Canada renews its private-sector privacy law

Canada is about to go through a major reform in its private-sector privacy legislation. The newly proposed Consumer Privacy Protection Act - CPPA will repeal PIPEDA and enhance rights of consumers in Canada.

Privacy Laws in Canada

In Canada, there are 2 federal privacy laws - the Privacy Act which is applicable to how the federal government handles personal information, and the Personal Information Protection and Electronic Documents Act, or PIPEDA which applies to private sector organizations.

PIPEDA applies to for-profit organizations across Canada. It also applies to the personal information of employees of federally-regulated businesses such as banks, airlines and telecommunications companies.

Even though PIPEDA is a federal law, it does not apply in certain provinces. Namely, the provinces of Quebec, Alberta and British Columbia have their own private-sector privacy laws which have been deemed substantially similar to PIPEDA. Organizations in these provinces are generally exempt from PIPEDA regarding collecting, using, or disclosing personal information within that province. 

What is PIPEDA?

The private-sector federal privacy law of Canada has been in effect since 2000, a long time before the boom of the massive data processing we witness today. It has been through several amendments to adjust to the most recent technology and the new data collection and processing methods. 

According to Section 3 of PIPEDA, this law aims to establish rules for collecting, using, and disclosing personal information to ensure the protection of personal information of people.

PIPEDA fulfills its purpose by setting out the following 10 PIPEDA principles. 

1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limited Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

The principles are embedded throughout the PIPEDA and are reflected in various provisions of the law. Businesses that need to comply with PIPEDA are obliged to take these principles into account and embed them into their privacy practices.

New Privacy Law in Canada

In order to keep pace with the technological developments and bring its privacy law into harmony with other major laws in the world such as the GDPR, Canada started a process of renewing its privacy legislation in 2020. A new legislative initiative called Bill C-11 was introduced to replace PIPEDA in 2020. However, Bill C-11 never made it into law. In 2022, another legislative initiative called Bill C-27 was introduced that retained the main elements of Bill C-11. Just like its predecessor, Bill C-27 introduces a new privacy legislation, called Consumer Privacy Protection Act (CPPA) and repeals PIPEDA. It also introduces the Personal Information and Data Protection Tribunal Act ("PIDPTA"), which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA. 

The regulatory reform in Canada aims to put Canada into the map of countries and regions with robust, comprehensive data protection and privacy laws. The CPPA is very similar to the GDPR in Europe and aims to enhance the protections under PIPEDA to further protect residents. The new law does not affect the governing principles of PIPEDA. However, it will establish new rules about how businesses can collect, use, and disclose personal information.

What are the differences between PIPEDA and CPPA?

Here are the main differences between PIPEDA and CPPA:

1. Penalties

The monetary penalties set out under the CPPA are much higher compared to those of PIPEDA. According to the CPPA, businesses may be subject to a fine of 10,000,000 CAD or 3% of their gross global revenue in its financial year before the one in which the fine was imposed, whichever is higher. Besides, there are more severe offenses under the CPPA which are punishable in the amount of 25,000,000 CAD or 5% of their gross global revenue in its financial year before the one in which the fine was imposed, whichever is higher. Monetary fines under the PIPEDA were quite less (up to 100,000 CAD) compared to the new legislative initiative. 

2. Enhanced Rights of Data Subjects

Under the CPPA, consumers will have enhanced rights compared to their existing rights under the PIPEDA. For example, CPPA will grant consumers the right to request deletion of their data, as well as the right to data portability. 

3. Automated Decision Making

Under the CPPA, if businesses use automated decision-making systems that could impact individuals, they are required to provide information about this. Furthermore, the businesses must be able to explain how personal information was used to make the decision. This is similar to the provision of the GDPR related to automated decision-making systems and was not enshrined under the PIPEDA.

4. Express consent for Minors’ Data

The CPPA considered personal information of minors as sensitive data and requires businesses to obtain explicit consent to collect, use, and disclose personal information of minors.

5. Legitimate Interests

Like the GDPR, businesses will be able to rely on their legitimate interests in order to collect, process and disclose personal information. The CCPA sets out that organizations may collect and use personal data without consent if it is for a business activity in which the organization has a legitimate interest, provided that the legitimate interests outweigh the potential adverse effect on individuals resulting from that collection or use of data.

Final Notes

It must be underlined that the CPPA is not yet passed into law. However, it would not be unrealistic to expect it to be enacted as a law any time soon. Organizations already must start thinking about the new legislation in Canada as the new law is not far away.