How Canada’s Consumer Privacy protection act impacts privacy practices of business organizations
With the open exchange of information online, Individual privacy has become the foremost requirement for all. Even Business organizations are under compulsion to safeguard the privacy of their employees.
In Canada, the federal government is keen on enforcing individual privacy. In November 2020, the Canadian government instituted a new law for individual privacy. This law called CPPA- Consumer Privacy Protection Law has a great impact on the privacy practices of business organizations.
The CPPA is the new act that supersedes the PIPEDA-Personal Information and Electronics Documents Act.
Let us see how the new Canadian Consumer Privacy Act overrides the PIPEDA to enforce more privacy in organizations.
- Heavy fines or penalties
Canada’s Privacy Protection Act levies heavy penalties for non-compliance of CPPA by business organizations. Fines are as high as 5% of the global revenue of $25 million whichever is higher. Breaching the Digital Privacy Act will cost more for any business organization.
- Sweeping powers to the Privacy Commissioner
Under the old PIPEDA, the Privacy Commissioner could only make recommendations if an organization breaches privacy.
But the CPPA gives the Privacy Commissioner broad and sweeping powers to give orders and penalties against such organizations.
- New Privacy Protection Tribunal
Nowthe Canadian government has formed a “ Personal Information and Data Protection Tribunal. This tribunal will hear the appeals from the Privacy Commissioner and levy the fines.
- The new Canadian Privacy law has global powers
Thenew CPPA has more powers as it applies to all personal information a company uses internationally.
- An individual has new rights of action
With the new CPPA, an individual has better rights of action. He can even sue an organization for compensation within 2 years if the breach of privacy. But this is only after the Privacy Commissioner confirms the violation and the tribunal upholds it.
- New rights for data deletion and data portability
Under the new CPPA, the individual has new rights to transfer or delete his data. A consumer can ask an organization to delete his personal data. Or request that it be transferred to some other company.
- Algorithms should be more transparent
The CPPA demands that the companies have transparent algorithms. Consumers can now ask for an explanation of an automated decision or prediction.
- Easy consent procurement from the individual
TheCPPAhasrelaxed the need for consent that an organization must get each time from an individual. For instance, for delivering a product or service, the company has to use the personal details of the individual. It cannot ask for his consent each time. These relaxations will have a huge impact on the privacy practices of companies.
- Limiting the use of unidentified data
The CPPA has new rules for use of de-identified data. While allowing companies to use the personal information of individuals without their consent in some cases, it limits the same elsewhere. Yet in some situations, an organization can disclose this private information for the cause of social benefit.
- Each organization to have its own privacy code of practice
The CPPA encourages organizations to have their own codes and certifications to comply with the privacy law. The Privacy Commissioner must approve this code. Then, it will establish the company’s legal obligation to comply with privacy.
The new Canadian Privacy law or CPPA has wrought sweeping reforms in the privacy practices of companies. Business organizations should seek the help of IP law firms in understanding the full extent of the CPPA. Only then can they comply with this new privacy law effectively.