Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Not Just Your Same Old Privacy Legislation: A Compliance Briefing for Privacy Officers on the New Canadian Consumer Privacy Protection Act
In June 2022, Bill C-27, or "An Act to enact the Consumer Privacy Protection Act (the Act) and, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts" (Bill C-27) was introduced by the Minister of Innovation, Science and Industry, and underwent First Reading, as a replacement to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). (This is in fact the second effort by the federal government to enact this replacement to PIPEDA. In 2021, Bill C-11 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts) — the mooted replacement for PIPEDA — passed Third Reading of the legislative process, but Canada then had a federal election, and as a result Bill C-11 died prior to being enacted.) Prior to the introduction of the Act, there were concerns that it would effectively be a "'Made in Canada' GDPR". However, while the Act has taken the lead from the EU General Data Protection Regulation in introducing financially enormous penalties, as well as the right of data portability and the right to be forgotten, enough of the original PIPEDA remains such that the Act is now effectively a PIPEDA/GDPR hybrid.
This article, which reviews the Act (other than the Artificial Intelligence and Data Act, which — as it is completely new to the Canadian legislative landscape — will require its own future article) first seeks to identify the delta between the Act and PIPEDA in order to allow privacy officers of organizations that are already PIPEDA compliant to identify the net new compliance requirements under the Act and second, to highlight the provisions of the Act which, if breached, could lead to the imposition of significant fines, and use those as a guide as to which "hot button" features of an organization's privacy compliance program will likely be the focus of enforcement, and as such should therefore be revisited by privacy officers.
Introduction
The Act both introduces new GDPR concepts of the right of data portability, the right to be forgotten and codes of practice (as well as more discrete concepts such the "legitimate interests" consent exemption, but also largely copies certain pre-existing rights in PIPEDA. (The Act is also known as the Digital Charter Implementation Act, 2022. However, as we review herein, the core of the Act is the Consumer Privacy Protection Act, rather than the Personal Information and Data Protection Tribunal Act which effects the creation of the Data Tribunal, the Artificial Intelligence and Data Act, and the various ancillary amendments. As a result, references to "the Act" in this article are references to the Consumer Privacy Protection Act.) In many cases these pre-existing rights have simply been lifted from their previous position in the "Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96": a set of principles in a voluntary model code, that the original drafters of PIPEDA somewhat awkwardly attached as a schedule to PIPEDA such the principles were then binding. Under the Act, this Schedule has now been eliminated. (This was never an entirely satisfactory legislative structure, and organizations are well shut of it.) In effect, while the Act introduces a few new individual rights of significance based on GDPR with which Canadian organizations will need to become familiar, many of the individual rights are simply PIPEDA redux — i.e., restatements, clarification and expansions on existing PIPEDA provisions. This will assist organizations seeking to comply with the Act, if and when it comes into force.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
Bonus Content: How Emerging Technologies Are Impacting IP: A Chat With Legalweek Speaker Ryan Phelan
In advance of Legalweek '25, a Q&A with conference speaker Ryan Phelan, a partner at Marshall, Gerstein & Borun and founder and moderator of legal blog PatentNext, to discuss how courts and jurisdictions are handling novel technologies, the copyrightability of AI-assisted art, and more.
Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace
Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.
Is Google Search Dead? How AI Is Reshaping Search and SEO
This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.
While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum
For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.
Revolutionizing Workplace Design: A Perspective from Gray Reed
In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.