Canada’s federal government introduced Bill C-27 in the House of Commons on June 17, proposing the most significant changes to Canada’s federal privacy regime in 20 years.
PIPEDA, the Personal Information Protection and Electronic Documents Act, was introduced in 2001, and at the time was regarded as providing a principles-based approach to privacy protection that was balanced and innovative. However, it was developed prior to the advent of the internet and social media and many of the innovations that have subsequently impacted personal information use and collection. Except for inclusion of mandatory breach notification in 2018, there has been no substantive update.
Last year the federal government introduced a proposed overhaul, which drew considerable criticism and did not advance because of a federal election. Now, the Digital Charter Act (Bill C-27) has been introduced to create a Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
Canada’s federal privacy law currently applies to ‘federal works, undertakings and businesses’, as will CPPA. This includes areas under federal jurisdiction, such as banks, aeronautics, and telecommunications. The federal law also applies within provincial jurisdiction unless the province has passed its own substantially similar privacy law; currently Quebec, Alberta, and British Columbia have done so. The federal privacy law does not address the privacy of employees, however, unless the employer is directly under federal jurisdiction. CPPA will, however, expressly apply to interprovincial and international data flows, so it may apply concurrently with provincial privacy laws.
CPPA, like PIPEDA, will cover organizations that process personal information in the course of commercial activities; personal information is very broadly defined to include any information relating to an identifiable individual. The commercial-activities requirement excludes non-profit organizations and political parties; it also excludes the public sector, which at the federal level is subject to the Privacy Act.
CPPA represents a balance between the interests of the individual and business efficacy. The initial attempt to update the law last year met with a great deal of criticism from privacy advocates for its large number of confusing exceptions to consent, which left broad discretion to businesses. Consent is still an important requirement, but this version attempts to balance the interest of the organization against potential adverse effects on the individual. In addition, all minors’ data is considered sensitive, addressing another objection to the prior bill.
CPPA requires that the processing of personal information be both “reasonable and appropriate,” taking into account the sensitivity of the data, the purposes, the means, and whether the loss of privacy is proportionate. It also introduces an obligation to dispose of personal data once the purpose for its processing has been fulfilled, as well as an individual right to request data disposal. It mandates that organizations maintain a privacy management program, led by a privacy officer, which must be made available on demand to the Office of the Privacy Commissioner (OPC) to ensure accountability.
The bill still must go through several stages in Canada’s Parliament before it is enacted into law. After that, there will be a period of time, likely 18 months, to allow organizations to become compliant. Organizations should monitor the progress of the law, as well as any changes or amendments, and be prepared to act accordingly.