Privacy and Cybersecurity Law

Brought to you by Dentons

C-11 – The act to enact the Consumer Privacy Protection Act: Five top measures to get ready

By Chantal Bernier
December 10, 2020
  • Canada

Chantal Bernier, National Practice Leader, Privacy and Cybersecurity, Dentons Canada LLP; former Interim Privacy Commissioner of Canada

C-11, An Act to enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, is arguably so balanced and pragmatic that it is reasonable to expect it will become law, essentially as is, before the end of 2021, barring an election. It will apply to all businesses across Canada, except provincially regulated businesses in Alberta, British Columbia and Québec, where provincial privacy laws apply to the private sector.

So we may have no more than a year to get ready. It is time to turn to compliance assurance with CPPA through five main measures.

1.     Develop a breach response plan

The unprecedented penalties instituted in C-11, from an administrative monetary penalty of up to $10 million or 3 percent of global annual revenue to a fine of up to $25 million or 5 percent of global annual revenue, are not for failing to safeguard information. Failure to safeguard personal information is a contravention of the CPPA and is subject to penalties, but in relation to breaches the heaviest fines apply to failure to report a breach to the Office of the Privacy Commissioner of Canada (OPC) or to notify affected individuals where there is a real risk of significant harm, as well as to failure to keep a record of security incidents.

The heaviest fines are therefore tied to failures in the governance mechanisms set up to make the right decisions should a breach occur: What is the escalation process when a breach is suspected or detected, so that the response is diligent? Who should sit on the breach response team for it to be effective? How will “real risk of significant harm” be assessed in your organisation? Who makes that assessment, and who decides whether to report to the OPC or notify individuals? Which service providers will you call, for example, to carry out the forensic investigation and remediation?

All these questions must be addressed in advance. The middle of a breach is not the time to set up the response process.

2.     Adopt a privacy management program

The current Personal Information Protection and Electronic Documents Act (PIPEDA) is essentially reproduced in the CPPA in relation to the development and implementation of privacy management programs. Procedures must be implemented to protect personal information, mechanisms must be set up to address requests and complaints, staff must be trained on the organisation’s privacy policies, and material must be developed to explain the organisation’s privacy compliance policies and procedures.

But the CPPA adds a clincher: the OPC will have the power to request access to an organization’s privacy management program, and the organization will have to comply. So make sure each of those components is actually adopted and documented.

Your privacy management program should also include a new feature: guidance to your staff (marketing and product development particularly come to mind) on what constitutes an “appropriate purpose”, as proposed in the CPPA, for processing personal information in your business.

3.     Designate an individual responsible for internal privacy compliance in your organization

This obligation already exists in PIPEDA, but as privacy management programs have gained in importance, so has the urgency of designating the right person to ensure privacy compliance in your organization. The choice must be carefully thought through. The position must be of a sufficiently high level to exercise authority in the organization. While the person does not have to be a privacy expert, they must be supported in that regard. Many organisations choose their general counsel as the individual responsible for privacy compliance, and it is a natural choice since it is a matter of legal compliance. The decision, however, must be grounded in what truly works best for each organisation. Positions responsible for the management and protection of personal information, such as Chief Technology Officer, Chief Information Officer or Chief Information Security Officer, cannot also hold responsibility for privacy compliance, as that would constitute a conflict of interest: the person who operates the systems should not be the person who assesses whether they comply.

4.     Review your privacy policies and consent forms

The proposed CPPA prescribes specific content for consent forms and privacy policies to support meaningful consent. Consent forms and privacy policies should therefore be reviewed to ensure they meet the requirements proposed in the CPPA. This includes the new obligation to provide a “general account” of your use of automated decision systems, as applicable. An “automated decision system” refers to “any technology that assists or replaces the judgment of human decision-makers”. The use of artificial intelligence, for example, helpful as it is in so many contexts, must therefore be described in an account made available to the public.

5.     Engage your entire organization in privacy compliance

Your staff is your first line of defence. Ensure you socialize the privacy management program and create a culture of privacy compliance in your organisation. As we have seen in so many high-profile breaches, no technological measure can compensate for human vulnerabilities.

Other measures are also advisable, such as considering developing a code of practice to be approved by the OPC; or getting privacy compliance certification; or exploring the potential of the use of de-identified information. But the five measures above are musts and the stakes are high. So, it is time to get ready.

Tags: Bill C-11, Breach response plan, consent forms, CPPA, Internal privacy compliance, Personal Information and Data Protection Tribunal Act, Privacy management program, privacy policies

About Chantal Bernier

Chantal Bernier leads Dentons’ Canadian Privacy and Cybersecurity practice group. She is also a member of the Firm’s Government Affairs and Public Policy group. Chantal advises leading-edge national and international companies as they expand into Canada and Europe, enter the e-commerce space, adopt data analytics and roll out data-based market initiatives. Her clients include ad tech companies, financial institutions, biotech companies, data analytics firms and government institutions.
