The CPPA or the Consumer Privacy Protection Act is included under the Digital Charter Implementation Act, 2019. After the EU’s GDPR and California’s CPPA were passed, the CPPA likewise updates Canada’s data privacy laws, bringing them in line with new international norms.
On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects individuals’ personal information and regulates organizations’ privacy practices. Bill C-27: Digital Charter Implementation Act, 2022 will implement the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001. While updated a number of times since it took effect, the broad consensus is that PIPEDA is in need of a general overhaul. The government’s first shot to do so was the 2019 Bill C-11: Digital Charter Implementation Act, 2019. However, Bill C-11 languished in Parliament, ultimately dying with the federal October 2019 federal election. The consensus at the time was that Bill C-11 required revision before it was passed in any event (though it did give organizations a sense of what to expect).
Powers of the Privacy Commissioner under the CPPA
Under the CPPA the Privacy Commissioner may:
Request the production of records
Enter private places to examine records
Share relevant information with federal regulatory bodies
Share information with provincial authorities and foreign states
Consumer rights under the CPPA
Under the CPPA, individuals would have “private right of action”, which enables them to sue organizations under certain circumstances if privacy violations are upheld by the Privacy Commissioner after investigation. Individuals can claim damages for loss (financial or otherwise) and/or injury suffered as a result of the violation. The offending organization may also be subject to administrative fines levied by the Privacy Commissioner.
Individuals have the right to access their personal information, and request amendments to it if it is incorrect or outdated. Organizations that receive such requests are then legally required to respond within 30 days of receipt. Any inaccurate, outdated, or incomplete information must be amended to the individual’s satisfaction. Individuals can also request the deletion or transfer of their information to another organization at any time (data portability) and the company has to ensure that necessary safeguards for the data remain in place for that process.
Responsibilities of businesses and foreign companies under the CPPA
Companies would not be any more restricted from transferring data outside of Canada under the CPPA, though they do have to enable user data to be deleted or transferred elsewhere upon request, and to appropriately safeguard the data at all points. They would also be less restricted in how long they can keep data than under PIPEDA, which stipulated data could only be kept for as long as needed to fulfill the purpose for which it was collected. Organizations do not have to enable users to opt out of automated decision-making that’s done using their data, but they do have to be able to provide an explanation about that usage and how it’s done, upon request.
In the event of a breach, companies would have more accountability obligations under the CPPA, especially regarding notifications and sending them as quickly as possible, as well as recordkeeping related to any breaches. Organizations would also need to implement and maintain a privacy management program and perform privacy assessments, as a matter of regular operations and not just when there was a breach.
With the private right of action that individuals would receive under the CPPA, companies would either have to prove that a breach did not occur if accused of a violation and sued for it, or reasonably disprove that damages or injury occurred. As we have seen with lawsuits to date resulting from the CCPA in California, it has been difficult to achieve that. Under the CPPA companies would also be at risk of far higher penalties than under PIPEDA if a violation is upheld.
Appropriate purposes for data processing
Under the CPPA, Section 12(2), organizations may only collect, use or disclose personal information in “appropriate” circumstances, relating to:
(a) the sensitivity of the personal information;
(b) whether the purposes represent legitimate business needs of the organization;
© the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
(e) whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Potential contraventions of the CPPA by businesses, separate from violations themselves, which are punishable by fine, include:
Re-identifying personal information that has been de-identified
Contravening any order issued by the Privacy Commissioner following an enquiry
Obstructing the investigation of a complaint or the conduct of an audit
Penalties and enforcement
Noncompliance penalties under the CPPA would be significant. Most fines would be up to 3 percent of a company’s total global revenue for the previous year, or CA $10 million (whichever is higher). For the highest tier offenses, fines could be up to 4 percent of a company’s total global revenue for the previous year, or CA $25 million (whichever is higher).