In 2022 the federal government introduced a complete overhaul of private sector privacy law, designed to regulate an organization’s privacy practices and further protect individuals’ personal information. The CPPA will replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in force since 2001. The CPPA is built on the foundation of PIPEDA and its ten fair information principles, but the draft CPPA proposes changes, some of which include the following:
The consent clauses of the CPPA are consistent with PIPEDA’s ten fair information principles. However, the draft CPPA also includes specific guidance on the requirements for consent to be valid. An organization must provide specific information in plain language, including:
- the purposes for the collection, use or disclosure of personal information
- the way in which personal information is collected, used and disclosed
- the foreseeable consequences of the collection, use or disclosure
The safeguard provisions are also consistent with PIPEDA’s ten fair information principles, including the principle of technological security safeguards. The draft CPPA requires an organization to consider the sensitivity of the personal information, as well as its distribution, quantity, format and method of storage, when establishing safeguards.
Privacy Management Program
PIPEDA currently requires organizations to have policies and practices; under the CPPA, however, there would be a requirement to implement a “privacy management program.” The program would include the organization’s policies, practices and procedures.
The CPPA will create a new legal claim for privacy breaches. It will give individuals a statutory right of action to claim damages from an organization as compensation once the Privacy Commissioner finds that the organization violated their rights under the Act.
The draft also proposes a Personal Information and Data Protection Tribunal, which will have authority over various findings, orders and decisions made under the CPPA, including penalties under the Act.
Significant Penalties for Business Non-Compliance
Under PIPEDA the penalty provisions are limited. Under the draft CPPA, however, a contravention of obligations can be reported to the Tribunal by the Privacy Commissioner, and the Tribunal has the power to levy significant fines. Relevant contraventions include the provisions on valid consent, the requirement to dispose of personal information, and the obligation to have the necessary safeguards in place. The maximum penalty is the greater of $10 million and 3% of gross global revenue.
Under the draft CPPA, there will be even more significant penalties for businesses found to have knowingly contravened the Act. Organizations could face an indictable offence and be liable for fines not exceeding $25 million or 5% of gross global revenue. The penalties could apply to the following contraventions:
- Knowingly failing to report a breach of security safeguards that poses a real risk, or failing to notify the affected individuals of such a breach
- Knowingly contravening the obligation to keep a record of breaches and to retain personal information that is the subject of a request
- Knowingly using de-identified information to identify an individual
- Not complying with an order issued by the Privacy Commissioner
- Obstructing the Commissioner in the investigation of a complaint
When enacted, the CPPA will significantly increase regulatory scrutiny of organizations’ privacy practices. Organizations will need to undertake a comprehensive review of how they conduct business and to manage their privacy practices, policies and procedures with the draft legislation in mind.