Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Not Just Your Same Old Privacy Legislation: A Compliance Briefing for Privacy Officers on the New Canadian Consumer Privacy Protection Act
In June 2022, Bill C-27, or "An Act to enact the Consumer Privacy Protection Act (the Act) and, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts" (Bill C-27) was introduced by the Minister of Innovation, Science and Industry, and underwent First Reading, as a replacement to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). (This is in fact the second effort by the federal government to enact this replacement to PIPEDA. In 2021, Bill C-11 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts) — the mooted replacement for PIPEDA — passed Third Reading of the legislative process, but Canada then had a federal election, and as a result Bill C-11 died prior to being enacted.) Prior to the introduction of the Act, there were concerns that it would effectively be a "'Made in Canada' GDPR". However, while the Act has taken the lead from the EU General Data Protection Regulation in introducing financially enormous penalties, as well as the right of data portability and the right to be forgotten, enough of the original PIPEDA remains such that the Act is now effectively a PIPEDA/GDPR hybrid.
This article, which reviews the Act (other than the Artificial Intelligence and Data Act, which — as it is completely new to the Canadian legislative landscape — will require its own future article) first seeks to identify the delta between the Act and PIPEDA in order to allow privacy officers of organizations that are already PIPEDA compliant to identify the net new compliance requirements under the Act and second, to highlight the provisions of the Act which, if breached, could lead to the imposition of significant fines, and use those as a guide as to which "hot button" features of an organization's privacy compliance program will likely be the focus of enforcement, and as such should therefore be revisited by privacy officers.
|Introduction
The Act both introduces new GDPR concepts of the right of data portability, the right to be forgotten and codes of practice (as well as more discrete concepts such the "legitimate interests" consent exemption, but also largely copies certain pre-existing rights in PIPEDA. (The Act is also known as the Digital Charter Implementation Act, 2022. However, as we review herein, the core of the Act is the Consumer Privacy Protection Act, rather than the Personal Information and Data Protection Tribunal Act which effects the creation of the Data Tribunal, the Artificial Intelligence and Data Act, and the various ancillary amendments. As a result, references to "the Act" in this article are references to the Consumer Privacy Protection Act.) In many cases these pre-existing rights have simply been lifted from their previous position in the "Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96": a set of principles in a voluntary model code, that the original drafters of PIPEDA somewhat awkwardly attached as a schedule to PIPEDA such the principles were then binding. Under the Act, this Schedule has now been eliminated. (This was never an entirely satisfactory legislative structure, and organizations are well shut of it.) In effect, while the Act introduces a few new individual rights of significance based on GDPR with which Canadian organizations will need to become familiar, many of the individual rights are simply PIPEDA redux — i.e., restatements, clarification and expansions on existing PIPEDA provisions. This will assist organizations seeking to comply with the Act, if and when it comes into force.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
Strategy vs. Tactics: Two Sides of a Difficult Coin
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.