Privacy Web Series: A Primer on the Proposed Legislative Changes in Privacy Law

A long-awaited overhaul of privacy law is at hand to bring Canadian privacy legislation more in line with global standards, and address the challenges posed by new and evolving technologies. On November 17, 2020, the Canadian government tabled Bill C-11, the Digital Charter Implementation Act, 2020 (“Act”) which proposes to:

  • enact the Consumer Privacy Protection Act (“CPPA”) to replace Part 1 of the Personal Information Protection and Electronic Documents Act(“PIPEDA”), which is the part of PIPEDA that addresses privacy in the private sector; and
  • enact the Personal Information and Data Protection Tribunal Act establishing the Personal Information and Data Protection Tribunal, which would hear recommendations of and appeals from decisions of the Office of the Privacy Commissioner of Canada (“Commissioner”).

Over the coming months, we will be launching our new Privacy Web Series, “What Does the CPPA Mean For You?”. To watch a primer on the series, please click the “Watch Episode 1” button at the bottom of this page.

PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information during commercial activities. The core principle under PIPEDA is that organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. The CPPA continues to use a principles-based approach. The CPPA draws inspiration from Europe’s General Data Protection Regulation (“GDPR”) and California’s California Consumer Privacy Act (“CCPA”) and provides businesses with greater flexibility and clarity relative to the present privacy regime’s requirements. Most notably, it expands the powers of the Office of the Privacy Commissioner of Canada, with respect to mandatory orders and financial penalties. Under the CPPA, organizations that knowingly commit certain offences under the CPPA can face fines up to the greater of $25,000,000 and 5% of the organization’s gross global revenue, which is higher than the penalties under the GDPR and the CCPA. The CPPA will also include new obligations for businesses and new individual rights.

The Privacy Web Series will feature episodes on the following topics:

  • GDPR: Does Bill C-11 effectively usher in the GDPR regime to Canada?
  • Preparing Your Organization for Bill C-11: What should your privacy policy and breach response plan look like under Bill C-11? What are the consequences of non-compliance? How should organizations prepare for a privacy regime under Bill C-11?
  • Applicability and Exemptions: What organizations and types of information are captured under the CPPA? Who and what is exempt?
  • CPPA & AI: What are the implications of the CPPA on artificial intelligence technologies?
  • Business Transactions Exemption: PIPEDA sets out a regime for the use and disclosure of personal information, without knowledge or consent, by parties to a prospective “business transaction”. Under the CPPA, there is a new requirement that personal information be de-identified. How will this impact mergers and acquisitions?
  • Cross-Border Data Transfer & Outsourcing: How will the CPPA change cross-border data transfer and outsourcing requirements?
  • Individual Rights: The CPPA sets out new and amended individual rights, including the right to access, right to disposal, right to mobility, right of action, and right to algorithmic transparency. What do these new rights mean for individuals? What can organizations do to operationally give effect to these new rights?
  • Interaction with Provincial Legislation: In Ontario, the government launched a consultation process that closed on October 16, 2020, to create the province’s first-ever private sector privacy law. Quebec has also recently proposed a substantial overhaul of its privacy legislation in the form of Bill 64. Can the provincial privacy legislation be harmonized with the CPPA? What will be the compliance obligations for national organizations.

Stay tuned for more content on these changes throughout 2021. If you have specific questions regarding the applicability of Bill C-11 to your organization, or questions you would like answered in a subsequent video, please contact Ada Jeffrey or Wendes Keung. For more information about our privacy law practice click here.

 

The information and comments herein are for the general information of the reader and are not intended as advice or opinion to be relied upon in relation to any particular circumstances. For particular application of the law to specific situations, the reader should seek professional advice.

Related Categories
Core Areas