The global health crisis has transformed how everybody lives, works, accesses information, and connects and the rest of the world. Digital technology and its integral role in our lives have newfound importance in the COVID-19 economy. With a sudden surge in reliance on digital technology, the concern for the privacy of personal data increased even further.
Laws like Europe’s General Data Protection Regulation (GDPR) have already been setting new standards when it comes to the protection of personal data. The Government of Canada is also stepping up to the proverbial plate to ensure a better level of protection to Canadians in the changing dynamics of the world.
A New Proposed Canadian Privacy Regulation
The Canadian Privacy Protection Act (CPPA) is a new law that was proposed by the Canadian Minister of Innovation, Science and Industry, the Honorable Navdeep Bains. The federal minority government released draft legislation to update and modernise the existing federal private sector privacy legislation in the country.
The present law is called the Personal Information and Electronic Documents Act (PIPEDA). It was initially passed in 2001, and it came into effect in 2004. The almost two-decade-long can see some significant amendments made to it to improve on the existing legislation.
The proposed changes will be implemented through the Digital Charter Implementation Act that addresses several pieces of legislation. Part 1 aims to amend and rename PIPEDA to the Consumer Privacy Protection Act. Part 2 aims to create a specialised privacy and data protection tribunal using the Personal Information and Data Protection Tribunal Act.
For those already aware of the California Consumer Privacy Act implemented in the US, the CPPA’s title may bear some resemblance. Navdeep Bains directly referred to the regulation and cited that the proposed law, if implemented, will be far more robust than the one already implemented in Canada.
Let’s take a closer look at some of the key features of the reforms proposed in the CPPA that is still before parliament.
Privacy Management Program
The Privacy Management Program in Section 9 of CPPA mandates businesses and organisations to maintain a privacy management program. The program should set procedures and policies that organisations must enact to protect the personal information of Canadians and address complaints regarding privacy.
It also mandates training personnel at the company regarding these actions and to develop materials to explain their policies and procedures. The privacy management program also allows for on-demand access to the Office of the Privacy Commissioner of Canada with regard to these policies.
Meaningful Consent
Another crucial aspect of the CPPA is meaningful consent. The existing PIPEDA is already a consent-based regulation. However, the new proposed act will modify the regulations regarding consent based on guidance from privacy commissioners.
The privacy commissioners will ensure the enactment of meaningful consent that reflects closely the approach to consent taken by the GDPR.
It will also remove the time-taking and complex aspect of obtaining consent in situations where it will not be effective in providing meaningful privacy protection.
Appropriateness
There are no provisions that clearly address privacy risk assessment or privacy by design. However, Section 12 clearly outlines factors that can identify the appropriateness of processing and calls to assess the proportionality of the loss of privacy against the advantages as mitigated by organisational measures. It introduces a greater level of accountability with regard to the appropriateness of information that an organisation collects, uses, or discloses.
Legitimate Interests
Section 18 of the proposed act gives a proper structure to circumstances that can alleviate an organisation from relying on consent. Section 18 defines the list of activities that can allow organisations to collect and use the information without seeking consent, including:
- An activity that’s necessary to deliver a product or service that an individual requested from the company,
- An activity carried out in the exercise of due diligence to reduce or prevent the organisation’s commercial risk,
- An activity essential for the organisation’s protection of its information, network security, or system,
- An activity to ensure the safety of a product or service offered by the organisation,
- An activity in which it would be impractical to try and gain an individual’s consent.
Data Portability/Mobility
Perhaps one of the most significant changes proposed by the act is the ability to choose which organisation uses individuals’ data. It will allow individuals to have the right to transfer their data from one organisation to another. Additionally, there is also a concept of data mobility frameworks that can provide secure mechanisms for data mobility.
Right to Erasure
Another critical aspect of CPPA that was discussed during Bains’ briefing is enhanced control for the individual regarding their data. If an individual no longer wants organisations to use their data, the CPPA permits individuals to require organisations, including social media platforms, to delete data entirely. Individuals can also completely withdraw their consent for the use of their information if they choose.
Building a Foundation of Trust
The proposed act can build a foundation of trust and transparency between individuals, organisations, and the government. Ideally, it will also ensure that businesses and innovators can benefit from the modernised framework with clearly defined rules and regulations.
CPPA ensures strong fines among G7 privacy laws that can include fines of up to 5% of revenue or $25 million, based on whichever is greater, for the most serious offences. It remains to be seen if and how the new legislation could integrate with provincial laws.
This could very well be just the beginning of serious discourse regarding how privacy and data control will be structured in Canada to meet CPPA’s goals. One thing we can be certain about is that the implementation of CPPA will drastically change the privacy landscape across the country.
More about Irish Tech News
Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.
You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: https://anchor.fm/irish-tech-news
If you’d like to be featured in an upcoming Podcast email us at [email protected] now to discuss.
Irish Tech News have a range of services available to help promote your business. Why not drop us a line at [email protected] now to find out more about how we can help you reach our audience.
You can also find and follow us on Twitter, LinkedIn, Facebook, Instagram, TikTok and Snapchat.