Newsletter

GDPR-Like Privacy Rights May Get a Little Closer to Home

December 2020

Privacy in Focus®

On November 17, 2020, the Canadian Minister of Innovation, Science and Industry introduced Bill C-11, the Digital Charter Implementation Act, which proposes a new privacy law called the Consumer Privacy Protection Act (CPPA). The CPPA would overhaul Canadian privacy law and heighten the privacy obligations for businesses, including U.S.-based businesses, that are engaged in commercial activity in Canada and collect, use, or disclose the personal information of individuals in Canada. Canadian government officials estimate 18 months for the CPPA to make its way through committee and become law. While there may be changes to the proposed legislation as it works its way through committee, businesses with Canadian-based customers will need to carefully assess their privacy compliance programs to account for proposed changes in the law.

The CPPA would introduce significant changes to Canadian privacy law to keep pace with global privacy regimes such as the European Union’s General Data Protection Regulation (GDPR). The bill would repeal provisions of the country’s 20-year-old privacy framework, the Personal Information Protection and Electronic Documents Act (PIPEDA). Influenced by the GDPR and the California Consumer Protection Act, the proposed legislation would expand consumer rights, strengthen enforcement, and impose stiff fines for noncompliance.

Under the CPPA, the federal Privacy Commissioner would be granted broad rulemaking, investigative, and enforcement authority. The legislation would subject businesses to steep penalties on a tiered scale. The fine is set at the greater of $10 million or up to 3% of an organization’s global revenue for lesser offenses, and the greater of $25 million or up to 5% of global revenue for more serious offenses. If enacted into law, these penalties would set the CPPA apart as having the highest financial penalties among G7 nations. The CPPA also introduces a private right of action, adopts new consent rules, and requires algorithmic transparency and data portability. It also creates a new administrative agency to monitor and enforce the law. 

Specifically, the new privacy framework would include:

Expanded Consumer Rights: The legislation would adopt new GDPR-inspired consumer rights including algorithmic transparency, data portability, and the right of deletion, subject to limited exceptions. Specifically, the CPPA requires:

  • Algorithmic Transparency. New transparency rules would require businesses to provide explanations when automated decision-making systems such as algorithms and artificial intelligence are used in significant predictions, recommendations, or decisions about individuals. Unlike the GDPR, the bill would not confer the right to object or opt out of automated tools.
  • Data Portability. An individual would be able to request that a business transfer their personal information from one organization to the next.
  • Right of Deletion. Subject to limited exceptions, individuals would also be allowed to request that an organization delete their personal information.

Existing consent rules would also be strengthened, requiring businesses to provide plain-language disclosures about the processing of personal information in connection with obtaining “meaningful consent.”

Data Minimization and Data Retention: The legislation would require organizations to retain information used for decision-making for a sufficient period of time to permit individuals to make a request to access or amend that information. The legislation provides rules governing the context under which de-identified information derived from personal information may be created, used, and shared. The legislation also requires businesses to de-identify information prior to sharing it with parties in the context of a proposed business transaction.

New Administrative Tribunal: The CPPA would create a new administrative tribunal – the Personal Information and Data Protection Tribunal (“Tribunal”) – that would impose penalties and hear appeals of decisions issued by the Office of the Privacy Commissioner of Canada. Under the CPPA, the Privacy Commissioner would make a recommendation to the Tribunal to impose penalties for CPPA violations. The Tribunal may then rely on either the recommendation presented or its own findings.

Private Right of Action: Individuals have the right to bring suit against an organization within two years after the Privacy Commissioner issues a finding of a privacy violation that is upheld by the Tribunal.

Given the wide scope of the proposed law, it is important for businesses engaged in commercial activity in Canada to pay close attention to potential compliance obligations. Businesses should be prepared to honor the enhanced consumer rights of individuals located in Canada and implement operational safeguards to comply with the CPPA’s obligations, including data minimization and retention requirements.

Wiley’s Privacy, Cyber & Data Governance team has helped entities of all sizes from various sectors proactively address risks and address compliance with emerging privacy regimes around the globe. Please reach out to any of the authors with questions.

© 2020 Wiley Rein LLP
