Earlier this week, Minister Bains (Minister of Innovation, Science and Economic Development) tabled Bill C-11, the Digital Charter Implementation Act, 2020. Part I will enact the Consumer Privacy Protection Act (CPPA or the Act) and repeal Part I of PIPEDA. Part II will enact the Personal Information and Data Protection Tribunal Act (PIDPTA).
In many regards, CPPA is similar to PIPEDA. It is principle-based, and consent continues to be a central theme. However, it has also introduced some GDPR-inspired obligations such as the right to an explanation of automated decision-making and the right to deletion. Here are a few key highlights.
Scope: CPPA will apply to every federal organization in respect of personal information (PI) collected, used or disclosed in the course of commercial activities. It will also apply to current and prospective employees as well as contractors.
Basic Privacy Program Requirements: Organizations are required to implement a privacy management program with appropriate policies, practices, and procedures. While there is no strict requirement for a GDPR-like Data Protection Officer (DPO), organizations are required to designate one or more individuals to be responsible for their privacy program. Organizations are also required to provide access to their policies, practices, and procedures to the Commissioner upon request. Organizations are required to make the following information readily available in plain language:
- a description of the type of PI under their control;
- a general account of how the organization makes use of PI, including how it applies the exceptions to the requirement to obtain consent;
- a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals;
- whether or not the organization carries out any international or interprovincial transfer or disclosure of PI;
- how an individual may make a request for disposal; and
- the business contact information of the individual to whom complaints or requests for information may be made.
Organizations will likely need to update their privacy notices to ensure this information is readily available to their consumers.