Canada Considers New Privacy Legislation

Posted · Add Comment

In several countries around the world, lawmakers are grappling with how to protect the privacy of their citizens’ data. In other countries with well-established data privacy laws, measures are under consideration to bolster existing laws.  Canada is one such country where the proposed Digital Charter Implementation Act, 2020, otherwise known as “Bill C-11”, is before Parliament. If passed, Bill C-11 will create the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”), implementing broad rights-driven changes to data privacy in Canada – with actionable consequences for companies that conduct business in the country.

What is the scope of the CPPA?

The CPPA would apply to any Canadian organization that collects individuals’ data. It adopts the existing Ten Data Privacy Principles of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and would create new compliance requirements for organizations operating in Canada. 

How will the CPPA be enforced?

The CPPA strengthens the federal Privacy Commissioner’s power for investigation and enforcement and establishes financial penalties for violations of the Act amounting to the higher of $10 million or 3% of the organization’s global turnover in the financial year prior to the year in which the penalty is imposed. It would also create a private right of action for violations occurring within the previous two years. 

What does it mean to acquire valid consent?

The CPPA also specifies how organizations must acquire valid consent for the collection and use of personal data.  Generally, an organization must obtain an individual’s express consent and clearly disclose:

  • The purposes for the collection, use, or disclosure of personal information determined by the organization;
  • The way in which the personal information is to be collected, used, or disclosed;
  • Reasonable, foreseeable consequences of the collection, use, or disclosure of personal information when obtaining consent from an individual;
  • The specific type of personal information that is to be collected, used and disclosed; and
  • The names or types of third parties to which the organization may disclose personal information when obtaining consent from an individual.
What does this mean for the use of artificial intelligence in hiring?

If an organization uses algorithm-driven decision making, such as artificial intelligence, in hiring, the CPPA also requires that an organization explain why a specific prediction, recommendation, or decision was made by an algorithm based on the individual’s personal data. Organizations must also retain for a sufficient period of time the personal information used in algorithm-driven decisions, to permit the individual to make an access request.

What rights do individuals have under the CPPA?

Individuals are also afforded the rights to request that an organization directly transfer their personal information from the originating organization to another entity. Individuals may also request that their data is disposed in accordance with the CPPA. 

What’s next?

While it’s premature for employers to make any substantive changes to their privacy or security processes in Canada, it’s not too early to start planning for the possible passage of Bill C-11.  Employers are encouraged to inventory their Canadian data handling practices in anticipation of possible changes to the law.


Look for more updates on this and other compliance issues on the HireRight blog, and explore our compliance white papers and webinars on-demand in our Resource Library.

Alonzo Martinez

Alonzo Martinez

Alonzo Martinez is Associate Counsel, Compliance at HireRight. Mr. Martinez is responsible for monitoring and advising on key legislative and regulatory developments globally affecting HireRight’s service delivery. His work is focused on ensuring HireRight’s performance as a consumer reporting agency and data processor complies with relevant legal, regulatory, and data furnisher requirements. Mr. Martinez obtained his Juris Doctorate from the University of Colorado, and is licensed by the Supreme Court of the State of Colorado. He is a member of the Colorado Bar Association Employment Law Division, the Association of Corporate Counsel, and the Professional Background Screening Association.

More Posts

Comments

comments

Comments are closed.