Day One: Tuesday, April 27, 2021

10:15 EDT

60 min
Imran Ahmad Molly Reynolds

The New Legislation: Expectations, Highlights and Hot Spots

Moderator: Imran Ahmad, Partner, Norton Rose Fulbright Canada LLP

Catherine Stephen, Assistant General Counsel, RBC Law Group, Royal Bank of Canada

Molly Reynolds, Counsel, Torys

  • Digital Charter Implementation Act, 2020
  • Repeal of part of PIPEDA
  • Enacting the new Consumer Privacy Protection Act (CPPA or Act) and the new Personal Information and Data Protection Tribunal Act (PIDPTA),
  • Enactment of new Tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA
  • Power of the Tribunal to impose penalties for contravention of certain provisions
  • Creation of new and enhanced obligations for private sector organizations including:
    • Inclusion of the much criticized Schedule of Privacy Principles into substantive provisions in the body of the Act
    • New scope – who does the Act apply to?
    • New definition of “commercial activity”
  • Governor in Council may exempt organizations where “substantially similar” provincial privacy legislation applies, exemption applies only to that province
  • CPPA will apply to personal information that is collected, used or disclosed interprovincially or internationally

11:15 EDT

60 min
Eloise Gratton

The New Reformed Consent Regime

Eloise Gratton, Partner and National Co-leader, Privacy and Data Protection Group, Borden Ladner Gervais LLP

  • Review of current privacy framework which regulates consent and the type of challenges for businesses dealing with the “notice and choice” approach, which is the legal basis for collecting, using and sharing personal information in the private sector
  • C-11 changes to the consent requirements impacting the notion of “valid consent” and new consent exemptions that allow personal information to be collected, used and disclosed including “plain language” and transparency requirements.
  • Risks triggered from recent proposed changes, including ones relating to the notion of “de-identified” data and prospective business transactions
  • Opportunities for innovation triggered by recent proposed changes to the notion of “consent” in the context of research and development and the sharing information for socially beneficial purposes
  • A review of recent 2020 OPC findings relating to consent and whether these findings would be impacted by C-11
  • Differences between C-11 and Quebec Bill 64 on the issue of consent

12:15 EDT

45 min


13:00 EDT

60 min
Carole Piovesan Noel Corriveau

New Transparency Requirements for Automated Decision-making Systems - Requiring Businesses to Explain How Algorithms, Artificial Intelligence Are Utilized

Carole Piovesan, Managing Partner, INQ Law

Noel Corriveau, Senior Counsel, INQ Law

  • The growing use of artificial intelligence (AI) in profiling, facial recognition technologies, and in automated decision-making
  • Questions  raised about the rights of individuals to know how their personal information is being used, to understand how it impacts them, and to have recourse against abuse
  • Organizations required to provide upfront a “general account” of their use of “any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” (s. 62(1)(c))
  • The individual right of access to one’s personal information will also include a right to an explanation of any prediction, recommendation or decision made using an automated decision system.

14:00 EDT

15 min


14:15 EDT

60 min
Sylvia Kingsmill

Third-party Codes of Practice and Certification Programs

Sylvia Kingsmill, Partner, KPMG

Kenzie Gregory, Senior Consultant, Privacy, Regulatory & Information Management, KPMG

  • Any entity may apply to the Privacy Commissioner of Canada for approval of a Code of Practice
  • The Code of Practice must provide for substantially the same or greater protection of personal information as some or all of the protections provided for by the CPPA
  • Any entity may also apply to the Commissioner for approval of a certification program with specified requirements, including:
    • A code of practice
    • A mechanism to certify compliance with the code of practice
    • A mechanism for the entity to audit compliance with the code of practice
    • Disciplinary measures for non-compliance, including revocation of a certification, and
    • Any other requirements that may be provided for by regulation
  • A certified entity can operate with an approved certification program and work with those with approved certification programs, including enforcement activities
  • The Privacy By Design Certification Program

15:15 EDT

60 min

Creating a Privacy Management Program to Ensure Compliance

Elspeth M. Williams, Associate General Counsel, City of Saint John; Former General Counsel, Global Compliance, McCain Foods Limited

  • The obligation to create a privacy management program policies, practices and procedures to ensure compliance with CPPA
  • Responding to access requests
  • Staff training
  • Data portability rights to give individuals greater control over the transfer of their personal information from one organization to another
  • Creation of frameworks for “data portability” so an individual can “port” their data from one service provider to another
  • The Canadian approach to data portability in C-11 is to enable data portability between companies in a particular sector or industry
  • In certain instances, individuals will be able to request that their personal data be disclosed to other organizations
  • The details of the data mobility scheme tobe set out in regulation

16:15 EDT

End of Day One

Day Two: Wednesday, April 28, 2021

10:15 EDT

45 min
Wendy Wagner Julie Himo

Stronger Enforcement Regime, Serious Penalties and Private Right of Action

Wendy Wagner, Partner, Gowling

Julie Himo, Partner, Norton Rose Fulbright LLP

  • Currently, the Commissioner does not have the power to make orders after findings of non-compliance
  • The CPPA would give the Commissioner the power to make orders requiring organizations to conform with and stop contravening the CPPA, comply with a compliance agreement or make public measures taken to correct privacy practices.
  • If after completing an inquiry the Commissioner finds that an organization has contravened one or more specified provisions of the CPPA, the Commissioner would be able to recommend that a newly created Personal Information and Data Protection Tribunal impose a monetary penalty of up to C$10-million or three per cent of the organization’s total global revenues for the prior financial year.
  • This Tribunal would be composed of three to six members appointed by the Governor in Council on the recommendation of the Minister of Innovation, Science and Industry.
  • Greater fines are possible for various offences under the CPPA
  • A private right of action would be available for an individual who suffered damages or injury caused by a contravention of the Act for which the organization has been the subject of an adverse finding by the Commissioner or Tribunal

11:00 EDT

45 min
Kirsten Thompson

Open Banking: the First Test of Mobility/ Portability Rights

Kirsten Thompson, Partner, National Lead of Transformative Technologies and Data Strategy Group, Dentons Canada LLP

  • The right to data mobility is part of an international trend to give the individual more control over his or data and stimulate competition
  • The right to transfer personal information from one organization to another
  • Does an individual have a right to his or her own personal data?
  • Will data portability be regulated in the future?
  • Restrictions currently in place
  • Which organizations will be subject to data mobility frameworks?
  • What information is included?
  • Does the disclosing organization have the right to keep the information?
  • What will organizations subject to data mobility frameworks need to do the prepare?

11:45 EDT

45 min


13:15 EDT

45 min
Ollie Dent

How Will the New Acts Interact With GDRP

Ollie Dent, Partner, Kennedys Law LLP

No matter the size of a business, it’s possible to have an international client base. With this in mind, it’s important for businesses to consider the implications of GDPR if they interact with or target European individuals.

Ollie will walk through how the new act interacts with the GDPR which is now approaching its 3rd anniversary. Ollie will also explore the similarities and differences and whether the new provisions will allow a more harmonious approach to data compliance to be adopted between Canada and Europe.

14:00 EDT

15 min


16:00 EDT

End of Day Two