PIPEDA: The evolution of data privacy legislation
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became law in 2000, and is the Canadian federal-level law protecting personal information. Broadly speaking, it applies to private-sector businesses that operate in or have impact across more than one province (for example, railways, banks, radio stations). As of November 2020, it’s also joined the ranks of national and local privacy laws facing major overhauls in light of the challenges our increasingly online environment poses to protecting personal data.
A few recent examples of countries and areas moving towards a more consumer rights-driven model of privacy legislation include:
- California, where the California Privacy Rights Act will take over from the current California Consumer Privacy Act in 2023
- Brazil, where the Lei Geral de Proteção de Dados Pessoais (LGPD) went into effect in 2020
- New Zealand, where the latest update to the Privacy Act from 2020 adds clarity to its extraterritorial application, increases enforcement options, and expands consumer rights
While enforcement varies from region to region, recent cases like the initial $124 million fine levied against the Marriott hotel chain, Capital One’s $80 million penalty, and British Airways’ $26.2 million fine indicate that governments are increasingly willing to issue fines and empower oversight bodies where self-regulation proves insufficient to protect sensitive data.
PIPEDA and Bill C-11
Canada, as one of the 12 countries benefiting from an adequacy decision under the EU’s General Data Protection Regulation (GDPR), is anticipating a reassessment of that adequacy decision by or before 2022. (An adequacy decision indicates that the EU has determined that a given country’s privacy protections are essentially equivalent to those offered in the EU, and permits cross-border transfers of personal data to that country with no further safeguards required.)
Bill C-11 proposes:
- A new private-sector privacy law, the Consumer Privacy Protection Act (CPPA)
- A Personal Information and Data Protection Tribunal
- New powers for the Office of the Privacy Commissioner (currently only an advisory body), which will be able to:
  - Issue binding orders
  - Recommend monetary penalties of up to 5% of an organization’s global revenue or $25,000,000 to the Personal Information and Data Protection Tribunal
- Expanded consumer rights, which include:
  - Right to deletion
  - Right to withdrawal of consent
  - Right to data mobility
Bill C-11 also adds a transparency requirement around automated decision-making, similar to that in the GDPR.
The CPPA will replace substantial portions of PIPEDA, and the parts of PIPEDA that remain will be renamed the Electronic Documents Act. It will also result in minor alterations to other acts, including the Competition Act and the Canada Business Corporations Act.
This update, together with the Competition Bureau’s recent moves to enforce accuracy in privacy disclosures, brings Canada increasingly into alignment with global developments in privacy.
Key points for compliance
In line with other recent items of privacy legislation, Bill C-11 targets transparency, consumer rights, de-identification of personal information and consent.
Collecting, using and retaining personal information
The collection, use and retention of personal information requires express, specific and informed consent at or before collection. Personal information must be limited to the minimum required for the purpose, and retained only for as long as reasonably needed for that purpose, or as otherwise required by law.
Organizations must designate someone to be responsible for their privacy compliance, and make contact information for that person readily available on request. Organizations must provide disclosure in plain language, and maintain policies, procedures and staff training to support their compliance with the act. Organizations are responsible for personal information they control, even when that information is processed by service providers. Organizations must protect personal information through physical, organizational, and technological security safeguards.
With some exceptions, organizations must respond within 30 days of receiving a request and must provide any necessary support with the request process. They can’t charge for responding to a request unless the organization has notified the consumer of the cost, the cost to the consumer is minimal, and the consumer, once advised, doesn’t withdraw the request. The requests consumers may make include:
- Access — consumers may request access to any personal information an organization holds concerning them, and how that information is being used and disclosed.
- Automated decisioning — consumers may ask organizations if a prediction, recommendation, or decision about them was made using automated decisioning, and how that prediction, recommendation, or decision was made.
- Challenge compliance — a consumer may challenge an organization’s compliance with the act.
- Deletion — a consumer may request deletion of their information.
- Mobility — consumers may request that an organization disclose their personal information to another organization.
- Withdrawal of consent — a consumer may withdraw their consent with reasonable notice to the organization.
Personal information protection in the spotlight
With the explosion in data-driven businesses enabled by the internet, personal information is a very valuable commodity. Sufficient information allows businesses to predict what consumers will want to buy, when and where they’re likely to want to buy it — and even target certain individuals to influence them to want to buy certain products.
However, that kind of insight isn’t coveted only by legitimate business. Cyberattacks generate more than $1.5 trillion in revenue for criminals each year (for comparison, Apple, Amazon, Facebook, Tesla, and Microsoft made a combined total of $761 billion in 2019).
To underscore the increasing priority on protecting personal data, as of 2020, 66% of countries worldwide have some form of data protection legislation in place, and a further 10% have draft legislation in progress. While a major focus of these laws is to educate and empower individuals to share their data wisely, a number of governments have been willing to put oversight bodies in place where self-regulation has proven ineffective.
All in all, organizations are facing growing pressure to be transparent about how they obtain and use personal information, ensure they secure it adequately, and treat the consumers who own that information with consideration and respect. The payoff? Consumer trust, and increased willingness to share that precious resource — personal information.