New Consumer Privacy Legislation
Recent changes have been proposed to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which has been in effect for over 20 years, and the Consumer Privacy Protection Act (“CPPA”). The new Bill was introduced on November 17, 2020 and, if passed, will replace a large majority of the two Acts, in areas such as mandatory reporting of data breaches, Commissioners, the Privacy Tribunal and Administrative Penalties. If this Bill is passed, the CPPA will ultimately strengthen Canada’s federal privacy legislation.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act is federal legislation that governs how companies manage, collect, use and disclose third-party personal information gathered in Canada in the course of a commercial transaction.
Jurisdiction and Application
The Bill applies to personal information that is collected, used and disclosed in the course of commercial activity. Therefore, changes will be made to PIPEDA with respect to how companies manage, collect, use and disclose third-party personal information gathered in Canada in the course of a commercial transaction, including information that is collected, used and disclosed internationally. The CPPA would also apply to firms located outside of Canada that collect information from people within Canada during a commercial activity, for example from a website.
Reporting Breach of Privacy
Since companies are required to protect the personal privacy of consumers, any breach of privacy is a reason for concern. For that reason, any breach must be reported to the Ontario Privacy Commissioner (“OPC”). Additionally, all affected individuals must be notified of the data breach.
Commissioners and Orders
The OPC has previously issued a draft policy, wherein it sought stakeholder input on the current status of PIPEDA’s ability to protect online reputation, or whether provisions of the Act should be bolstered. The OPC has been considering whether there are sufficient mechanisms to enforce against content published on the internet, where there are reputational concerns. Under PIPEDA, the Privacy Commissioner could only make findings and recommendations. However, the new legislation would now allow the Privacy Commissioner to make orders, instead of the need to go to Court and complete a two-step process.
Privacy Tribunal and Administrative Penalties
For the first time, the new legislation would create a Personal Information and Data Protection Tribunal. The Tribunal will have jurisdiction to impose penalties following a recommendation from the Privacy Commissioner, along with the jurisdiction to hear appeals and make orders and findings of the Privacy Commissioner. With the new Tribunal comes stricter Administrative Penalties including:
Using personal information for an improper purpose
Requiring a person to consent to the use of their personal information as a condition
Retaining personal information for longer than necessary
The penalty for being found guilty of any of the above offences is an indictable offence and a fine of a maximum of $25 million.