On November 17, 2020, new privacy legislation was introduced in Canada’s Parliament. The bill, which includes the Consumer Privacy Protection Act (“CPPA”), will replace most of the 20-year-old Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Below are six noteworthy aspects of the CPPA.
Application and Jurisdiction—The CPPA states that it applies in respect of personal information that is collected, used and disclosed in the course of commercial activity, including information that is collected, used and disclosed internationally. Based on the legislative text, the CPPA would apply to firms outside of Canada that collect personal information about individuals within Canada as part of commercial activity, such as a website operating in another country. Organizations not engaged in “commercial activities”, such as political parties or charities, are not subject to the act.
Mandatory reporting of a privacy breach—Under the CPPA, organizations are required to protect any personal information in their custody. Any breach of security safeguards that affects personal information and creates a risk of harm to individuals must be reported to the Privacy Commissioner. In addition, the organization must notify affected individuals. While a similar requirement existed under PIPEDA, the CPPA includes significant new penalties for non-compliance.
Commissioner can make orders—Under PIPEDA, the Privacy Commissioner could only make findings and recommendations. An order needed to be pursued in the Courts. This two-step process is eliminated under the CPPA. Under the CPPA the Privacy Commissioner can order an organization to: take measures to comply with the CPPA; cease doing something in contravention of the CPPA; follow a compliance agreement; or make public any corrective actions it must take to comply with the CPPA. Orders are enforceable as an order of the Federal Court of Canada if filed with that Court’s registry.
Privacy Tribunal—The bill creates a Personal Information and Data Protection Tribunal. The Tribunal will have jurisdiction to impose penalties following a recommendation by the Privacy Commissioner. The Tribunal will also have jurisdiction to hear appeals from orders and findings of the Commissioner. This specialized Tribunal will provide individuals and organizations with a review mechanism that was unavailable under PIPEDA.
Administrative Penalties—The CPPA introduces significant administrative penalties that may be imposed by the Tribunal. These penalties are distinct from those that may be imposed by a Court following conviction of an offence under the CPPA. Actions that could result in an administrative penalty include using personal information for an improper purpose, requiring a person to consent to the use of their personal information as a condition of supplying a good or service, or retaining personal information for longer than necessary. The maximum administrative penalty under the CPPA is the greater of C$10 million or 3% of global revenue in the preceding year. To put this in perspective, Alphabet and Facebook’s respective global revenues in the previous year are reportedly US$172 billion and US$79 billion. This would set the maximum administrative penalty for Alphabet at US$5.16 billion and for Facebook at US$2.4 billion.
Penalties for an indictable offence—Contravention of certain CPPA provisions may be prosecuted as an indictable offence. The maximum penalty upon conviction is C$25 million or 5% of global revenue in the previous year. Examples of indictable offences include failing to report a breach of security safeguards involving personal information, failing to retain personal information subject to a request, or using de-identified personal information to identify an individual.
If passed, the CPPA will significantly strengthen Canada’s federal privacy legislation. It will also impose significant regulatory requirements upon businesses subject to the Act and penalties for those that fail to comply. The CPPA’s protections for consumers are likely to be popular among Canadians. Businesses that collect, use and disclose personal information should prepare for the CPPA to become law by reviewing their policies and proactively identifying any potential exposure.