Top 10 highlights from the Consumer Privacy Protection Act (CPPA)

Introduction

On November 17, 2020, the Minister of Innovation, Science, and Industry, Navdeep Bains, introduced Bill C-11. The bill attempted to modernize and, in some ways, toughen Canadian private sector privacy law by increasing efficiency and transparency over personal information stored by firms, as well as establishing new, potentially harsh penalties for non-compliance. This bill, called the Consumer Privacy Protection Act (CPPA), is set to replace its predecessor Personal Information Protection and Electronic Documents Act. This article highlights 10 important aspects of the CPPA and a few other factors for start-ups to keep in mind when dealing with the CPPA. 

Top Highlights from the Bill:

1. Big Penalties

Non-compliance with the CPPA will result in severe fines. For the most serious offenses, it allows for administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is greater. Currently, PIPEDA only allows for penalties for violations of the Digital Privacy Act, which are significantly less severe than those under the CPPA: the maximum fine for a violation of the Digital Privacy Act is $100,000. (though if there were multiple violations, which would not be uncommon, the fines could add up).

2. Powers of the Privacy Commissioner

The CPPA grants the federal Privacy Commissioner broad powers to issue orders against corporations and recommend penalties to a new “Personal Information and Data Protection Tribunal,” which is a departure from the traditional ombudsman approach. The Privacy Commissioner’s authority under PIPEDA is limited to making recommendations to a violating entity.

3. New Tribunal

A new “Personal Information and Data Protection Tribunal” will review appeals from the Privacy Commissioner’s decisions and determine and levy any penalties – which will have the same effect as a court order.

4. Global Application

This new law takes a broad approach to application, stating that it applies to all personal information that an organization collects, uses, or discloses, including information that is shared across provinces or worldwide. This represents the global economy’s rising digitization and globalization, which recognizes no borders and has been hastened by the COVID-19 Pandemic.

5. New Right of Action

It establishes a new legal claim for privacy breach. If the Privacy Commissioner finds that an organization has breached a person’s privacy under the CPPA and the Personal Information and Data Protection Tribunal agrees, the individual can sue the organization for compensation (within two years).

6. Data Portability and Deletion

It sets new individual data portability and deletion rights. Consumers can demand that one organization transmit their data to another (subject to yet-to-be-released restrictions), which is likely to be a boon to open banking. In what appears to be a restricted form of the “right to erasure,” individuals can request that an organization delete the personal information it has gathered about them, subject to certain conditions.

7. Algorithmic Transparency

It demands algorithmic openness. Consumers would now be able to demand that a company explain how an automated decision-making system arrived at a prediction, suggestion, or judgment.

8. Consent Exceptions

It “simplifies” consent requirements for organizations by allowing some (potentially broad) exceptions to when an organization must obtain an individual’s consent to collect, use, or disclose personal information, such as when the use of personal information is essential to the delivery of a product or service. This could have an impact on the information that an organization must disclose in a privacy policy, for instance.

9. Data De-Identification

It establishes new standards for data de-identification, such as permitting businesses to use an individual’s personal information without their agreement to de-identify their data, but it appears to restrict further uses of de-identified data. Organizations can also reveal de-identified data to public entities and governmental agencies for socially beneficial reasons in certain instances.

10. Codes of Practice

The concept of “Codes of Practice” is introduced. The CPPA allows private companies to create a “code” and internal certification programs for complying with the law, which must be approved by the Privacy Commissioner. The “code” will effectively establish the organization’s legal compliance requirements once it is authorized.

Will this legislation limit innovation?

For start-ups that work on providing the world with innovation, this is a question that might bother them. Since the legislation tends to come at par with the privacy legislation of the European Union, the UK and the USA one might think that innovation will be limited due to these legislations.

However, there are a few factors of the CPPA that support business innovation:

i. Simplifying Consent:

In the digital economy, the use of personal information is often core to the delivery of a product or service, and consumers can reasonably expect that their information will be used for this purpose. Currently, organizations are required to seek consent for such uses, making privacy policies longer and less accessible and creating a burden. The legislation would remove the burden of having to obtain consent when that consent does not provide any meaningful privacy protection.

ii. Data for Good:

Greater data sharing and access between the public and private sectors can help to solve some of our most important challenges in fields such as public health, infrastructure, and environmental protection. The legislation would allow businesses to disclose de-identified data to public entities (under certain circumstances) for socially beneficial purposes.

iii. Recognition of Codes of Practice and Certification Systems:

To help organizations understand their obligations under the CPPA and demonstrate compliance, the legislation would allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors, or business models.

Conclusion

Along with such changes in the data privacy legislation of Canada, a few questions still remain unanswered regarding a few aspects of the bill:

• What does “plain language” mean?
• Will the private right of action survive?
• Will CASL get an overhaul?
• How will provincial privacy legislation be affected?

Though unanswered, it has been seen that it is only through time and usage that are we really able to comprehend and answer the unanswered questions regarding legislation, which seems to be the same in the case of CPPA. This long-awaited law is more than a PIPEDA update; it is a reset – and a fascinating one. There is a lot to consider, and there will undoubtedly be debate among stakeholders about the scope and language of a number of sections. However, this is a significant and legitimate move to bring data security in the private sector in Canada in line with the digital and data society.

This article has been written by Ayush Sahay.