Continuity with PIPEDA
The PPCDA preserves fundamental aspects of PIPEDA, including:
- a balancing of the interests of individuals and organizations
- a consent-based regime as the primary authority for processing personal information
- rules generally drafted in a principles-based, risk-calibrated, technologically neutral fashion
- an accountability model pursuant to which organizations are responsible for personal information under their control
Key new features introduced by the PPCDA
The PPCDA introduces a range of new and materially enhanced features, including:
- an enforcement regime with potentially severe financial penalties, a private right of action, and order-making power for the regulatory authority
- clarified and expanded exceptions to consent, including for defined business activities and for processing based on legitimate interests (subject to compliance with strict obligations)
- provisions relating to de-identified and anonymized information, with clarification that anonymized information falls outside the application of the PPCDA
- strengthened and more prescriptive accountability requirements, including an obligation to implement a mandatory privacy management program
- clarification of the obligations on service providers
- statutory recognition of codes of practice and certification programs
- new individual rights: a right of disposal (deletion/anonymization) and a right of data mobility
- transparency provisions regarding automated decision systems, including a right to an explanation and written representations
Key updates from the CPPA (Bill C-27)
Although the PPCDA is substantially similar to the CPPA proposed in Bill C-27, it incorporates several material updates, summarized below.
PPCDA-specific changes from the CPPA/Bill C-27
- oversight and enforcement transferred to the new Digital Safety and Data Protection Commission of Canada (no standalone OPC or adjudicative tribunal for private sector privacy)
- no accompanying standalone legislation regulating artificial intelligence
- no standalone adjudicative tribunal to enforce the private sector privacy regime
- still no comprehensive privacy protection for personal information held by federal political parties
- personal information expressly includes inferred information about an identifiable individual (s. 2(1))
- enhanced focus on children: new statutory definition of “child” (under 18), children’s personal information included within definition of “sensitive” personal information, and requirement for the Commission, Commissioner and Division to consider “best interests of children” (ss. 2(1), 77(d), 86(d), 90(d))
- legitimate interests exception extends to disclosure as well as collection and use (s. 18(3))
- new requirement to conduct a privacy impact assessment and implement mitigating measures prior to transferring or disclosing personal information outside Canada (s. 57)
- new opportunity for individuals to make written representations contesting an automated decision system output (s. 63(6))
- failing to comply with the reasonable and appropriate purposes requirement for the collection, use and disclosure of personal information is now an enumerated contravention attracting administrative monetary penalties (AMPs) (ss. 12(1), (3), (4))
- new AMP factors: organization’s ability to pay and financial benefit obtained from contravention
- no preamble (unlike the lengthy preamble in the CPPA)
- removal of the CPPA’s proposed disclosure exceptions for “statistics, study or research purposes” and “socially beneficial purposes”