In June's monthly AccessPrivacy call, Adam Kardash, partner, Privacy and Data Management, explored key aspects of Bill C-27, the Digital Charter Implementation Act, 2022. The recently proposed bill introduced a new federal private sector privacy statute (the CPPA) that would replace the personal information protection framework under PIPEDA. If passed, the bill would also enact two other new statutes, (a) establishing an administrative tribunal to review matters arising from the new privacy framework, and (b) creating a risk-based approach to regulating trade and commerce in artificial intelligence systems.
Key aspects of the proposed CPPA, as discussed by Adam in the AccessPrivacy webinar, include:
- administrative monetary penalties of up to 3% of global revenue or $10 million CAD for non-compliant organizations
- an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million CAD
- provisions granting the Privacy Commissioner of Canada broad order-making powers
- the creation of a private right of action for losses or injuries arising from contraventions of the CPPA
- a requirement for organizations to implement a privacy management program
- a reinforcement of consent (especially express consent) as the primary authority for organizations to process personal information, and more prescriptive consent requirements
- clarifications and additional "exceptions to consent" authorities for the collection, use, or disclosure of personal information, for certain defined standard "business activities". The CPPA also includes an authority for collection or use without consent for "legitimate interests", subject to an organization conducting a prior assessment and fulfilling certain other conditions
- provisions relating to "de-identified" data and "anonymized" data
- provisions requiring organizations, under certain circumstances, to dispose of personal information upon an individual's request
- algorithmic transparency provisions that would provide individuals the right to request that businesses explain how a prediction, recommendation or decision — which could have a "significant impact" on the individual — was made by an automated decision-making system and explain how the information was obtained
- provisions granting individuals data mobility rights by allowing them to direct the transfer of their personal information from one organization to another
- a provision enabling organizations to request that the Privacy Commissioner of Canada approve codes of practice and certification systems setting out rules for how the CPPA could apply to certain activities, sectors or business models, and assist with demonstrating compliance
- a special status for personal information of minors
Adam also compared the proposed CPPA to the former Bill C-11, which died on the order paper before last fall's federal election.