Through the proposed Digital Charter Implementation Act, 2020 (DCIA), the Government of Canada intends to establish a new privacy law for the private sector, the Consumer Privacy Protection Act (CPPA). If passed, the DCIA would significantly increase protections for Canadians' personal information by giving Canadians more control and greater transparency when companies handle their personal information. The DCIA would also provide significant new consequences for non-compliance with the law, including steep fines for violations.
What does the Digital Charter Implementation Act, 2020 mean for me?
- Meaningful consent: Modernized consent rules would ensure that individuals have the plain-language information they need to make meaningful choices about the use of their personal information.
- Data mobility: To further improve their control, individuals would have the right to direct the transfer of their personal information from one organization to another. For example, individuals could direct their bank to share their personal information with another financial institution.
- Disposal of personal information and withdrawal of consent: The accessibility of information online makes it hard for individuals to control their online identity. The legislation would allow individuals to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
- Algorithmic transparency: The CPPA contains new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about how they use such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.
- De-identified information: The practice of removing direct identifiers (such as a name) from personal information is becoming increasingly common, but the rules that govern how this information is then used are not clear. The legislation will clarify that this information must be protected and that it can be used without an individual's consent only under certain circumstances.
Will this new legislation limit innovation?
Canada needs to keep pace with other countries that are taking aggressive action to support trust and privacy. For example, the European Union and the United States have new privacy and e-protection laws. The proposed CPPA is an important step in ensuring Canadians can trust that their data is safe and their privacy is respected, while allowing innovation that promotes a strong economy. Changes that support business innovation include:
- Simplifying consent: In the digital economy, the use of personal information is often core to the delivery of a product or service, and consumers can reasonably expect that their information will be used for this purpose. Currently, organizations are required to seek consent for such uses, which makes privacy policies longer and less accessible and creates a burden. The legislation would remove the burden of having to obtain consent when that consent does not provide any meaningful privacy protection.
- Data for good: Greater data sharing and access between the public and private sectors can help to solve some of our most important challenges in fields such as public health, infrastructure and environmental protection. The legislation would allow businesses to disclose de-identified data to public entities (under certain circumstances) for socially beneficial purposes.
- Recognition of codes of practice and certification systems: To help organizations understand their obligations under the CPPA and demonstrate compliance, the legislation would allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors or business models.
Strengthened enforcement and oversight
- Comprehensive and accessible enforcement model: Under the CPPA, the Privacy Commissioner would have broad order-making powers, including the ability to force an organization to comply with its requirements under the CPPA and the ability to order a company to stop collecting data or using personal information. The Privacy Commissioner would also be able to recommend that the Personal Information and Data Protection Tribunal impose a fine. The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. It also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million.
What about social media?
Social media platforms are already subject to the same laws as other organizations operating in the Canadian marketplace. The CPPA would ensure that Canadians have the ability to demand that their information on these platforms be permanently deleted. When consent is withdrawn or information is no longer necessary, Canadians can demand that their information be destroyed. To reinforce this, the Privacy Commissioner will have the ability to order a social media company to comply, including ordering it to stop collecting data or using personal information.