Oh Canada! – Your Privacy Act is Calling: Canada to Reform its Approach to Consumer Privacy Protection
April 19, 2021
On Nov. 17, 2020 the government of Canada introduced Bill C-11, also known as the Digital Charter Implementation Act, 2020 (the Act). The Act would create the Consumer Privacy Protection Act (CPPA), not to be confused with California’s Consumer Privacy Act (CCPA), with the intent to modernize Canada’s existing private sector privacy law. The goal of the Act is to significantly increase privacy protections for Canadians by giving them more control over their personal data and greater transparency with respect to company use of their personal data. If the Act is passed, it would replace a portion of the Personal Information Protection and Electronic Documents Act (PIPEDA) and rename it to CPPA. The Act is expected to pass sometime in 2021. Below are several important aspects of CPPA that companies should keep in mind as it nears enactment.
CPPA in its current form would be applicable globally. The Act’s language does not limit the definition of commercial activities to just those activities within Canada, and it explicitly states that it applies internationally. CPPA states that it applies to “every organization” that collects, uses or discloses personal information in the course of commercial activities. Further, it states that it applies to personal information that is collected, used or disclosed interprovincially or internationally by an organization.
Increased Individual Rights
CPPA introduces some familiar individual rights that have been seen under both the European General Data Privacy Regulation (GDPR) and California’s CCPA. These include the right to data mobility, which is very similar to GDPR’s right to data portability. This gives individuals the right to direct the transfer of their personal information from one organization to another. Further, CPPA establishes the right of disposal, which is similar to GDPR’s right to erasure (sometimes referred to as the right to be forgotten) and CCPA’s right to be forgotten. Under this right, individuals will be able to request that companies dispose of personal information and withdraw consent for the use of their information. However, like GDPR and CCPA, this is not without exceptions. For instance, the right of disposal may not be available where retention is required by law, where disposal is prevented by “reasonable terms of a contract” or where it would delete the personal information of another individual.
CPPA also maintains the data subjects’ rights already under PIPEDA, namely the right to access personal information and the right to correct personal information.
Consent-Centric Law Remains
PIPEDA was often viewed as a consent-centric law. However, it has shortfalls, including consent fatigue and disagreements about the role of implied consent. CPPA aims to simplify consent, while still keeping it central to Canadians’ data privacy rights. Unlike GDPR, CPPA does not create separate legal bases for processing data; consent will remain central to processing.
CPPA essentially codifies the Office of Privacy Commissioners of Canada (OPC) guidance from 2018 concerning consent. The OPC is Canada’s compliance mechanism concerning PIPEDA. Consent will still be required for collection, use and disclosure of personal information. The validity of the consent now requires that information about processing be provided in plain language. For example, the purpose of collecting the data must be explained in plain language. Further, consent will have to be expressly obtained unless a company can establish that implied consent was appropriate. However, CPPA expands exceptions to the consent requirement including for certain business activities, research and development, and transfers to service providers.
Increased Enforcement Powers and Private Rights of Action
Currently, the OPC has very limited rights and is unable to levy fines for noncompliance with the law. The CPPA changes this by both introducing significant monetary penalties and increasing enforcement powers. Under CPPA, OPC will have the power to launch official inquiries and will render actual decisions that are subject to legal challenge. The OPC will also be able to recommend monetary penalties to the new Tribunal. The Tribunal will be the appeal board for decisions made by the OPC and will be the decisionmaker concerning penalties.
The new penalties under CPPA are significant. Administrative monetary penalties may be levied in an amount of 3% of global revenue or C$10 million, whichever is greater. For more serious offenses, such as failing to report a breach, the maximum fine would be 5% of global revenue or C$25 million, whichever is higher.
Like PIPEDA, there will continue to be a private right of action under CPPA. However, CPPA restricts claims to those in which the OPC or the Tribunal has found a breach of the CPPA or where the organization was convicted of an offense.
There has not been significant movement with respect to enacting this Act since its introduction. However, projections have this law being passed sometime in 2021, and updated privacy laws appear to be an important issue for Canada’s federal government to resolve. If the federal government does not step in, then other local legislation will take over, similar to what is happening in the United States (see both the California and Virginia Privacy Laws). For example, in June of 2020 Quebec introduced Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information. This bill, which is currently working its way through committee, drew influence from both PIPEDA and GDPR. Further, although Canada has maintained its adequacy status to continue data transfers between Canada and the EU, that could easily change in the wake of the Schrems II decision without updated privacy laws.