In Canada, there has been talk for almost two years of initiating major legal reform of the country’s data protection landscape. The process was accelerated recently in June this year with the introduction of a bill to pass the Digital Charter Implementation Act. This is a sweeping piece of legislation that would enact not only a new privacy law (referred to as the Consumer Privacy Protection Act/CPPA), but also legislation to create a Privacy Court and regulate artificial intelligence (AI) development. The bill is expected to remain pending for the next year or two as it must go through the remainder of the legislative process and then be subject to a waiting period for organizations to create compliance initiatives. If passed as proposed, it would join the ranks of the GDPR with some tougher regulations and hefty fines, so it’s important to monitor the process and start preparing now.
The old law
Canada has relied on the Personal Information Protection and Electronic Documents Act (PIPEDA) to regulate privacy for over twenty years. During this time, the world has changed drastically in terms of electronic communications and data sharing. Almost everything is now digital, making PIPEDA extremely outdated and putting Canadian consumer data at risk. The large gaps that exist under PIPEDA present greater opportunities for data misuse and an increased risk of breaches. These include the lack of enhanced consumer controls – such as a firm right to erasure – and a lack of oversight requirements to prevent unnecessary processing or prolonged storage of personal data.
The new law
If the Digital Charter Implementation Act is passed, the CPPA would effectively replace PIPEDA and give Canadian consumers more control over their data. The law applies to data processing at the federal level, which is necessary as some provinces such as Quebec have already modernized their data protection landscape. A federal standard will provide clearer guidance for organizations operating in multiple jurisdictions, and will also serve as a model for future provinces wishing to create their own legislation.
In addition to data processing related to commercial activity, the law also applies to data processed for federal employees or job applicants. Employee data in the private sector is not specifically addressed, which is the norm in other data protection laws around the world.
Here are some important CPPA provisions to be aware of:
- Key consumer rights include erasure, access, removal, rectification and portability. These rights generally appear in most new data protection laws.
- Individual consent is required before an organization can lawfully collect data. Exceptions are data processing activities for the following purposes: public interests such as a health emergency; publicly available information; anonymized personal data; investigation of a breached agreement under federal, state, or security law; when there is a reasonable expectation that information will be collected for a business purpose; and disclosure to a service provider when equal protection is established, often through a contract. These exceptions are intended to provide a better balance between consumer rights and an organization’s interests in using the data. This list is not exhaustive.
- Before collecting data, organizations must determine and record the purpose. Balancing interests with consumer rights is part of this process, which is similar to GDPR impact assessments.
- Organizations must designate an individual or team to oversee compliance efforts. If organizations have already appointed a data protection officer for GDPR compliance, the obligations will undoubtedly overlap.
- Organizations must create a data protection management program that takes into account all CPPA obligations. If one already exists, the compliance team must prepare an audit to identify gaps in policies or processes. For example, the CPPA clearly requires personal data to be deleted once the intended use is fulfilled, which may require changes to existing retention programs.
- The ability to collect and process data for minors will be restricted as the CPPA clearly classifies this information as sensitive. This was heavily debated in the previous version of the bill.
Penalties and Enforcement
- Penalties are the greater of five percent of an organization’s worldwide gross revenue or $25 million for criminal or egregious offenses, and the greater of three percent or 10 million CAD for administrative violations. This is important as the maximum penalties imposed under the GDPR are lower. The Data Protection Court can hear appeals against fines imposed by the Data Protection Officer.
- The data protection officer can also issue compliance orders, order third-party audits, approve internal certification programs and, if necessary, enforce the exchange of information with other supervisory authorities.
It is important to consider the AI component of the Digital Charter Implementation Act as this seems to be a trending topic. If passed, this law would, among other things, oblige operators of high-impact AI systems to mitigate the risk associated with bias and increase transparency to the public. There will be a list of prohibited conduct and a separate officer to conduct enforcement. The EU and UK have also proposed legislation related to certain AI regulations, so it will be interesting to see the differences as legislation is passed in different regions of the world.
The protections outlined above illustrate how the new Canadian law aims to strike a balance between business interests and consumer rights, while maintaining strong protections provided by laws such as the GDPR. Monitor any changes or interpretive guidance as the legislative process continues. It will be particularly interesting to see how the penalty system plays out, as there could be record-breaking fines. Staying current helps organizations proactively create compliance roadmaps and be better prepared when the law goes into effect. Finally, get legal advice before making any decisions.