Canada’s new proposed privacy law, the CPPA, would be a major overhaul of PIPEDA. The draft law is designed to address the new challenges of protecting personal information that arise from major increases in the collection, use and disclosure of personal information and from its use in AI systems, IoT, big data analytics and many other technologies and processes. While the law is intended to balance individuals’ reasonable expectations of privacy against the legitimate interests of organizations, it falls short in many ways. A summary of the CPPA and the criticisms that organizations have leveled against it are set out in the slides below. The Privacy Commissioner and others believe that the CPPA is flawed and needs to be further strengthened.
The slides highlight the major differences between the CPPA and PIPEDA and between the CPPA and the GDPR and in particular the ways the CPPA is more onerous than the GDPR. Many highlights are depicted in yellow redlines against PIPEDA in the slides.
The criticisms of the CPPA that I believe hit the mark are summarized below.
- PIPEDA is principle-based and flexible; the CPPA is more prescriptive and rule-based, e.g. on consents
- The CPPA creates ambiguous new standards that are complex and too difficult to apply, e.g. the appropriate purposes limitation, the standards and exceptions for consent, the explainability of decisions and predictions made using automated decisions, and what counts as a commercial activity
- The CPPA is more onerous than international standards, including even aspects of the GDPR, e.g. consent and the exceptions to consent such as for R&D, de-identified information, automated decisions, the disposal/erasure of data, and service provider obligations
- The CPPA creates obligations that eschew or challenge technological means of compliance, e.g. the disposal of information
- The CPPA has unbalanced enforcement provisions: some monetary penalties harsher than the GDPR’s, new order-making powers for the OPC, weak procedural protections before the OPC with no division of responsibilities between investigators and adjudicators, weak oversight by the new Tribunal, and new private rights of action and class action risks
- The CPPA could impede risk taking and innovation with its new enforcement regime, especially because that regime is combined with ambiguous and prescriptive standards that in important instances are more onerous than under the GDPR, and with remedial order-making powers that let the OPC shut down businesses based on its own view of those ambiguous standards. Such orders will be virtually unappealable to the Tribunal because of the palpable and overriding error standard of review
- The CPPA is not interoperable with the GDPR, provincial or other international standards
- Overall, the balance in the CPPA requires recalibration to promote privacy without impeding innovation or prejudicing Canadian-based businesses