Wednesday, February 24, 2021

Are You Ready for a New Canadian Privacy Law?

As if we weren’t already confused by COPPA, CCPA, and CPRA, we may soon welcome CCPA as the newest addition to the “A-C-P” alphabet soup of data privacy laws.

Here is a primer to avoid confusion:

COPPA = Children’s Online Privacy Protection Act 

CCPA = California Consumer Privacy Act

CPRA = California Privacy Rights Act 

CPPA = Consumer Privacy Protection Act 

On Nov. 17, 2020, Canada’s federal government introduced a bill to enact new legislation to strengthen data privacy protections for individuals. The proposed legislation, known as the Consumer Privacy Protection Act (CPPA), would be the first major overhaul of Canada’s privacy laws since the Personal Information Protection and Electronic Documents Act (PIPEDA) became effective in April 2000. If passed, CPPA will provide data privacy rights to individuals similar to those afforded under the European Union’s General Data Protection Regulation (GDPR), the CCPA, and CPRA. 

CPPA will bring significant changes to PIPEDA including:

Enhanced Individual Rights: The CPPA would expand the rights of Canadian consumers in relation to how organizations collect and process their data. Similar to GDPR, consumers will have the right to request deletion of their personal data and to withdraw consent for any further use of their information. Consumers will also have the right to request transfer of their data from one organization to another. Businesses will be required to transparently describe to individuals any use of an automated decision system — such as algorithms and artificial intelligence — to make predictions, recommendations, or decisions about individuals that could have a significant impact on them. Individuals will also have the right to request an explanation as to how information about them was obtained as well as how any prediction, recommendation, or decision was made by an automated decision-making system.  

Privacy Policies and Procedures: The CPPA would require a privacy management program that includes policies and procedures related to how personal information is protected, how  privacy complaints are handled, and employee training. 

New Tribunal: The CPPA would create a new Personal Information and Data Protection Tribunal. This Tribunal would be empowered to issue penalties and fines under the CPPA upon recommendations from the Office of the Privacy Commissioner of Canada. The Tribunal would also adjudicate appeals from the Commissioner orders.

Administrative Penalties: Perhaps the biggest change from PIPEDA is the new power of the Commissioner to order a company to cease processing activities and to levy fines or penalties for non-compliance. Penalties can be imposed as high as 5% of a company’s global revenue, or $25 million, whichever is greater. 

Private Right of Action: The CPPA includes a private right of action for those who claim the use of their data contravenes their CPPA rights. Individuals can sue for “damages for loss or injury” if the Commissioner has rendered a final finding that the organization failed to comply with the CPPA.   

If Canada enacts the CPPA it will be following many other jurisdictions that have strengthened and updated their privacy laws in recent years to create more rights for consumers and new compliance obligations for organizations, even entrepreneurial ones. If you are doing business with our neighbor to the North, it is a good time to review your current privacy policies and procedures. If your privacy management  program was already prepared for the GDPR and CCPA, you may be in pretty good shape and likely have a foundation to build on. You should however still consider conducting a compliance review identify any gaps to be addressed. If you have done nothing to prepare for GDPR or CCPA you should get your house in order now to avoid potential penalties and litigation.

We will continue to monitor progress of this Canadian legislation to see if it becomes a new addition to our already crowded list of data privacy acronyms.

No comments :

Post a Comment