Privacy practice tune-up – getting ready for the Consumer Privacy Protection Act
As we wrote about earlier, Canada’s federal government has proposed a replacement to our national privacy law for commercial transactions known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
The new bill is the Digital Charter Implementation Act, and this bill in turn would create a new Consumer Privacy Protection Act (“CPPA”) which would replace the privacy portion of PIPEDA.
The CPPA will likely not come into force for a year or more, while consultations and the drafting of regulations proceed.
However, the proposed CPPA does restate and expand on the existing privacy law requirements of PIPEDA, and if your business needs a privacy tune-up then CPPA can provide a useful guide, with better detail than PIPEDA offers now.
Privacy management program
For example, CPPA requires all organizations (including businesses) to implement a “privacy management program” including policies, practices and procedures for protection of personal information, complaints handling, training of personnel and for explaining these practices to the public. This program must take into account the “volume and sensitivity of the personal information” under the organization’s control.
CPPA also obliges an organization to provide the federal Privacy Commissioner with access to all policies, practices and procedures of its privacy management program, merely upon request, which of course could give the Commissioner a good look into any program gaps. If the Commissioner has reasonable grounds to believe that a breach of privacy obligations has occurred, then the Commissioner may choose to “audit” these practices.
Further detail on consent
The required consent for use of personal information is also described in CPPA in greater detail, and states that consent is only valid if at or before the time that the organization seeks the individual’s consent, it provides the following information in “plain language”:
(a) the purposes for the collection, use or disclosure;
(b) the way in which the personal information is to be collected, used or disclosed;
(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
(d) the specific type of personal information that is to be collected, used or disclosed; and
(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.
Consent must be obtained at or before collection, and must be express unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information.
Plain language privacy policies
CPPA also gives clearer guidance on privacy policies to be made available to customers and others providing personal information, which must again be in “plain language” and include at least the following:
(a) a description of the type of personal information under the organization’s control;
(b) a general account of how the organization makes use of personal information, including how the organization applies any permitted exceptions;
(c) a general account of the organization’s use of any automated decision system (e.g. AI systems) to make predictions, recommendations or decisions about individuals that could have significant impacts on them;
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
(e) how an individual may make a request for disposal or access; and
(f) the business contact information for your privacy officer.
While the policy requirements above about automated decision systems and international and interprovincial transfers are part of many policies now, they are new as express requirements of the law.
Therefore, all businesses that may be considering a tune-up of their privacy practices and policies should review the standards as outlined in the proposed CPPA, including those above.
This article is provided for general information only. If you have any questions about the above, please contact a member of our Privacy group.
Click here to subscribe to Stewart McKelvey Thought Leadership articles and updates.
Archive
INTRODUCTION On December 6, 2012, The Nova Scotia Department of Environment (NSE) released Draft Ministerial Protocols (the “Draft Protocols”) related to contaminated sites. The release of the Draft Protocols has been eagerly anticipated. The adoption…
Read MoreRecent changes to the Rules of the Supreme Court, 1986, SNL 1986, c 42, Sch D On December 14, 2012, several changes were made to the Rules of the Supreme Court. These changes include: who may act…
Read MoreIN THIS ISSUE: Putting Trust in your Estate Planning, by Paul Coxworthy and Michael McGonnell The Risks, for Insurers in Entering Administration Services Only (ASO) Contracts, by Tyana Caplan Angels in Atlantic Canada, by Allison McCarthy, Gavin Stuttard and Adam Bata…
Read MoreBill 31, An Act Respecting Human Rights, came into force on June 24, 2010 replacing the Human Rights Code (the “Code”). For more information, please download a copy of this client update.
Read MoreIN THIS ISSUE Expanded Fines and Penalties for Environmental Offences: The New Federal Environmental Enforcement Act Spam about to be Canned? Preparing a Business for Sale Business Disputes Corner – Place of Arbitration and Selected…
Read MoreThe Nova Scotia Court of Appeal has unanimously upheld the province’s legislative limits on general damage recovery for “minor injuries”. Today’s decision, authored by Chief Justice Michael MacDonald, completely affirms the January 2009 decision of…
Read MoreThe Canada Revenue Agency (“CRA”) announced helpful administrative positions concerning the new rules under the Fifth Protocol to the Canada-US Income Tax Convention, 1980 which will come into effect on January 1, 2010. The CRA…
Read MoreIN THIS ISSUE Contractor Held Liable for Business Interruption: Heyes v. City of Vancouver, 2009 BCSC 651 When Can a Tendering Authority Walk Away if Bids are Too High? Crown Paving Ltd. v. Newfoundland &…
Read MoreWithholding tax and other issues under the Fifth Protocol The Fifth Protocol to the Canada-US Tax Convention, 1980 introduced significant changes which may affect the use of most unlimited companies and other so-called ULCs. These…
Read MoreIN THIS ISSUE An Eye for an Eye: Alberta Court of Appeal Upholds Finding of Retaliation Liability as a Result of Generosity in Quebec Undue Hardship Established in Scent Case Parents of Twins Get Double…
Read More- « Previous
- 1
- …
- 61
- 62
- 63