Personal data is the new oil. Yet, the commoditization and uses of personal data in innovative and other ways often collides with the individual and public interest in observing reasonable expectations of privacy. Privacy has been at the crossroads in Canada; our existing privacy law is over 20 years old – in digital terms – over 140 years old. After much consultation the government introduced a new bill to catch us up with the somewhat long name An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.
The bill includes many of the provisions in PIPEDA, plus a lot more. It gets rid of the CSA Model Code and now includes them, with changes, as part of the law. The bill has substantial teeth. There is a new tribunal that can impose substantial penalties (the greater $10,000,000 and 3% of the organization’s gross global revenues), even steeper fines for offenses, and a new private right of action that can brought based on findings made by the Commissioner or the new tribunal. The Commissioner also has much greater powers including the ability to recommend penalties, to make orders, and to demand demonstrable accountability, in certain circumstances.
The rules related to consent have changed. There are a host of new exceptions. There are new rights for data mobility and new rules related to automated decision making and de-identifying and making use of de-identified personal information.
Make no mistake, if this bill is passed, it will require all organizations to review their privacy practices and agreements with users and business partners. The bill will need to be assessed against other standards and evolving provincial laws for compatibility and interoperability. There will undoubtedly be many suggestions for changes including technical changes to better implement the intended government policies. We should expect many industry and other organizations will want to thoroughly vet the new bill and identify areas of concern or which need clarification.
For background you may want to review:
I also refer you to the McCarthy Tetrault blog post, Hello CPPA & PIDPT: The Federal Government Proposes Dramatic Evolution of PIPEDA.
