The federal government has proposed legislation that would overhaul Canada's data privacy laws, bringing them more in line with international standards.
In addition to providing individuals more control over their data and increasing transparency on how organizations use this data, the proposed reforms broaden the authorities of the Privacy Commissioner and allow for significantly heavier penalties than what is currently available under the Personal Information Protection and Electronic Documents Act (PIPEDA).
If Bill C-11, the Digital Charter Implementation Act, is passed, the Consumer Privacy Protection Act (CPPA) would be enacted to replace PIPEDA.
Highlights of CPPA
- The federal Privacy Commissioner would have the ability to investigate violations, impose orders against organizations and recommend penalties.
- Maximum penalties for offences would be 5% of an organization’s global revenues or $25 million (whichever is higher).
- Organizations must still obtain consent from individuals to collect and use their personal data as per PIPEDA. However, for consent to be valid, certain information must be provided to individuals in "plain language", including the type of data being collected; how the data is being collected; the purposes of data collection; any potential consequences of the data's collection, use or disclosure; and any third parties that will have access to the data.
- Individuals would have the right to request that organizations transfer their personal data to other organizations, delete their data (subject to certain limitations), and withdraw consent for use of their data.
- Individuals would have the right to request that organizations explain how an automated decision-making system made a prediction, recommendation or decision and how information was collected.
- Organizations would be allowed to use personal information without consent if the purpose is to de-identify the information. Organizations would also be permitted to use de-identified data without consent under certain circumstances.
- Where the Privacy Commissioner finds that an organization has violated an individual's privacy, the affected individual can sue for compensation.
Bill C-13 also proposes to enact the Personal Information and Data Protection Tribunal Act, creating an administrative tribunal that determines and imposes penalties, and hears appeals of the Privacy Commissioner’s decisions.