In several countries around the world, lawmakers are grappling with how to protect the privacy of their citizens’ data. In other countries with well-established data privacy laws, measures are under consideration to bolster existing laws. Canada is one such country where the proposed Digital Charter Implementation Act, 2020, otherwise known as “Bill C-11”, is before Parliament. If passed, Bill C-11 will create the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”), implementing broad rights-driven changes to data privacy in Canada – with actionable consequences for companies that conduct business in the country.
What is the scope of the CPPA?
The CPPA would apply to any Canadian organization that collects individuals’ data. It adopts the existing Ten Data Privacy Principles of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and would create new compliance requirements for organizations operating in Canada.
How will the CPPA be enforced?
The CPPA strengthens the federal Privacy Commissioner’s powers of investigation and enforcement and establishes financial penalties for violations of the Act, amounting to the higher of $10 million or 3% of the organization’s global turnover in the financial year prior to the year in which the penalty is imposed. It would also create a private right of action for violations occurring within the previous two years.
What does it mean to acquire valid consent?
The CPPA also specifies how organizations must acquire valid consent for the collection and use of personal data. Generally, an organization must obtain an individual’s express consent and clearly disclose:
- The purposes for the collection, use, or disclosure of personal information determined by the organization;
- The way in which the personal information is to be collected, used, or disclosed;
- Reasonable, foreseeable consequences of the collection, use, or disclosure of personal information when obtaining consent from an individual;
- The specific type of personal information that is to be collected, used and disclosed; and
- The names or types of third parties to which the organization may disclose personal information when obtaining consent from an individual.
What does this mean for the use of artificial intelligence in hiring?
If an organization uses algorithm-driven decision making, such as artificial intelligence, in hiring, the CPPA also requires that an organization explain why a specific prediction, recommendation, or decision was made by an algorithm based on the individual’s personal data. Organizations must also retain for a sufficient period of time the personal information used in algorithm-driven decisions, to permit the individual to make an access request.
What rights do individuals have under the CPPA?
Individuals are also afforded the right to request that an organization directly transfer their personal information from the originating organization to another entity. Individuals may also request that their data be disposed of in accordance with the CPPA.
While it’s premature for employers to make any substantive changes to their privacy or security processes in Canada, it’s not too early to start planning for the possible passage of Bill C-11. Employers are encouraged to inventory their Canadian data handling practices in anticipation of possible changes to the law.