On November 17, 2020, the Canadian government introduced sweeping new privacy legislation. Learn not only what the new Bill means for you, but also why you might want to act now, below.
With the introduction of the Consumer Privacy Protection Act (CPPA), last week marked the biggest shift in Canada’s privacy regulation landscape in over two decades. Data privacy protections were first enshrined federally with the 1996 Model Care for the Protection of Personal Information. Canada’s current privacy legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA) – built upon these earlier guidelines and became law in 2000, updated again in 2015 and 2019.
At its inception, the PIPEDA aimed to govern private and public sector entities who collect and/or use personal information throughout their operations, but has long been seen as outdated and lacking real teeth by Canadian and international bodies alike. Federal Privacy Commissioner Daniel Therrien said in a press conference in October 2020 that the ongoing COVID-19 situation and subsequent greater reliance on technology has exposed further cracks in Canada’s privacy protection: “Privacy is considered by the government as a good practice, but not a legal requirement. How long can this go on?” Canada has long lagged behind its natural allies when it comes to protecting collected data; across the pond, the European Union passed sweeping privacy legislation five years earlier, and the United Kingdom implemented their own Data Protection Act in 2018.
With the Liberal’s tabling of the CPPA last week, the government showed it now intends to play catch-up (and make good on some 2019 election platform promises and mandate letter commitments). Parliamentary debate and ruling in upcoming months will determine whether the government is able to accomplish this goal – but the initial reading shows they are certainly trying. In fact, the best word to sum up the CPPA in relation to the PIPEDA might be “more”: more accountability, more enforcement, more transparency, and more individual rights.
Accountability and Enforcement
Under PIPEDA, the Privacy Commissioner of Canada has no power to make binding orders or to recommend monetary penalties. Under the CPPA, the Commissioner, aided by the proposed Personal Information and Data Protection Tribunal, can do both: after conducting an inquiry, the Commissioner can either directly impose an order (e.g., an order requiring a party to take measures to comply with the CPPA) or recommend that the Tribunal impose a monetary penalty. If a penalty is recommended, and depending upon the offence, the Tribunal has the discretion to impose a fine of up to the greater of $25,000,000 or 5% of the organization’s annual gross global revenue – the heaviest fines among the G7 nations’ privacy laws. The proposed legislation also introduces another new form of penalty: a private right of action for individuals affected by a contravention of the CPPA – opening the door for individual or class action litigation.
Should the CPPA pass in its current form, organizations governed by the legislation will also find themselves subject to increased transparency requirements. While PIPEDA did require organizations to implement certain privacy policies and programs, the CPPA goes one step further by creating a specific obligation for every organization to have a, producible upon request, “privacy management program” that details how the organization complies with the Act. Organizations will also find they may need to update consent language: the CPPA sets out certain information that organizations must provide, in “plain language,” to individuals in order for the consent to be valid. And, if an organization uses AI or other automated decision-making processes to make a decision, recommendation, or prediction about an individual, it must be able to provide information about that decision, recommendation, or prediction (and the personal information that went into that judgment) upon request.
In addition to the private right of action mentioned above, the CPPA as written awards a number of other individual rights. For example, individuals will be able to request that an organization dispose of their personal information. Individuals will also be able to request that organizations seamlessly transfer the personal information they have about that individual to another organization (“data mobility”).
In short, the CPPA proposes to introduce tough new requirements and obligations together with tough new consequences for non-compliance. Of course, these new features are dependent on the legislation passing in its current form – a far from certain outcome. Bill C-11 was tabled for first reading on November 17th, with debate in the House of Commons beginning on Nov 24th. The bill will be subject to several days of debate before voting at the second reading stage, at which point it will go to Committee for review. In Committee, like in the House, opposition parties will have a large say in any amendments proposed to the legislation as the Liberals lack a majority. Already, members of the opposition (and the Privacy Commissioner of Canada) have identified ways they believe the legislation should be strengthened or improved.
During this process, engaging with government, including Minister Bains’ office, as well as opposition critics and MPs on the applicable Committee, will be crucial to businesses and organizations whose operations centre on the collection of personal information. Any one wishing to engage with government in this manner is encouraged to contact McMillan Vantage: with a team of former senior advisors to Prime Ministers and Premiers, former Ministers of Finance, Foreign Affairs and International Trade, Deputy Ministers, and tenured consultants, we are proven experts in how and why governments make decisions. We understand how governments work, and how to make sure your voice is heard.
Our full service firm offers both government relations and communications counsel. Our communications team is uniquely positioned to communicate pending statutory requirements within your organization and to help develop internal and external materials and strategies to address the new burdens that the Act imposes. If there is a breach of the Act, our exceptional team of professionals can assist with litigation communication and crisis communication support. Supplementing our efforts, McMillan Vantage’s legal counter-part, McMillan LLP, offers a full-range of privacy-related legal services.
The foregoing provides only an overview and does not constitute legal advice. For help navigating the world of government or to receive McMillan Vantage’s tri-weekly COVID-19 updates, please contact firstname.lastname@example.org