On November 17, 2020, the Minister of Innovation, Science and Economic Development tabled a bill that will change the privacy landscape in Canada. Once it is passed, businesses are expected to have 18 months to adapt to the change.
The legislation will be called the Consumer Privacy Protection Act (CPPA). It replaces the parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that address data privacy. The legislation applies to interprovincial, cross-border and in-province data, except where a province has its own substantially similar data protection legislation (currently BC, Alberta and Quebec have such legislation).
- Consent to collection must be meaningful, and the information supporting it must be provided in plain language.
- An individual has the right (subject to regulations) to request the transfer of personal information. It is anticipated that we will first see this in relation to changing financial institutions.
- A right to disposal (the "right to be forgotten"). On request, and subject to legitimate retention needs, an organization must dispose of the personal information it holds about an individual. Consent can also be withdrawn.
- Implied consent to collection is recognized. This should simplify matters for both businesses and consumers.
- Automated decision systems, such as artificial intelligence, must be transparent when they are used to make decisions about individuals. An individual has the right to an explanation of how a prediction, recommendation or decision that affects them was made by such a system.
- Anonymized or de-identified information (e.g. with names removed) must still be protected and can only be used in specific circumstances, such as internal research and development.
Part of the bill creates the Personal Information and Data Protection Tribunal. The Privacy Commissioner can apply to this Tribunal for administrative monetary penalties (AMPs). As under the Competition Act, AMPs do not require proof beyond a reasonable doubt and are not a finding of guilt, but they do represent a real disincentive to disregarding the legislation. AMPs can be up to 3% of global revenue or $10 million, whichever is higher. In the most severe cases, fines are possible; they can be as high as 5% of global revenue or $25 million, whichever is higher. The Tribunal must consider a number of factors, including the nature and scope of the contravention, whether the organization has voluntarily compensated the persons affected, and the organization's history of compliance.
Directors and officers face personal liability for contraventions of the legislation.
Organizations must implement a privacy management program. This must include policies and procedures to:
- designate a privacy officer,
- protect personal information,
- address how requests for information and complaints are dealt with,
- train staff on privacy, and
- develop materials that explain how the organization meets its obligations under the Act.
Codes of Practice and Certification
The bill recognizes that data protection is complex. The Commissioner can approve codes of practice and certification programs that apply within an industry, sector or business model. This should simplify application of the CPPA for all businesses, and for small businesses in particular. Certification can also provide a safe harbour.
In fields such as public health, infrastructure and environmental protection, the disclosure of de-identified data to public entities for socially beneficial purposes will be permitted. The details will be developed as regulations are adopted.
It will be crucial for businesses to review their privacy policies and practices before the legislation comes into force. Businesses that operate in the EU will have a head start, since many of these principles are already found in the GDPR.
At Simplex Legal we have the expertise to help our clients prepare for these changes.