Introduction

On November 17, 2020, Canada’s federal government introduced a bill to enact new legislation to strengthen protections for individuals from privacy loss due to the failures and limitations of corporate consumer privacy measures. The proposed legislation, known as the Consumer Privacy Protection Act (“CPPA”), would be the first major overhaul of Canada’s privacy law rules on the private sector since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force in April 2000.

Key Changes Proposed to Canada’s Consumer Privacy Framework

The CPPA proposes several key changes to Canada’s corporate consumer privacy rules.

  • First, the CPPA imposes administrative penalties of up to 3% of global revenue or $10 million CAD for non-compliant organizations. In addition, the CPPA expands the range of privacy-related offences; penalties for certain offences under the CPPA subject non-compliant organizations to a maximum fine of 5% of global revenue or $25 million CAD.
  • Second, the CPPA creates the Personal Information and Data Protection Tribunal (the “Tribunal”). The Tribunal is empowered to issue penalties and fines under the CPPA upon recommendations from the Office of the Privacy Commissioner of Canada (the “Commissioner”). The Tribunal will also adjudicate appeals from the Commissioner’s orders.
  • Third, the CPPA broadens the order-making powers of the Commissioner. Under the CPPA, the Commissioner may order an organization to:
    • Take measures to comply with the CPPA;
    • Stop doing something that is in contravention of the CPPA;
    • Comply with the terms of a compliance agreement that has been entered into by the organization; or
    • Make public any measures taken or proposed to be taken to correct the policies, practices or procedures that the organization has put in place to fulfil its obligations under the CPPA.

Furthermore, as mentioned above, the Commissioner may recommend that the Tribunal issue a fine or penalty on an organization for violating certain provisions in the CPPA.

  • Fourth, the CPPA clarifies the rules for valid consent to data sharing. To obtain valid consent under the CPPA, an organization must provide individuals with certain information before the individual can consent to having his or her data collected.
  • Fifth, the CPPA enhances consumers’ control over the personal information organizations collect. Under the CPPA, individuals are allowed to request disposal of their personal information and individuals are allowed to withdraw consent to the use of their information. Individuals will also be granted data mobility rights, namely the ability to transfer their personal information from one organization to another. However, it should be noted that in certain circumstances organizations will be allowed to use de-identified information without an individual’s consent.
  • Sixth, the CPPA introduces new transparency rules for “automated decision systems” (aka algorithms) organizations employ to “to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” The provisions provide individuals the right to request that organizations explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.

Conclusion

Private sector companies in Canada should pay close attention to changes to the draft legislation as it moves through Parliament. While companies can expect a transition period to bring their practices in line with the new legislation, they should be prepared to review their consumer data collection practices and privacy measures. In many cases, it will be necessary to change these practices and measures in light of the stricter requirements and stiffer penalties under the CPPA.

 

ABOUT THE AUTHORS

Wendy G. Hulton is a Partner in Dickinson Wright’s Toronto office. She can be reached at 416-777-4035 or WHulton@dickinsonwright.com

Carly J. Walter is an Associate in Dickinson Wright’s Toronto office. She can be reached at 416-646-6877 or CWalter@dickinsonwright.com.

Dan A. Poliwoda is a Student at Law in Dickinson Wright’s Toronto office.