Day One: Tuesday, April 27, 2021
10:00 EDT
15 min Welcome and Opening Remarks from the Chairs
10:15 EDT
60 min The New Legislation: Expectations, Highlights and Hot Spots
Moderator: Imran Ahmad, Partner, Norton Rose Fulbright Canada LLP
Catherine Stephen, Assistant General Counsel, RBC Law Group, Royal Bank of Canada
- Digital Charter Implementation Act, 2020
- Repeal of part of PIPEDA
- Enacting the new Consumer Privacy Protection Act (CPPA or Act) and the new Personal Information and Data Protection Tribunal Act (PIDPTA)
- Enactment of new Tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA
- Power of the Tribunal to impose penalties for contravention of certain provisions
- Creation of new and enhanced obligations for private sector organizations including:
- Inclusion of the much criticized Schedule of Privacy Principles into substantive provisions in the body of the Act
- New scope – who does the Act apply to?
- New definition of “commercial activity”
- Governor in Council may exempt organizations where “substantially similar” provincial privacy legislation applies, exemption applies only to that province
- CPPA will apply to personal information that is collected, used or disclosed interprovincially or internationally
11:15 EDT
60 min The New Reformed Consent Regime
- Review of current privacy framework which regulates consent and the type of challenges for businesses dealing with the “notice and choice” approach, which is the legal basis for collecting, using and sharing personal information in the private sector
- C-11 changes to the consent requirements impacting the notion of “valid consent” and new consent exemptions that allow personal information to be collected, used and disclosed including “plain language” and transparency requirements.
- Risks triggered from recent proposed changes, including ones relating to the notion of “de-identified” data and prospective business transactions
- Opportunities for innovation triggered by recent proposed changes to the notion of “consent” in the context of research and development and the sharing of information for socially beneficial purposes
- A review of recent 2020 OPC findings relating to consent and whether these findings would be impacted by C-11
- Differences between C-11 and Quebec Bill 64 on the issue of consent
12:15 EDT
45 min Break
13:00 EDT
60 min New Transparency Requirements for Automated Decision-making Systems - Requiring Businesses to Explain How Algorithms and Artificial Intelligence Are Utilized
- The growing use of artificial intelligence (AI) in profiling, facial recognition technologies, and in automated decision-making
- Questions raised about the rights of individuals to know how their personal information is being used, to understand how it impacts them, and to have recourse against abuse
- Organizations required to provide upfront a “general account” of their use of “any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” (s. 62(1)(c))
- The individual right of access to one’s personal information will also include a right to an explanation of any prediction, recommendation or decision made using an automated decision system.
14:00 EDT
15 min Break
14:15 EDT
60 min Third-party Codes of Practice and Certification Programs
Sylvia Kingsmill, Partner, KPMG
Kenzie Gregory, Senior Consultant, Privacy, Regulatory & Information Management, KPMG
- Any entity may apply to the Privacy Commissioner of Canada for approval of a Code of Practice
- The Code of Practice must provide for substantially the same or greater protection of personal information as some or all of the protections provided for by the CPPA
- Any entity may also apply to the Commissioner for approval of a certification program with specified requirements, including:
- A code of practice
- A mechanism to certify compliance with the code of practice
- A mechanism for the entity to audit compliance with the code of practice
- Disciplinary measures for non-compliance, including revocation of a certification, and
- Any other requirements that may be provided for by regulation
- A certified entity can operate with an approved certification program and work with those with approved certification programs, including enforcement activities
- The Privacy By Design Certification Program
15:15 EDT
60 min Creating a Privacy Management Program to Ensure Compliance
- The obligation to create a privacy management program, with policies, practices and procedures to ensure compliance with the CPPA
- Responding to access requests
- Staff training
- Data portability rights to give individuals greater control over the transfer of their personal information from one organization to another
- Creation of frameworks for “data portability” so an individual can “port” their data from one service provider to another
- The Canadian approach to data portability in C-11 is to enable data portability between companies in a particular sector or industry
- In certain instances, individuals will be able to request that their personal data be disclosed to other organizations
- The details of the data mobility scheme to be set out in regulation
16:15 EDT
End of Day One
Day Two: Wednesday, April 28, 2021
10:00 EDT
15 min Welcome and Opening Remarks from the Chairs
10:15 EDT
45 min Stronger Enforcement Regime, Serious Penalties and Private Right of Action
- Currently, the Commissioner does not have the power to make orders after findings of non-compliance
- The CPPA would give the Commissioner the power to make orders requiring organizations to conform with and stop contravening the CPPA, comply with a compliance agreement or make public measures taken to correct privacy practices.
- If after completing an inquiry the Commissioner finds that an organization has contravened one or more specified provisions of the CPPA, the Commissioner would be able to recommend that a newly created Personal Information and Data Protection Tribunal impose a monetary penalty of up to C$10-million or three per cent of the organization’s total global revenues for the prior financial year.
- This Tribunal would be composed of three to six members appointed by the Governor in Council on the recommendation of the Minister of Innovation, Science and Industry.
- Greater fines are possible for various offences under the CPPA
- A private right of action would be available for an individual who suffered damages or injury caused by a contravention of the Act for which the organization has been the subject of an adverse finding by the Commissioner or Tribunal
11:00 EDT
45 min Open Banking: the First Test of Mobility/Portability Rights
- The right to data mobility is part of an international trend to give the individual more control over his or her data and stimulate competition
- The right to transfer personal information from one organization to another
- Does an individual have a right to his or her own personal data?
- Will data portability be regulated in the future?
- Restrictions currently in place
- Which organizations will be subject to data mobility frameworks?
- What information is included?
- Does the disclosing organization have the right to keep the information?
- What will organizations subject to data mobility frameworks need to do to prepare?
11:45 EDT
45 min Break
12:30 EDT
45 min The Right to Erasure: Duty to Allow Individuals to Request That the Organization Dispose of Their Personal Information
David Goodis, Partner, INQ Law; Former Assistant Commissioner, IPC Ontario
- Purpose/Importance of Right to Erasure
- Current Law Under PIPEDA
- New CPPA/Bill C-11 Right to Erasure
- Scope of Right: Organization’s Duty
- Exceptions and Limitations to the Right
13:15 EDT
45 min How Will the New Acts Interact With GDPR
No matter the size of a business, it’s possible to have an international client base. With this in mind, it’s important for businesses to consider the implications of GDPR if they interact with or target European individuals.
Ollie will walk through how the new act interacts with the GDPR, which is now approaching its 3rd anniversary. Ollie will also explore the similarities and differences and whether the new provisions will allow a more harmonious approach to data compliance to be adopted between Canada and Europe.
14:00 EDT
15 min Break
14:15 EDT
45 min How Will the New Act Interact With Other Canadian Acts
Stephen Burns, Partner, Bennett Jones LLP
Danielle Miller Olofsson, Chief Access to Information and Privacy, Hydro Quebec
15:00 EDT
45 min The Tribunal – What Will Tribunal Proceedings Look Like?
- How will the Tribunal work?
- How will the Tribunal process differ from the current PIPEDA regime?
- What orders can the Tribunal make?
- The relationship between the Tribunal and the courts
15:45 EDT
15 min Wrap Up and Take-Aways
16:00 EDT
End of Day Two