Canada introduces new privacy legislation. Here is what marketers need to know.
Earlier today, a bill to usher in a new Canadian privacy law was introduced. This is the first major attempt to change Canada's privacy law in decades, and in due course, marketers can expect Canada’s current Personal Information and Electronic Documents Act - PIPEDA - to be replaced.
Bill C-11, the Digital Charter Implementation Act (DCIA) would establish a new private sector privacy law for Canada, the Consumer Privacy Protection Act (CPPA), as well as a new Personal Information and Data Protection Tribunal.
The bill follows the federal government’s Digital Charter released in May last year, and their subsequent year and a half long consultation on PIPEDA reform that the CMA and other organizations were involved in.
What’s in the Bill?
The new bill includes some significant new changes to Canada’s privacy framework that marketers should be aware of. CMA members can access our preliminary overview of Bill C-11 for more details.
Of course, these proposals are subject to debate as the bill makes its way through the House of Commons (and eventually the Senate) in the coming months.
Like its predecessor PIPEDA, we’re glad to see the bill has remained principles-based and technologically neutral. It has a purpose statement that is balanced, recognizing both the individual right to privacy and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances
Here are the highlights:
Enhanced Enforcement and Major Financial Penalties
More powers for the Office of the Privacy Commissioner of Canada (OPC)
The OPC, which currently makes recommendations and not orders, will have new authority to issue binding orders to organizations related to investigations, inquiries and audits. Orders are intended to force an organization to comply, or to order a company to stop collecting data or using personal information.
Highest financial penalties in the G7
The OPC will be able to recommend administrative monetary penalties (AMPs) to a newly created Personal Information and Data Protection Tribunal for certain contraventions of the law. AMPs can be up to 3% of global revenue or $10 million for non-compliant organizations.
There will also be an expanded range of offences resulting in fines for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million. Finally, a new private right of action will allow individuals to sue an organization, if certain conditions are met, for damages for loss or injury that the individual has suffered as a result of specific contraventions of the law.
More Control for Consumers
At present, consumers have the right to access personal information organizations hold about them, challenge its accuracy and have it amended. The bill proposes the following additional levers for consumer control, similar to what we see under the EU’s GDPR:
Requests for deletion and withdrawal of consent
Upon an individual’s request, an organization must dispose of the personal information a consumer provided to them, and, in most cases, permit individuals to withdraw consent for the continued use of their information. For example, Canadians can demand that their information be destroyed by social media platforms. The OPC will have the ability to order a social media company to comply, including order it to stop collecting data or using personal information. There are, however, some specific grounds by which an organization can deny a request.
Requests for data mobility
To enhance individual control, consumers would have the right to direct the transfer of their personal information from one organization to another. This would require the creation of new regulations, and would be incumbent on both organizations being subject to a sector or activity-specific framework under these regulations.
Upgrades to Consent Requirements
Marketers will be pleased that the CPPA preserves Canada’s model of express or implied consent, giving organizations the choice of which type of consent is most acceptable.
New exceptions to consent
The bill also proposes several new exemptions to consent for the collection, use or disclosure of personal information, including for: certain prescribed business activities, transfers to service providers, “socially beneficial purposes”, research and development, and for organizations that are parties to a prospective or completed business transaction (unless, of course, it’s a business transaction with the primary purpose or result being the purchase, sale or other acquisition or disposition, or lease, of personal information).
Marketers can still use publicly available information without consent as long as the specific categories of information they want to use are identified in regulations to the Act.
New Transparency Requirements
The bill contains some new transparency requirements marketers should be aware of. In particular, organizations are required to provide a general account of: any exemptions to consent they may be relying on, their use of automated decision systems, and whether or not the organization carries out any international or interprovincial data transfers that may have reasonably foreseeable privacy implications.
Algorithmic transparency provisions
The bill would provide individuals with the right to request that organizations explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained. It stops short of a right to object to these types of decisions, like we see under the EU’s GDPR.
Enhanced Role for Privacy Codes and Certifications
To help organizations understand their obligations under the law and demonstrate compliance, the bill would allow organizations to ask the OPC to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors or business models.
Of course, compliance with the requirements of a code of practice or a certification program would not relieve an organization of its obligations under the law.
De-identification of Personal Information
The bill recognizes the hugely important need for organizations to leverage de-identified data. It clarifies that de-identified information must be protected by technical and administrative measures, and that it can be used without an individual's consent only under certain prescribed circumstances.
Clarity on the Obligations of Service Providers
Finally, the bill provides welcome clarity that the law would apply to organizations regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization. A service provider is only subject to all of the obligations under the Act if it collects, uses or discloses the information for any additional purpose besides those specified under contract.
Organizations are expected to be provided with around 18 months of lead time before the law would come into effect, once it’s passed.
In the meantime, the CMA will continue to engage with government as the bill undergoes further inspection and debate by the House of Commons, and will keep marketers updated on important developments.
Questions or comments? E-mail us - we want to hear from you.