Skip to content

Privacy practice tune-up – getting ready for the Consumer Privacy Protection Act

Rob Aske

As we wrote about earlier, Canada’s federal government has proposed a replacement to our national privacy law for commercial transactions known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The new bill is the Digital Charter Implementation Act, and this bill in turn would create a new Consumer Privacy Protection Act (“CPPA”) which would replace the privacy portion of PIPEDA.

The CPPA will likely not come into force for a year or more, while consultations and the drafting of regulations proceed.

However, the proposed CPPA does restate and expand on the existing privacy law requirements of PIPEDA, and if your business needs a privacy tune-up then CPPA can provide a useful guide, with better detail than PIPEDA offers now.

Privacy management program

For example, CPPA requires all organizations (including businesses) to implement a “privacy management program” including policies, practices and procedures for protection of personal information, complaints handling, training of personnel and for explaining these practices to the public. This program must take into account the “volume and sensitivity of the personal information” under the organization’s control.

CPPA also obliges an organization to provide the federal Privacy Commissioner with access to all policies, practices and procedures of its privacy management program, merely upon request, which of course could give the Commissioner a good look into any program gaps. If the Commissioner has reasonable grounds to believe that a breach of privacy obligations has occurred, then the Commissioner may choose to “audit” these practices.

Further detail on consent

The required consent for use of personal information is also described in CPPA in greater detail, and states that consent is only valid if at or before the time that the organization seeks the individual’s consent, it provides the following information in “plain language”:

(a) the purposes for the collection, use or disclosure;

(b) the way in which the personal information is to be collected, used or disclosed;

(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;

(d) the specific type of personal information that is to be collected, used or disclosed; and

(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.

Consent must be obtained at or before collection, and must be express unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information.

Plain language privacy policies

CPPA also gives clearer guidance on privacy policies to be made available to customers and others providing personal information, which must again be in “plain language” and include at least the following:

(a) a description of the type of personal information under the organization’s control;

(b) a general account of how the organization makes use of personal information, including how the organization applies any permitted exceptions;

(c) a general account of the organization’s use of any automated decision system (e.g. AI systems) to make predictions, recommendations or decisions about individuals that could have significant impacts on them;

(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;

(e) how an individual may make a request for disposal or access; and

(f) the business contact information for your privacy officer.

While the policy requirements above about automated decision systems and international and interprovincial transfers are part of many policies now, they are new as express requirements of the law.

Therefore, all businesses that may be considering a tune-up of their privacy practices and policies should review the standards as outlined in the proposed CPPA, including those above.


This article is provided for general information only. If you have any questions about the above, please contact a member of our Privacy group.

Click here to subscribe to Stewart McKelvey Thought Leadership articles and updates.

SHARE

Archive

Search Archive


 
 

TTC’s Random Testing Decision: A Bright Light for Employers in the Haze of Marijuana Legalization

April 11, 2017

Rick Dunlop In my December 15, 2016 article, Federal Government’s Cannabis Report: What does it mean for employers?, I noted the Report’s1 suggestion that there was a lack of research to reliably determine when individuals are impaired…

Read More

Unionization in the Construction Industry: Vacation Day + Snapshot Rule = Disenfranchisement

April 4, 2017

Rick Dunlop and Michelle Black On March 14, 2014, CanMar Contracting Limited (“CanMar”) granted a day off to two of its hard working and longer serving employees so they could spend time with their respective families. That…

Read More

Sometimes a bad deal is just a bad deal: unconscionability and insurance claim settlements in Downer v Pitcher, 2017 NLCA 13

March 16, 2017

Joe Thorne and Meaghan McCaw The doctrine of unconscionability is an equitable remedy available in exceptional circumstances where a bargain between parties, be it a settlement or a release, may be set aside on the basis that…

Read More

Privilege Prevails: Privacy Commissioner protects solicitor-client communications

March 16, 2017

Jonathan Coady After more than five years, the Prince Edward Island Information and Privacy Commissioner (the “Privacy Commissioner”) has completed her review into more than sixty records withheld by a local school board on the…

Read More

The Latest in Labour Law: A Stewart McKelvey Newsletter – Nova Scotia Teachers Union & Government – a synopsis

March 7, 2017

Peter McLellan, QC & Richard Jordan Introduction On February 21, 2017 the Nova Scotia Government passed Bill 75 – the Teachers’ Professional Agreement and Classroom Improvement (2017) Act. This Bulletin will provide some background to what is, today,…

Read More

Scotia Mortgage Corporation v Furlong: The Supreme Court of Newfoundland and Labrador weighs in on the former client rule in commercial transactions

March 1, 2017

Bruce Grant, QC and Justin Hewitt In the recent decision of Scotia Mortgage Corporation v Furlong1 the Supreme Court of Newfoundland and Labrador confirmed that where a law firm acts jointly for the borrower and lender in the placement…

Read More

The Ordinary Meaning of Insurance: Client Update on the SCC’s Decision in Sabean

February 21, 2017

The Supreme Court of Canada released its decision in Sabean v Portage La Prairie Mutual Insurance Co, 2017 SCC 7 at the end of January, finally answering an insurance policy question that had divided the lower…

Read More

Client Update: Outlook for the 2017 Proxy Season

February 8, 2017

In preparing for the 2017 proxy season, you should be aware of some regulatory changes and institutional investor guidance that may impact disclosure to, and interactions with, your shareholders. This update highlights what is new…

Read More

Client Update: The Future of Planning and Development on Prince Edward Island – Recent Amendments to the Planning Act

January 23, 2017

Perlene Morrison and Hilary Newman During the fall 2016 legislative sitting, the Province of Prince Edward Island passed legislation that results in significant changes to the Planning Act. The amendments received royal assent on December 15, 2016 and…

Read More

Plaintiffs’ medical reports – disclosure obligations in Unifund Assurance Company v. Churchill, 2016 NLCA 73

January 10, 2017

Joe Thorne1 and Justin Hewitt2 In Unifund Assurance Company v Churchill,3  the Newfoundland and Labrador Court of Appeal considered the application of our rules of court and the common law as they relate to disclosure of documents produced in…

Read More

Search Archive


Scroll To Top