Canada has suffered several cyberattacks in the recent past. On top of that, the pandemic has pushed companies to take most of their business online, which makes them susceptible to increased cyberattacks and data breaches. Last year, about 61,000 small to midsized enterprises (SMEs) fell victim to cyberfraud according to a survey conducted by the Canadian Federation of Independent Business (CFIB). Moreover, due to the impact of targeted ransomware attacks, the average demand for ransom jumped by 33% from Q4 2019 to CA$148,700 in Q1 2020 according to the National Cyber Threat Assessment 2020 by the Canadian Centre for Cyber Security.
As a consequence, the Consumer Privacy Protection Act (CPPA) has been proposed in the Canadian parliament in an attempt to enhance data security, prevent data breaches and provide greater transparency to users about how businesses utilize their personal data.
What is the CPPA?
On 7 November 2020, Bill C-11 —or the Digital Charter Implementation Act (DCIA), composed of the CPPA and the Personal Information and Data Protection Tribunal Act (PIDPTA)— was proposed in the House of Commons. The government has estimated that it will take approximately 18 months for the CPPA to become law and replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA aims to combat cyberattacks and establish a new private-sector data privacy law around the disclosure and use of personal data, whilst maintaining PIPEDA’s governing principles.
While the act hasn’t been passed yet, in this article we’ll explore its implications for businesses if it does become law. This can help organizations become better equipped to manage upcoming changes to data privacy laws.
Why is data compliance important?
Data compliance is important to oversee the protection of the personal information of Canadian citizens. According to a study conducted by the CFIB, over a quarter of firms have been the victims of cyberattacks since March 2020, with 5% stating that the attack on them had been successful.
In such a scenario, data protection and data management become high-priority tasks. Not only does data protection prevent data misuse for fraud, phishing, and theft, it also helps organizations with the following:
- Building client trust in your business:Businesses need to protect their data from security risks in order to prosper. Despite the fact that various data privacy regulations are often similar, companies must carefully evaluate each new legislation to ensure compliance and earn the trust of their customers.
- Safeguarding your business from data breaches: Protecting a company’s data is not only a legal formality, it is also critical to keep data from being misused and misinterpreted. When a data breach occurs, businesses risk damaging their brand reputation and losing out on consumer loyalty. With compliance management, regular risk assessments, and periodic audits, businesses can minimize the risk of data breaches.
- Protecting your business from complaints: An upcoming piece of legislation, the PIDPTA, has been proposed in parliament to enhance data protection laws. This act aims to provide Canadians with clearer and more controllable access to their personal information and also ensure that business owners can be sued directly for mishandled data incidents.
Data protection enforcement changes under the CPPA
Several changes to the existing infrastructure have been proposed under the new act. The Privacy Commissioner of Canada provides privacy priorities and guidance on how to safeguard data, and acting upon advice from the Office of the Privacy Commissioner of Canada (OPC), the Personal Information and Data Protection Tribunal, established under the CPPA in its proposed form, will have the authority to impose penalties and fines.
Non-compliant businesses may face administrative fines of up to 3% of worldwide sales or CA$10 million levied by the OPC. Non-compliance can also result in fines of up to 5% of an organization’s annual sales, or CA$25 million. To avoid these penalties, businesses can automate the implementation process of administering compliance requirements, process and workflow implementation, risk management, and overall compliance management through the use of compliance management software.
The following section will outline the requirements set out in the current draft of the proposed legislation so that SMEs can begin to prepare for compliance.
How will the CPPA impact businesses?
The CPPA is expected to be implemented in all businesses that gather, utilize, or disclose personal data. The proposed legislation may expand the data responsibilities placed on organizations by requiring them to create a plan for privacy management and data protection. Here are a few things to keep in mind when it comes to the CPPA and how it may affect your business:
1. Protection of internal data
The CPPA aims to overhaul the present PIPEDA structure and hold companies entirely accountable for the security of the personal information they collect, use, or disclose, whether for themselves or a third party. Similar in essence to Europe’s General Data Protection Regulation (GDPR), the draft legislation features greater enforcement capabilities and significantly harsher punishments for anyone who breaches the law.
2. Data mobility and disposal rights for consumers
The CPPA, like the PIPEDA, contains provisions that will allow individuals to access, update, and dispose of their personal information. This right of disposal would allow users to request that a website delete their personal data, and the right to data mobility would offer users the option to move their personal information from one organization to another. The current draft of the CPPA also states that any modifications to such information would have to be notified to the third parties who hold access to a user’s personal data.
3. Transparency of algorithms used
Under the proposed CPPA, individuals will have the right to an explanation for any forecasts or decisions made by automated decision-making systems. If any organization uses techniques like machine learning, predictive analytics, and regression analysis to make a forecast, decision, or suggestion to the users, then that organization shall be required to provide an explanation of how the results were obtained.
4. New data de-identification guidelines
New regulations governing de-identification (a method of preventing the disclosure of a user’s personal information) may be imposed on businesses. Different technological and administrative processes can be used to de-identify personal information. According to the current draft of the CPPA, one way to deal with personal data which is no longer required for identification purposes is to make it anonymous. In addition, businesses would need to safeguard such personal information while also stating the restricted circumstances in which it may be used without a consumer’s permission.
If enacted as currently drafted, the CPPA could have significant financial consequences for businesses found to be non-compliant. It is critical that private-sector organizations become familiar with the proposed legislation in order to ensure that their policies and procedures are updated to reflect these potential changes. By understanding Canada’s CPPA, businesses can ensure they are compliant with the regulations and better prepare themselves for upcoming changes.
This document, while intended to inform our clients about the current data privacy and security challenges experienced by companies in the Canadian marketplace,
in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.