Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Not Just Your Same Old Privacy Legislation: A Compliance Briefing for Privacy Officers on the New Canadian Consumer Privacy Protection Act
In June 2022, Bill C-27, or "An Act to enact the Consumer Privacy Protection Act (the Act) and, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts" (Bill C-27) was introduced by the Minister of Innovation, Science and Industry, and underwent First Reading, as a replacement to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). (This is in fact the second effort by the federal government to enact this replacement to PIPEDA. In 2021, Bill C-11 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts) — the mooted replacement for PIPEDA — passed Third Reading of the legislative process, but Canada then had a federal election, and as a result Bill C-11 died prior to being enacted.) Prior to the introduction of the Act, there were concerns that it would effectively be a "'Made in Canada' GDPR". However, while the Act has taken the lead from the EU General Data Protection Regulation in introducing financially enormous penalties, as well as the right of data portability and the right to be forgotten, enough of the original PIPEDA remains such that the Act is now effectively a PIPEDA/GDPR hybrid.
This article, which reviews the Act (other than the Artificial Intelligence and Data Act, which — as it is completely new to the Canadian legislative landscape — will require its own future article) first seeks to identify the delta between the Act and PIPEDA in order to allow privacy officers of organizations that are already PIPEDA compliant to identify the net new compliance requirements under the Act and second, to highlight the provisions of the Act which, if breached, could lead to the imposition of significant fines, and use those as a guide as to which "hot button" features of an organization's privacy compliance program will likely be the focus of enforcement, and as such should therefore be revisited by privacy officers.
Introduction
The Act both introduces new GDPR concepts of the right of data portability, the right to be forgotten and codes of practice (as well as more discrete concepts such the "legitimate interests" consent exemption, but also largely copies certain pre-existing rights in PIPEDA. (The Act is also known as the Digital Charter Implementation Act, 2022. However, as we review herein, the core of the Act is the Consumer Privacy Protection Act, rather than the Personal Information and Data Protection Tribunal Act which effects the creation of the Data Tribunal, the Artificial Intelligence and Data Act, and the various ancillary amendments. As a result, references to "the Act" in this article are references to the Consumer Privacy Protection Act.) In many cases these pre-existing rights have simply been lifted from their previous position in the "Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96": a set of principles in a voluntary model code, that the original drafters of PIPEDA somewhat awkwardly attached as a schedule to PIPEDA such the principles were then binding. Under the Act, this Schedule has now been eliminated. (This was never an entirely satisfactory legislative structure, and organizations are well shut of it.) In effect, while the Act introduces a few new individual rights of significance based on GDPR with which Canadian organizations will need to become familiar, many of the individual rights are simply PIPEDA redux — i.e., restatements, clarification and expansions on existing PIPEDA provisions. This will assist organizations seeking to comply with the Act, if and when it comes into force.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
Major Differences In UK, U.S. Copyright Laws
This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.
Strategy vs. Tactics: Two Sides of a Difficult Coin
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
The Article 8 Opt In
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.
Removing Restrictive Covenants In New York
In Rockwell v. Despart, the New York Supreme Court, Third Department, recently revisited a recurring question: When may a landowner seek judicial removal of a covenant restricting use of her land?