This comparative table highlights similarities and differences between private sector privacy laws in Canada and the General Data Protection Regulation (“GDPR”) in Europe. In the wake of the recent amendments tabled by the Canadian government in Bill C-27, the chart includes a comparison of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the proposed Consumer Privacy Protection Act (“CPPA”) in Bill C-27. The table also highlights the changes passed into law in Quebec in Bill 64, some of which will come into force on September 22, 2022 (learn more at “Resource Center - Bill 64”). The table is intended as a useful tool for privacy professionals dealing with Canadian privacy laws and the GDPR.
Comparative Table of Personal Information Protection Laws (Canada)

Columns compared (short labels used in each row below):
• PIPEDA: Personal Information Protection and Electronic Documents Act (note 1)
• CPPA: Consumer Privacy Protection Act, as proposed in Bill C-27 (note 2)
• Quebec Act: Act respecting the protection of personal information in the private sector, as amended by Bill 64 (note 3)
• PIPA AB: Alberta Personal Information Protection Act
• PIPA BC: BC Personal Information Protection Act
• GDPR: General Data Protection Regulation

1. Effective date
PIPEDA:
• January 1, 2001 (applies to any organization since January 1, 2004)
CPPA:
• Not in force
• Introduced by the Minister of Innovation, Science and Industry in the House of Commons on June 16, 2022
Quebec Act:
• September 22, 2022: in particular, requirements for appointment of a privacy officer, mandatory incident reporting and authorized transfer in cases of business transactions [exhaustive list of sections coming into force: 3.1; 3.5-3.8; 18; 18.4; 21-21.02; 46; 52; 56; 58; 61; 63-65; 67; 80; 80.1; 81.1-81.3; 83; 83.1; 86; 87; 90] (note 4)
• September 22, 2023: majority of provisions
• September 22, 2024: a form of right to “data portability”
PIPA AB:
• January 1, 2004
PIPA BC:
• January 1, 2004
GDPR:
• May 25, 2018

2. Responsible authority
PIPEDA:
• Office of the Privacy Commissioner of Canada (OPC) [2; 11]
CPPA:
• Office of the Privacy Commissioner of Canada (OPC) [2; 76]
• Personal Information and Data Protection Tribunal (note 5)
Quebec Act:
• Commission d'accès à l'information du Québec (CAI) [41.1; 54]
PIPA AB:
• Office of the Information and Privacy Commissioner of Alberta (OIPC AB) [36]
PIPA BC:
• Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) [36]
GDPR:
• Supervisory authority of each Member State (CNIL in France, etc.) [51]

3. Scope of application
PIPEDA:
• Every organization that collects, uses or discloses personal information in the course of commercial activities in Canada or with a real and substantial connection to Canada (note 6) [4]
• Excluding government institutions to which the Privacy Act applies [4(2)]
• Possibility of exclusion from the application of PIPEDA in certain provinces (Alberta, BC and Québec) [26(2)]
• Only covers employees of, or applicants for employment with, an organization that collects, uses or discloses personal information in connection with the operation of a federal work, undertaking or business [4(1)(b)]
CPPA:
• Every organization that collects, uses or discloses personal information in the course of commercial activities in Canada, including: (1) interprovincially or internationally; or (2) within a province, provided that the organization is not subject to an order under the CPPA stating that the organization is subject to provincial legislation that is substantially similar to the CPPA [6(1)(2); 122(1)]
• Excluding government institutions to which the Privacy Act applies [6(4)(a)]
• Possibility of exclusion from the application of the CPPA in certain provinces having a “substantially similar law” (Alberta, BC and Québec private sector laws; Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia health information laws) [6(4)(e)]
Quebec Act:
• Any “enterprise” which collects, holds, uses or communicates personal information, whether the information is kept by the enterprise or through the agency of a third person [1]
• Excluding public bodies within the meaning of the Act respecting Access to documents held by public bodies and the Protection of personal information [3]
PIPA AB:
• Any organization that collects, uses or discloses personal information [3]
• Excluding “health information” to which the Health Information Act (Alberta) applies [4(3)]
• Excluding personal information to which the Freedom of Information and Protection of Privacy Act (Alberta) applies (i.e., Alberta provincial public bodies) [4(3)]
PIPA BC:
• Any organization that collects, uses, or discloses personal information [2]
• Excludes personal information to which PIPEDA applies
• Excludes personal information to which the Freedom of Information and Protection of Privacy Act (BC) applies (i.e., BC provincial public bodies) [3]
GDPR:
• Establishment criterion: the controller or processor shall be established in the EU/EEA [3(1)]
• Targeting criterion: the controller is established outside the EU/EEA but its processing activities are related to the offering of goods or services to individuals concerned in the EU/EEA or are related to the monitoring of the behaviour of individuals concerned in the EU/EEA [3(2)]
• No distinction between the private and public sectors [4(7)]

4. Personal information (or “personal data”)
PIPEDA:
• Any information about an identifiable individual [2]
• Whatever the physical form or characteristics
• Particular regime for “business contact information” (information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, i.e., name, position, title, work address, professional phone number, etc.) [4.01]
CPPA:
• Any information about an identifiable individual [2]
• Whatever the physical form or characteristics
• “Personal information that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession” is excluded from the scope of the CPPA [6(4)(d)]
Quebec Act:
• Any information which relates to a natural person and allows that person to be identified, directly or indirectly [2]
• Whatever the nature of its medium and whatever the form (written, graphic, taped, filmed, computerized, or other)
• Also covers employees and job applicants
• Particular regime for “personal information concerning the performance of duties within an enterprise by the person concerned, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work” [1]
PIPA AB:
• Any information about an identifiable individual [1(1)(k)], including “personal employee information”
• Excludes “business contact information” collected, used or disclosed for the purpose of enabling an individual to be contacted in relation to the individual’s business responsibilities [4(3)]
• Whatever the medium/format
PIPA BC:
• Any information about an identifiable individual, including “employees’ personal information” [1]
• Excludes “contact information” and “work product information” [1]
GDPR:
• Any information relating to an identified or identifiable natural person (including a name, an identification number, location data, an online identifier or a factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity) [4(1)]

5. Anonymized information
PIPEDA:
• No definition for anonymized information
• However, anonymization is provided as an alternative to destruction or erasure of personal information when it is no longer required [Sch. 1 – 4.5.3]
CPPA:
• Information is considered anonymized when it irreversibly no longer allows the person to be identified directly or indirectly [2]
• Anonymization must be made according to generally accepted best practices [2]
• “Dispose” means permanently and irreversibly deleting personal information or anonymizing it [2]
• The CPPA does not apply to personal information that has been anonymized [6(5)]
Quebec Act:
• Information is considered anonymized when it irreversibly no longer allows the person to be identified directly or indirectly [23]
• Anonymization must be made according to generally accepted best practices [23]
• Anonymization is provided as an alternative to destruction of personal information when the purposes for which it was collected or used are achieved, provided that such anonymized information is used for a serious and legitimate purpose [23]
PIPA AB:
• No specific provision
PIPA BC:
• No specific provision
GDPR:
• Personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable; such processing is not subject to the GDPR [recital 26]

6. De-identified information
PIPEDA:
• No definition of “de-identified information”
CPPA:
• Generally, de-identified information is personal information that has been modified so that an individual cannot be directly identified, though a risk of the individual being identified remains [2]
• De-identified information is still considered personal information (with exceptions) [2(3), see 22(1); 39(1), 55; 56; 63(1); 71-75; 116]
Quebec Act:
• De-identified information is personal information that no longer allows the person concerned to be directly identified [12]
• When using de-identified information, reasonable steps shall be taken to limit the risk of anyone identifying a natural person based on this de-identified information [12]
PIPA AB:
• No specific provision
PIPA BC:
• No specific provision
GDPR:
• Pseudonymized information:
- Personal data processed in such a manner that it can no longer be attributed to a specific individual without the use of additional information kept separately, subject to technical and organizational measures [4(5)]; pseudonymization is a security and privacy-by-design measure [25; 32]

7. Sensitive information
PIPEDA:
• No definition of “sensitive information”
• Recommendation to ensure a level of security appropriate to the sensitivity of the information [Sch. 1 – 4.7]
CPPA:
• Personal information of minors is considered to be sensitive information [2(2)]
• Privacy management program must take into account the sensitivity of the information [9(2); 62(1)]
• Retention periods must consider the sensitivity of personal information [9(1); 53(2)] and, where applicable, must be made readily available with respect to sensitive personal information [62(2)(e)]
• The sensitivity of the information must be taken into account in several other situations [see 12(2); 15(5); 22(b)(ii); 22(3)(a)(ii); 57(1); 58(8)(a); 74; 109(c)]
Quebec Act:
• Information is considered “sensitive” if it entails a high level of reasonable expectation of privacy (including medical, biometric or otherwise intimate information) [12]
• Security measures must be appropriate with respect to the sensitivity of the information [10]
• Consent to the use or communication of sensitive personal information must be given expressly [12; 13]
• Sensitivity of the information must be taken into account in several other situations [see 3.3; 3.7; 17; 28.1; 90.2; 92.3]
PIPA AB:
• No definition of “sensitive information”
• If consent is implicit, then the collection, use or disclosure of personal information must be reasonable having regard to its sensitivity [8(3)]
PIPA BC:
• No definition of “sensitive information”
• If consent is implicit, then the collection, use or disclosure of personal information must be reasonable having regard to its sensitivity [8(3)]
GDPR:
• Particular regime for “special categories of personal data” (including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation) [9]
• No separate regime for financial data

8. Consent
PIPEDA:
• May be express or implied depending on the circumstances and the type of information, taking into account the reasonable expectations of the individual concerned [Sch. 1 – 4.3.5]
• Should generally be express when processing sensitive information [Sch. 1 – 4.3.6]
• May be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice [Sch. 1 – 4.3.8]
• An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances [5(3)]
CPPA:
• Must be obtained at or before the time of the collection [15(1)(2)]
• Organizations must inform individuals, in plain language, of the type of personal information they collect, use and disclose, of the purposes, manner and consequences of such collection, use and disclosure, and of the third parties to whom personal information will be disclosed [15(3)(4)]
• Consent must be given expressly, except when it is “appropriate” to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information [15(5)-15(6); 18]
• May be withdrawn at any time, in whole or in part, subject to the CPPA, a federal or provincial law or the reasonable terms of a contract [17]
• An organization may collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, regardless of whether consent is required under the CPPA [12(1)]
Quebec Act:
• Must be clear, free and informed and be given for specific purposes. It must be requested for each purpose, in clear and simple language [14]
• If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned [14]
• Such consent is valid only for the length of time needed to achieve the purposes for which it was requested [14]
• Consent not given in accordance with the Act is without effect [14]
• Consent to the use or communication of sensitive personal information must be given expressly [12; 13]
• Consent to the communication or use of personal information may be withdrawn [8(4)]
• When addressing a person for commercial or philanthropic prospection, such person must be informed of their right to withdraw consent to the use of their personal information for prospection purposes [22]
PIPA AB:
• May be express or implied, each subject to specified requirements and limitations [8]
• May be withdrawn at any time on reasonable notice, unless withdrawing consent would frustrate performance of a legal obligation [9]
PIPA BC:
• May be express or implied, each subject to specified requirements and limitations [7; 8]
• May be withdrawn at any time on reasonable notice, unless withdrawing consent would frustrate performance of a legal obligation [9]
GDPR:
• Must be freely given, specific, informed and unambiguous, in an intelligible and accessible form, and is only valid for specified purposes [4(11)]
• Must be “explicit” for the processing of special categories of personal data [9(2)(a)]
• May be withdrawn at any time [7(3)]

9. Exceptions to consent
PIPEDA (collection, use and disclosure):
• Not required when exceptions apply (for example, in the case of a “prospective business transaction”) [7.2]
CPPA (collection, use and disclosure):
• Not required when exceptions apply, for example:
- for the collection and use of personal information for certain business activities [15(6); 18]
- for the collection and use of personal information for a legitimate interest, subject to multiple requirements, including the conduct of an assessment and record-keeping obligations [18(3)(4)(5)]
- for public interest [29-39]
- to transfer personal information to service providers [2; 19]
- for de-identified personal information in certain cases, notably in the context of a prospective business transaction [2; 20-22]
- for the use and disclosure of personal information in the context of a business transaction where de-identification would undermine the objectives of the transaction and the organization has taken into account the risk of harm to the individual that could result from using or disclosing the personal information [22(2)]
Quebec Act (use):
• Not required when exceptions apply, for example when the information is used for purposes consistent with the purposes for which it was collected [12]
Quebec Act (communication):
• Not required when exceptions apply, for example when it is necessary to conclude a commercial transaction [18.4]
PIPA AB (collection, use and disclosure):
• Not required when exceptions apply (for example, in the case of a “business transaction”) [22]
PIPA BC (collection, use and disclosure):
• Not required when exceptions apply (for example, in the case of a “business transaction”) [20]
GDPR (processing):
• Another legal ground may apply, such as the necessity for the performance of a contract or the legitimate purposes of the controller [6(1)]

10. Children
PIPEDA:
• No minimum age in PIPEDA for minor consent, but OPC Guidance for obtaining meaningful consent states that the consent of a parent or guardian is generally required for children under the age of 13
CPPA:
• No minimum age in the CPPA for minor consent
• The personal information of minors is deemed sensitive personal information [2(2)]
• Further limitations on the ability of organizations to refuse the disposal requests of minors [55(2)]
• Parents are enabled to act on behalf of their children to protect their rights [4]
• “Minor” is not defined in the CPPA
Quebec Act:
• Consent to the collection of personal information concerning a minor under 14 years of age must be given by the person having parental authority or the tutor, unless collecting the information is clearly for the minor’s benefit [4.1; 14]
• For minors aged 14 and over, consent can also be given directly by the minor [14]
PIPA AB:
• No minimum age for the consent of minors, but the minor must be old enough to provide meaningful consent
PIPA BC:
• No minimum age for the consent of minors, but the minor must be old enough to provide meaningful consent
GDPR:
• Minimum age for a minor’s consent is 16 years old [8(1)]
• Member States may provide for a lower age than 16 years, provided that such lower age is not below 13 years [8(2)]

11. Governance program
PIPEDA:
• Organizations must have policies and practices with respect to the management of personal information [Sch. 1 – 4.8.1]
• Organizations must make readily available to individuals specific information about their policies and practices relating to the management of personal information [Sch. 1 – 4.8; see section on “Transparency”]
CPPA:
• Every organization must implement and maintain a privacy management program that includes the policies, practices and procedures the organization has put in place to fulfill its obligations under the CPPA, including policies, practices and procedures respecting:
- the protection of personal information;
- how requests for information and complaints are received and dealt with;
- the training and information provided to the organization’s staff respecting its policies, practices and procedures; and
- the development of materials to explain the organization’s policies and procedures [9; 62]
• Organizations must make readily available, in plain language, information that explains the organization’s policies and practices [62(1); see section on “Transparency”]
Quebec Act:
• Every enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information [3.2]
• Such policies and practices must, in particular, provide a framework regarding:
- the keeping and destruction of the information;
- the roles and responsibilities of the members of its personnel throughout the life cycle of the information; and
- the process for dealing with complaints regarding the protection of the information [3.2]
• Enterprises must publish detailed information about these policies, in clear and simple language, on their website [3.2]
PIPA AB:
• Every organization must develop and follow policies and practices that are reasonable for the organization to meet its obligations under PIPA AB [6(1)]
PIPA BC:
• Every organization must:
- develop and follow policies and practices that are necessary for the organization to meet its obligations under PIPA BC [5]
- develop a process to respond to complaints that may arise respecting the application of PIPA BC [5]
GDPR:
• Controller shall implement appropriate data protection policies [24(2)]
• Data protection officer (see “Privacy Officer” section) shall monitor the policies of the controller in relation to the protection of personal data, including:
- assignment of responsibilities;
- awareness-raising;
- training of staff involved in the processing operations; and
- the related audits [39(1)]

12. Rights of access
PIPEDA:
• Yes, subject to certain exceptions to and prohibitions on disclosure. Exceptions include where information is subject to solicitor-client privilege or where the information contains references to third parties or cannot be disclosed for legal, security or commercial reasons [9; Sch. 1 – 4.9]
• Request for access in writing [8(1)]
• Response within 30 days (this period may be extended by up to 30 days in certain cases) [8(3)]
• A charge may be required, subject to certain conditions [8(6)]
• An organization shall assist any individual who requests assistance [8(2)]
CPPA:
• Yes, subject to certain exceptions to and prohibitions on disclosure. Exceptions include where giving access would reveal confidential commercial information, or doing so would threaten the life or security of another individual [70(7)]
• Written request for access [64(1)]
• Response within 30 days (this period may be extended by up to 30 days in certain cases) [67]
• A charge may be required, subject to certain conditions [68]
• An organization shall assist any individual who requests assistance [64(2)]
Quebec Act:
• Yes, subject to certain exceptions, including in cases of litigation or if access may seriously harm a third person [27; 37 and ss]
• Written request for access addressed to the person in charge of the protection of personal information, with proof of identity [30]
• Response in writing within 30 days, with no possibility to extend the 30-day delay [32]
• The enterprise has an obligation to provide assistance [27; 29; 30]
• Free of charge (a reasonable charge may be required on certain conditions) [33]
• In case of refusal, the person in charge of the protection of personal information must give the reasons for such refusal, indicate the provisions of law on which the refusal is based and the remedies that are available, and specify the time limit for exercising them. Must also help the person understand the refusal [34]
• Specific obligations for computerized personal information [27] (note 7)
• The enterprise must inform the person of his right of access when his personal information is collected [8]
PIPA AB:
• Yes, subject to certain exceptions, including where the information is protected by legal privilege or disclosure could reveal personal information about, or threaten the life or security of, another individual [24]
• Request for access in writing
• Response within 45 calendar days (this period may be extended)
• A charge may be required, subject to certain conditions
• An organization must make every reasonable effort to assist each applicant
PIPA BC:
• Yes, subject to certain exceptions, including where the information is protected by solicitor-client privilege or disclosure could reveal personal information about, or threaten the health or safety of, another individual [23]
• Request for access in writing
• Response within 30 business days (this period may be extended)
• A charge may be required, subject to certain conditions
• An organization must make a reasonable effort to assist each applicant
GDPR:
• Yes, subject to certain exceptions, including for legal or security reasons [15; 23]
• Where there are reasonable doubts concerning the identity of the individual concerned, it is possible to request confirmation of his/her identity [12(6)]
• Response given in writing or orally (when requested by the individual concerned) [12(1)]
• Response shall be given without undue delay and in any event within one (1) month (this period may be extended) [12(3)]
• Free of charge (a reasonable charge may be required, subject to certain conditions) [12(5)]
• Obligation to facilitate the exercise of rights of access [12(2)]

13. Right to correct (or to rectify)
PIPEDA:
• Yes, if the information is inaccurate or incomplete [Sch. 1 – 4.9.5]
CPPA:
• Yes, if the individual demonstrates that the information is not accurate, up-to-date or complete, the organization must amend the information [71(1)]
• The organization must, if it is appropriate to do so, transmit the amended information to any party that has access to the information [71(2)]
Quebec Act:
• Yes, if the information is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it is not authorized by law [28]
• Rights of access requirements apply with the necessary changes
PIPA AB:
• Yes, if there is an error or omission in the personal information [25]
• Request for correction in writing
• Must correct information as soon as reasonably possible
• No fee may be charged
PIPA BC:
• Yes, if there is an error or omission in the personal information [24]
• Request for correction in writing
• Must correct information as soon as reasonably possible
• No fee may be charged
• If the correction is not agreed to, the organization must annotate the record
GDPR:
• Yes, if the data is inaccurate or incomplete [16]
• Rights of access requirements apply with the necessary changes

14. Right to erasure (or “right to be forgotten”)
PIPEDA:
• No
CPPA:
• A form of this right is contemplated by the CPPA, specifically to dispose of an individual’s personal information under the organization’s control (subject to certain conditions and exceptions) and to request that the organization inform any service provider to which it has transferred the information of the request and ensure that the service provider has disposed of the information [55]
• No express right to de-index or re-index a hyperlink at the individual’s request
Quebec Act:
• Yes, to cease dissemination of the information, or to de-index or re-index any hyperlink attached to the name of the person concerned that provides access to the information by a technological means [28.1]
• Only if the dissemination contravenes the law or if certain conditions are met [28.1]
• Written request addressed to the person in charge of the protection of personal information, with proof of identity [30]
• Response in writing within 30 days [32]
• The enterprise has an obligation to provide assistance [30]
• In case of refusal, the person in charge of the protection of personal information must give the reasons for any refusal, indicate the provision of law on which the refusal is based and the remedies available, and specify the time limit for exercising them. Must also help the person understand the refusal [34]
PIPA AB:
• No
PIPA BC:
• No
GDPR:
• Yes (subject to certain conditions) [17]

15. Other rights of individuals
PIPEDA:
• Right to address a challenge concerning non-compliance with PIPEDA to the organization [Sch. 1 – 4.10]
• Right to file a complaint with the OPC [11(1)]
CPPA:
• Right to file a complaint with the organization [73]
• Right to file a complaint with the OPC [82]
• Right to be informed if an automated decision system made a prediction, decision or recommendation that has a significant impact on the individual [63(3)]
• Right to personal data portability where both organizations are subject to a “data mobility framework” [72; 123]
Quebec Act:
• Right to file a complaint with the enterprise [3.2]
• Right to file a complaint with the CAI [81]
• Right to submit an application to the CAI for the examination of a disagreement [42]
• Right to be informed if a decision based exclusively on automated processing of personal information is made and, notably, to submit observations and ask for a revision of such decision [12.1]
• Right to obtain personal information in a structured, commonly used format, and to have the information communicated, at the applicant’s request, to any person or body authorized by law to collect such information [27]
PIPA AB:
• Right to file a complaint with the OIPC AB or to request a review of a decision by an organization regarding an individual’s request respecting personal information [36]
PIPA BC:
• Right to make a complaint to the organization [46]
• Right to file a complaint with the OIPC BC or to request a review of a decision by an organization regarding an individual’s request to access or correct personal information [47]
GDPR:
• Right to lodge a complaint with the competent supervisory authority [77]
• Right to restriction of processing of personal data [18]
• Right to personal data portability [20]
• Right to object to processing of personal data [21]
• Right not to be subject to a decision based solely on automated processing [22]

16. Privacy Officer
PIPEDA:
• Obligation to designate an individual who is accountable for compliance with PIPEDA and to disclose such individual’s identity [Sch. 1 – 4.1]
CPPA:
• Obligation to designate one or more individuals to be responsible for the organization’s compliance with the CPPA [8(1)]
• The designated individual(s)’ business contact information must be provided to anyone who requests it [8(1)]
• The designated individual(s) is (are) not necessarily the one(s) to whom complaints and requests under the CPPA are made [62(2)(g) read with 8(1)]
Quebec Act:
• The person with the highest authority is responsible to ensure the Act is implemented and complied with [3.1]
• This function may be delegated, in writing, to any person [3.1]
• This person must approve the policies and practices of the enterprise [3.2]
• This person must be consulted for any assessment of the privacy-related factors [3.3]
• This person may suggest any personal information protection measures applicable to a project of acquisition, development or redesign of an information system [3.4]
• This person must be consulted in assessing the risk of injury to a person whose personal information is concerned by a confidentiality incident [3.7]
• This person is in charge of the access, rectification or “erasure” requests [28.1; 30; 32; 34; 35]
PIPA AB:
• Organization must designate one or more individuals to be responsible for compliance with PIPA AB
PIPA BC:
• Organization must designate one or more individuals to be
GDPR:
• Obligation to designate a “data protection officer” in certain circumstances,

Notes
1. On November 17, 2020, the Canadian government tabled substantial changes to Canadian privacy law in Bill C-11, the Digital Charter Implementation Act, 2020 (C-11). C-11 proposed to (i) enact the Consumer Privacy Protection Act to replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), which addresses privacy in the private sector; and (ii) enact the Personal Information and Data Protection Tribunal Act establishing the Personal Information and Data Protection Tribunal, which would hear recommendations of and appeals from decisions of the Privacy Commissioner of Canada (Commissioner). However, the dissolution of the government ended all work in progress in the Senate and in the House of Commons, including Bill C-11.
2. On June 16, 2022, the Canadian government tabled substantial changes to Canadian privacy law in Bill C-27, the Digital Charter Implementation Act, 2022. In addition to enacting the CPPA and the Data Protection Tribunal Act (versions of which were proposed in the last federal privacy reform effort in November 2020), C-27 also proposes to enact the Artificial Intelligence and Data Act (AIDA) to regulate “artificial intelligence systems” and the processing of data in connection with artificial intelligence systems.
3. References made to this Act in the present column are references to the Act as amended by Bill 64 (also known as “Act 25”). To better identify the effective dates of the amendments, see our version of the Act as amended by Bill 64.
4. The numbers in brackets refer to the section number of the referenced act.
5. Bill C-27 would also enact the Data Protection Tribunal Act, which would establish the Personal Information and Data Protection Tribunal.
6. Canadian courts apply the “real and substantial connection” test to determine when Canadian courts may take jurisdiction, and in practice Commissioners have taken jurisdiction and applied Canadian privacy law where there are relatively minimal connecting factors to Canada.
7. The right to “data portability” will come into force on September 22, 2024.
[5(3)] responsible for compliance with PIPA BC, and must make available the position name or title and contact information for each such individual [4(3)] including the processing on a large scale of special categories of data or the processing operations that require regular and systematic monitoring of the individuals concerned on a large scale [37] 17. Transparency • Organizations must make readily available to individuals, in a form that is generally understandable, the policies and practices relating to the management of personal information [Sch. 1 – 4.8] • Organizations must make readily available, in plain language, information that explain their policies and practices [9; 62(1)], including: • Enterprises must publish detailed information about their policies and practices in simple and clear language [3.2] • If personal information is collected through technological means, the enterprise must • Organizations must make information available on request about its policies and practices for compliance with PIPA AB, including • Organizations must make information available on request about its policies and practices for compliance with PIPA BC, and about its process for • Organizations must provide to the individual concerned a wide variety of information at the time when the data are obtained (purposes of the processing, legal grounds, recipients, transfer Comparative Table of Personal Information Protection Laws (Canada) 14 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) • Organizations must inform the individual of the type of personal information held by the organization, including a general account of its use, with any 
additional details [Sch. 1 – 4.8] • Organizations must be able to explain to individuals the purposes for which the information is being collected [Sch. 1 – 4.8] - a description of the type of personal information under its control - a general account of how the organization uses the personal information and of how it applies consent exceptions - a general account of its use of automated decision-making that could have a significant impact on them - whether it carries out interprovincial or international transfers or disclosures that may have reasonably foreseeable privacy implications - retention periods applicable to sensitive information - disposal and access rights or - the contact information of the individual to whom complaints or requests for information may be made [62(2)]. • To obtain a valid consent, organizations must inform individuals in plain language, before or at the time of the collection, of: - the purposes for the collection, use or disclosure of personal information - the manner in which personal information is to be collected, used or disclosed - any reasonably foreseeable consequences of the collection, publish a confidentiality policy in clear and simple language on its website [8.2] • To obtain valid consent [8.3], enterprises must inform individuals, before or when collecting personal information, of: - the purposes for which the information is collected - the means by which it is collected - their rights to access and rectification - their right to withdraw consent - the name of the third person for whom the information is being collected (if any) - the names of the third persons or the categories of third persons to whom communication is necessary - the possibility that the information may be communicated outside Québec [8] and - the use of a technology that includes functions of identification, location or profiling and inform him of the means available to activate those functions [8.1]. 
• No later than at the time a person is informed of a decision made exclusively with automated decision-making, information about its use of services providers outside Canada to collect, use, disclose or store personal information [6] responding to complaints [5] of data, period of storage, applicable rights, contact details of the controller or the data protection officer, etc.) [13] • Where personal data have not been obtained from the data subject, information including the identity of the controller, the recipients of the personal data, etc. [14] • Provide any information in a concise, transparent, intelligible and easily accessible form, using clear and plain language [12(1)] Comparative Table of Personal Information Protection Laws (Canada) 15 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) use and disclosure of personal information - the specific type of personal information that is collected, used or disclosed; and - the names of third parties or types of third parties to which the organization may disclose personal information [15(3)]. 
enterprises must inform individuals about the use of such technology accordingly [12.1] • Enterprises must publish the title and contact information of the privacy officer on its website or, if the enterprise does not have a website, be made available by any other appropriate means [3.1] • Enterprises must inform the public of the place where, and manner in which, access to personal information may be granted [29] • When personal information is used for commercial or philanthropic prospection purposes, the person must identify himself and inform the person concerned of their right to withdraw their consent to the use of their personal information for such purposes [22] 18. Security measures • Organizations must implement security measures, including physical, organizational and technological measures, depending on the sensitivity of the information, the amount, distribution, and format of the information, and the method of storage [Sch. 1 – 4.7] • Obligation to make employees aware of the importance of • Organizations must protect personal information through physical, organizational and technological security safeguards. 
The level of protection provided by those safeguards must be proportionate to the sensitivity of the information [57] • Enterprises must implement security measures necessary to ensure the protection of the personal information that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored [10] • Organizations must make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction [34] • Organizations must make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks [34] • Organizations must implement technical and organizational measures to ensure a level of security appropriate to the risk (including pseudonymisation and encryption of data, as appropriate) [32] Comparative Table of Personal Information Protection Laws (Canada) 16 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) maintaining the confidentiality of personal information [Sch. 1 – 4.7.4] 19. 
Breach definition • A breach of security safeguards means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards [2(1)] • A breach of security safeguards means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards [2(1)] • A confidentiality incident means: - access not authorized by law to personal information - use not authorized by law of personal information - communication not authorized by law of personal information - loss of personal information or - any other breach of the protection of such information [3.6]. • An incident means one that involves the loss of or unauthorized access to or disclosure of the personal information [34.1] • N/A • A personal data breach means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed [4(12)] 20. 
Breach notification • Mandatory notification to the OPC, as soon as feasible, of any breach that creates a “real risk of significant harm” [10.1] • Mandatory notification to individuals, as soon as feasible, of any breach that creates a “real risk of significant harm” [10.1(3)] • Mandatory notification to any other organization, government institution or part of a government institution that could reduce the risk [10.2] • Keep a record of every data breach and, on request, provide the OPC with access to the record [10.3] • Mandatory notification to the OPC as soon as feasible of any breach that creates a “real risk of significant harm” [58] • Mandatory notification to individuals, as soon as feasible, of any breach that creates a “real risk of significant harm” for them [58] • Mandatory notification to any other organization, government institution or part of a government institution that could reduce the risk [59] • Requirement to keep and maintain a record of every breach and, on request, provide the OPC with access to the record [60] • Mandatory notification to the CAI of any incident that presents a risk of serious injury [3.5] • Mandatory notification to any person whose personal information is concerned by the confidentiality incident that presents a risk of serious injury, unless doing so could hamper an investigation [3.5] • Optional notification to any person or body that could reduce the risk [3.5] • Requirement to keep and maintain a register of confidentiality incidents for five years after the incident, and on • Mandatory notification to the OIPC AB as soon as feasible of any unauthorized access to or disclosure of personal information that creates a “real risk of significant harm” [34.1] • OIPC AB may require notification to individuals for whom there is a “real risk of significant harm” [Personal Information Protection Act Regulation] • No requirement • Optional notification to OIPC BC • Mandatory notification to the supervisory authority without 
undue delay and, where feasible, not later than 72 hours after having become aware of the incident in certain circumstances [33] • Communicate with the individual concerned without undue delay where the data breach is likely to result in a high risk to rights and freedoms, subject to certain conditions [33] Comparative Table of Personal Information Protection Laws (Canada) 17 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) • Service providers must notify every breach to the organization that controls the personal information [61] request, provide the CAI with access to the register [3.8] • A regulation determines the content and terms of the notices and of the register of confidentiality incidents [3.5; 3.8] • If an enterprise believes that a confidentiality incident occurred, it must take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature [3.5] 21. 
Transfer to foreign jurisdictions permitted • Outside Canada • Yes, by way of contract or otherwise, provided that a comparable level of protection is provided for the personal information [4.1.3] • The individuals must be informed that their information may be sent to a foreign country for processing purposes and that it may be accessible to the courts and the law enforcement and national security authorities of that jurisdiction [according to the Processing Personal Data Across Borders Guidelines] • Under specific conditions, the OPC may disclose information to any • Outside Canada • Yes, as long as the organization informs the individuals that they carry out an international or interprovincial transfer of personal information that may have reasonably foreseeable privacy implications [62(2)(d)] • To a “service provider” [2], without knowledge or consent of the individual, if the organization ensures, by contract or otherwise, that the service provider provides a level of protection of the personal information equivalent to that which the organization is required to provide under the CPPA [7; 11] • Outside Québec • Yes, after the conduction of a privacy impact assessment (“PIA”), taking into account: - the sensitivity of the information; - the purposes for which it is to be used - the protection measures, including contractual ones, that would apply and - the legal framework applicable in the State in which the information would be communicated, in particular the data protection principles applicable in the foreign State [17]. 
• Outside Alberta • Yes, but if organization uses a service provider outside Canada to collect, use, disclose or store personal information, then the privacy policy must disclose information regarding: - the countries outside Canada in which the collection, use, disclosure or storage may occur and - the purposes for which the service provider outside Canada has been authorized to collect, • Outside British Columbia • Yes, but disclosure in privacy policy recommended by OIPC BC • Outside the EU/EEA • Yes, if there is an “adequacy decision” or other appropriate safeguards under the GDPR, such as standard contractual clauses approved by the European Commission, binding corporate rules, adherence to a code of conduct or certification mechanism [44 to 47] • Prior to the appropriate safeguards, transfer risk assessments [Schrems II] • Obligation to designate a “representative” in an extraterritorial context, if no establishment in the EU, Comparative Table of Personal Information Protection Laws (Canada) 18 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) person or body under the legislation of a foreign state [23.1] • The OPC may disclose information to a foreign state under specific conditions [120] • The information may be communicated if the assessment allows to conclude that the information would receive an adequate protection under generally accepted privacy principles [17] - The communication must be the subject of a written agreement [17] use or disclose personal information [6(2)]. but targeting the EU market [27] • Some derogations to the requirements for adequacy decision and appropriate safeguards for specific situations [49] 22. 
Privacy by design • No express requirement. However, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. [5(3)] • Collection, use and disclosure of personal information shall be limited to that which is necessary for the purposes identified by the organization [Schedule 1, 4.4, 4.5] • No express requirement. However, an organization may collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider are appropriate in the circumstances, regardless of whether consent is required under the CPPA. [12(1)] • An organization may only collect personal information that is necessary for the purposes that the organization has determined and recorded prior to collection, and must not use or disclose personal information except for those purposes, with the further valid consent of the individual, or in the circumstances set out in the CPPA [13; 14] • If the enterprise offers technological products or services to the public that have privacy parameters, those parameters must, by default, provide the highest level of confidentiality (except for the privacy settings of cookies) [9.1] • No express requirement. However, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. [2, 3] • No express requirement. However, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. 
[2] • The controller must implement appropriate technical and organizational measures, such as pseudonymisation, designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects [25(1)] 23. New projects involving personal information • No specific requirement for a PIA • Recommended by the OPC • No specific requirement for a PIA • Recommended by the OPC • Enterprises must conduct a PIA for any project of acquisition, development and redesign of an information system [3.3] • No specific requirement for a PIA • Recommended by the OIPC AB • No specific requirement for a PIA • Recommended by the OIPC BC • Data-protection impact assessment required in certain circumstances [35] Comparative Table of Personal Information Protection Laws (Canada) 19 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) 24. 
Audits • The OPC may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if it has reasonable grounds to believe that the organization has contravened a provision of Division 1 or 1.1 or is not following a recommendation set out in Schedule 1 [18-19] • The OPC may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if it has reasonable grounds to believe that the organization has contravened, is contravening or is likely to contravene the CPPA’s part 1 (obligations of organizations) [97- 99] • The CAI may, by a formal demand notified by any appropriate method, require any person to file, within a time specified in the demand, any information or document to verify compliance with the law [81.3] • This applies to enterprises as well [83.1] • The OIPC AB may conduct an investigation to ensure compliance with any provision of PIPA AB [36(1)(a)] • The OIPC BC may, whether a complaint is received or not, initiate investigations and audits to ensure compliance with any provisions of PIPA BC, if the commissioner is satisfied there are reasonable grounds to believe that an organization is not complying with PIPA BC [36(1)(a); 38; 41(2)(3)] • Each supervisory authority may, in the form of data protection audits, carry out investigations [58] 25. Retention of information • For such time as is necessary for the purposes identified or to allow the individual to exhaust any recourse provided by law [8(8)] • Maintain personal information as accurate, complete, and up to date as is necessary for the purposes for which it is to be used [Sch. 
1 – 4.6] • For a period no longer than necessary to fulfill the purposes for which the information was collected, used or disclosed or to comply with applicable laws [53(1)] • When determining the retention period, the organizations must take into account the sensitivity of the information [53(2)] • When making a decision about an individual, the organization must retain the personal information used to make the decision for a sufficient period of time to allow the individual to make a request for access [54;63;69] • As long as necessary to exhaust any recourse an individual has under the CPPA [63;69] • At the individual’s request, the organization must dispose of their • For such time as is necessary for the purposes identified to be achieved [23] • If a request of access or rectification is denied: for such time as is necessary to allow the person concerned to exhaust the recourses provided by law [36] • Ensure that any personal information held on another individual is up to date and accurate when used by an enterprise to make a decision in relation to the individual concerned. 
Following that decision, the information used is kept for at least one year [11] • Organizations must provide a framework for the keeping and destruction of the information in • For only as long as the organization reasonably requires the personal information for legal or business purposes [35(1)] • The organization must then (a) destroy the records containing the personal information, or (b) render the personal information nonidentifying so that it can no longer be used to identify an individual [35(2)] • Must destroy its records containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that (a) the purpose is no longer being served by retention of the personal information, and (b) retention is no longer necessary for legal or business purposes [35] • If an organization uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain • For such time as is necessary but limited to a strict minimum [r. 39] • Records of processing activities required, except for an organization employing fewer than 250 persons, subject to certain conditions [30] Comparative Table of Personal Information Protection Laws (Canada) 20 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) personal information (with exceptions) [55] • Maintain personal information as accurate, up-to-date and complete as is necessary for the purposes [56] its governance policies and practices [3.2] that information for at least one year [35] 26. 
Statutory penalties Monetary penalties • N/A Monetary penalties • Upon the OPC’s recommendations, the Tribunal may impose a penalty up to: - $10 million or 3% of the organization’s annual gross global revenue, whichever is greater [95]. Monetary administrative penalties • A person appointed by the CAI may impose administrative penalties for a contravention of the provisions of the law [as described at 90.1] up to: - $50,000, if the contravener is an individual - $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater, in all other cases [90.12]. • Possibility to avoid a penalty if the enterprise enters into an undertaking with the CAI [90.1] • The amount of the penalty is determined according to different factors [90.2] • No administrative penalty may be imposed on a person if a statement of offence has already been served on the person for the same reasons [90.11] Monetary penalties • N/A Monetary penalties • N/A Monetary administrative fines • A supervisory authority may impose administrative fines of, depending on the nature of the offence: - up to €10 million or 2% of the worldwide annual turnover; or - up to €20 million or 4% of the worldwide annual turnover (whichever is higher) [83]. Comparative Table of Personal Information Protection Laws (Canada) 21 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) Penal provisions • Where an organization knowingly contravenes provisions listed in section 28, it is liable to a fine: - up to $100,000 on indictment; or - up to $10,000 (summary conviction) [28]. 
Penal provisions • Where an organization knowingly contravenes provisions listed in section 128 it is liable to a fine: - up to $25 million or 5% of its annual gross global revenue, whichever is greater (on indictment); or - up to $20 million or 4% of its annual gross global revenues, whichever is greater (on summary conviction) [128]. Penal provisions • Anyone who contravenes section 91 is liable to a fine: - up to $100,000, if the offender is an individual or - up to $25 million or 4% of their worldwide turnover for the preceding fiscal year, whichever is greater, in all other cases [91]. • Fines for subsequent offences are doubled [92.1] • The sentence is determined according to different factors [92.3] Penal provisions • Anyone who contravenes section 59 is liable to a fine: - up to $10,000 for individuals; and - up to $100,000 for persons other than individuals [59(2)]. Penal provisions • Anyone who contravenes section 59 is liable to a fine: - up to $10,000 for individuals; and - up to $100,000 for persons other than individuals [56]. Penal provisions • Member States shall lay down the rules on other penalties applicable to infringements of this GDPR in particular for infringements which are not subject to administrative fines [84] 27. Remedies from regulatory authority • Remedies available from the OPC [12] • Remedies available from the OPC [82] • Orders by the OPC [93] • Remedies available from the courts [including 104;105;106] • Remedies available from the CAI [81] • Orders by the CAI [83] • Orders by the OIPC AB on the completion of an inquiry [52] • Orders by the OIPC BC on the completion of an inquiry [52] • Remedies available from the competent supervisory authority [77] 28. 
Private right of action • After receiving the OPC’s investigation report or notification that its investigation has been completed or discontinued, a complainant may apply to court to seek damages (potentially by way of a class action) [14-16] • Where the Commissioner or Tribunal has found that an organization has contravened the CPPA, an individual has a cause of action against the organization in damages for loss or injury [107] • An individual may apply directly to a civil court to seek damages for loss or injury resulting from a breach of the law (including by way of a class action) [Civil Code of Québec] • Where the infringement is intentional or results from gross negligence, the court awards punitive damages of not less than $1,000 [93.1] • Where the OIPC AB has made a final order, an individual may apply to a court to seek damages for loss or injury resulting from a breach of PIPA AB [60] • Where the OIPC BC has made a final order, an individual may seek damages for actual harm resulting from a breach of PIPA BC [57] • Any person who has suffered material or nonmaterial damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered (including by way of a collective action) [82] Comparative Table of Personal Information Protection Laws (Canada) 22 Personal Information Protection and Electronic Documents Act (PIPEDA) 1 Consumer Privacy Protection Act (CPPA), as proposed in Bill C-27 2 Act respecting the protection of personal information in the private sector, as amended by Bill 64 3 Alberta Personal Information Protection Act (PIPA AB) BC Personal Information Protection Act (PIPA BC) General Data Protection Regulation (GDPR) 29. 
Statutory certification programs • N/A • While it remains subject to its obligations under the CPPA [80], an organization may seek the approval of the OPC for a: - Code of practice: provides for substantially the same or greater protection of personal information as some or all of the protection provided under the CPPA [76] and - Certification program: a program that meets the criteria set out in the regulations (to come) [77]. • N/A • N/A • N/A • Code of conduct or certification mechanism to facilitate monitoring of privacy compliance [40 to 43]