following an OPC finding that a contravention had occurred, and only where that finding is not successfully appealed to the tribunal.
The DCIA would create the most significant change in Canadian privacy legislation in 20 years, aligning the federal private sector privacy law — which applies throughout the country except in Alberta, British Columbia and Quebec — more closely with the EU General Data Protection Regulation.
Now, I’ve seen the blogs and the listservs celebrating or challenging some of these changes. This will all ultimately play out, and the law that’s been presented may not be the one we end up with. But … we saw some important progress this week with a proposed new law that is more attuned to today’s reality. No one can argue that. And I would say it’s one that, because of its emphasis in certain areas, shows the sheer importance of protecting personal information. And, since we’re all in that business (because that’s why you’re reading this, right?), we’re in the right business.
The funny thing is … I don’t even have enough space to go on about what’s been happening with the Privacy Act, because there’s movement there, too (public consultations and super interesting questions!). Oh well, fodder for the next message perhaps.
Have a good weekend, and be safe.