On November 17, 2020, the Canadian government proposed new legislation to the House of Commons, Bill C-11, which includes enacting the Consumer Privacy Protection Act (CPPA) to reform Canada’s privacy legislation.
Introduced by the Minister of Information Science and Economic Development, Bill C-11 would reform Canada’s federal privacy legislation (PIPEDA), most notably by enacting the CPPA. The CPPA aims to protect individuals’ personal information and regulate how organizations collect, use, and disclose personal information across their activities. The bill would also introduce the Personal Information and Data Protection Tribunal Act (the Tribunal Act), establishing an administrative tribunal to hear appeals of decisions made by the Office of the Privacy Commissioner of Canada (OPC) and facilitate the issuing of penalties.
What Are the CPPA’s Proposed Requirements?
The CPPA aims to protect personal data while also governing how organizations collect and that data., what does this look like in practice? A factsheet detailing key aspects of the bill, has been shared, outlining the impact that the Digital Charter Implementation Act, 2020 could have:
- Consent: Organizations would need to get meaningful consent, ensuring that plain language is used, so that users can make an informed choice about the use of their personal information.
- Data Mobility: The CPPA would improve the control that individuals have over the right to transfer their data from one organization to another, e.g., transferring information from their bank to another financial institution.
- Deletion: Individuals would have the right to request their personal information be deleted should they withdraw their consent.
- Transparency: Organizations would have to be transparent about any automated decision-making algorithms they use. Individuals would have the right to request an explanation of how a decision was made using an automated system and how the information was obtained.
- De-identified information: This would require organizations to remove direct identifiers, such as names, from the personal information they hold. The legislation will also clarify the circumstances in which this information can be used without an individual’s consent.
What Penalties Would the CPPA Introduce?
The introduction of the CPPA would allow the OPC to make recommendations to the Personal Information and Data Protection Tribunal on the imposition of penalties. The CPPA would include a provision for fines of 5% of global revenue or CAD 25 million for the most severe circumstances.
To find out more about Canada’s proposed privacy reforms register for our webinar Canada Federal Privacy Bill: Reaction & Analysis. For more information on how OneTrust can help your organization request a demo or visit onetrust.com today!
Further CPPA reading:
- DataGuidance News: Bill to reform Canada’s privacy law introduced, provides for enactment of Consumer Privacy Protection Act
- Government of Canada: Fact Sheet: Digital Charter Implementation Act, 2020
Next steps on CPPA:
- Sign up for the webinar: Canada Federal Privacy Bill: Reaction & Analysis