- The Canadian data protection commissioner is about to be empowered with a strict new law.
- Called the CPPA, the law is still in the proposal and consideration phase, but it looks stricter than the GDPR.
- The most significant change is the enforcement part, which finally includes imposing penalties.
The Canadian data protection office is looking to update the outdated “Protection and Electronic Documents Act” (PIPEDA), which was introduced back in 2000, with a new “Consumer Privacy Protection Act” (CPPA) that is going to be in sync with current developments. Clearly, much has changed in two decades, and legislators couldn’t have foreseen today’s requirements.
Thankfully for them, they have the European GDPR to build upon, so they won’t have to work from scratch – and it looks like they’re going for something even stricter.
Starting with the fines for violating the law, the proposal for CPPA is to set them to 5% of the firm’s global revenue, which is 1% higher than what is suggested by the GDPR. As for the fixed penalty, this can reach up to $25 million.
The violations that can incur such fines concern failure to comply with security breach incident disclosure to the authorities, failure to comply with data retention requirements, sanctioning a whistleblower, and identifying someone using de-identified data.
Another point where the CPPA is stricter than the GDPR is the prediction algorithms used by marketers and advertisers to generate and deliver recommendations to users. The Canadian office wants to enforce transparency regarding how these algorithms work, so they include a provision that enables an individual to request details about this. GDPR’s Article 22 does not include such a provision and only mentions the right to be excluded from being subject to automated data processing.
The law proposal also takes care of the currently problematic enforcement model, which is admittedly weak. The Privacy Commissioner of Canada will get more power with the new law, ordering compliance and recommending penalties for those who fail to follow the recommended practices. The Commissioner was limited to non-binding findings until now, having no legal power to take punitive action at a follow-up stage.
These CPPA points may be modified lightly or heavily in the near future, as we’re at an early stage in the development of the law right now, so there’s nothing concrete yet. What is certain is that it’s going to be a huge overhaul of PIPEDA – and one that has long been needed. For the time being, experts are analyzing the text of the first proposal, trying to locate problematic or legally complicated points that could call for revisions.