Day One: Tuesday, April 27, 2021
10:00 EDT, 15 min
10:15 EDT, 45 min
11:00 EDT, 60 min
- Digital Charter Implementation Act, 2020
- Repeal of part of PIPEDA
- Enacting the new Consumer Privacy Protection Act (CPPA or Act) and the new Personal Information and Data Protection Tribunal Act (PIDPTA)
- Enactment of new Tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA
- Power of the Tribunal to impose penalties for contravention of certain provisions
- Creation of new and enhanced obligations for private sector organizations including:
- Inclusion of the much-criticized Schedule of Privacy Principles into substantive provisions in the body of the Act
- New scope – who does the Act apply to?
- New definition of “commercial activity”
- Governor in Council may exempt organizations where “substantially similar” provincial privacy legislation applies; the exemption applies only to that province
- CPPA will apply to personal information that is collected, used or disclosed interprovincially or internationally
12:00 EDT, 45 min
12:45 EDT, 45 min
- Review of current privacy framework which regulates consent and the type of challenges for businesses dealing with the “notice and choice” approach, which is the legal basis for collecting, using and sharing personal information in the private sector
- C-11 changes to the consent requirements impacting the notion of “valid consent” and new consent exemptions that allow personal information to be collected, used and disclosed including “plain language” and transparency requirements.
- Risks triggered from recent proposed changes, including ones relating to the notion of “de-identified” data and prospective business transactions
- Opportunities for innovation triggered by recent proposed changes to the notion of “consent” in the context of research and development and the sharing of information for socially beneficial purposes
- A review of recent 2020 OPC findings relating to consent and whether these findings would be impacted by C-11
- Differences between C-11 and Quebec Bill 64 on the issue of consent
13:30 EDT, 45 min
- The growing use of artificial intelligence (AI) in profiling, facial recognition technologies, and in automated decision-making
- Questions raised about the rights of individuals to know how their personal information is being used, to understand how it impacts them, and to have recourse against abuse
- Organizations required to provide upfront a “general account” of their use of “any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” (s. 62(1)(c))
- The individual right of access to one’s personal information will also include a right to an explanation of any prediction, recommendation or decision made using an automated decision system.
14:15 EDT, 15 min
14:30 EDT, 45 min
- Any entity may apply to the Privacy Commissioner of Canada for approval of a Code of Practice
- The Code of Practice must provide for substantially the same or greater protection of personal information as some or all of the protections provided for by the CPPA
- Any entity may also apply to the Commissioner for approval of a certification program with specified requirements, including:
- A code of practice
- A mechanism to certify compliance with the code of practice
- A mechanism for the entity to audit compliance with the code of practice
- Disciplinary measures for non-compliance, including revocation of a certification, and
- Any other requirements that may be provided for by regulation
- A certified entity can operate with an approved certification program and work with those with approved certification programs, including enforcement activities
- The Privacy By Design Certification Program
15:15 EDT, 60 min
- The obligation to create a privacy management program: policies, practices and procedures to ensure compliance with CPPA
- Responding to access requests
- Staff training
- Data portability rights to give individuals greater control over the transfer of their personal information from one organization to another
- Creation of frameworks for “data portability” so an individual can “port” their data from one service provider to another
- The Canadian approach to data portability in C-11 is to enable data portability between companies in a particular sector or industry
- In certain instances, individuals will be able to request that their personal data be disclosed to other organizations
- The details of the data mobility scheme to be set out in regulation
End of Day One
Day Two: Wednesday, April 28, 2021
10:00 EDT, 15 min
10:15 EDT, 45 min
- Currently, the Commissioner does not have the power to make orders after findings of non-compliance
- The CPPA would give the Commissioner the power to make orders requiring organizations to conform with and stop contravening the CPPA, comply with a compliance agreement or make public measures taken to correct privacy practices.
- If after completing an inquiry the Commissioner finds that an organization has contravened one or more specified provisions of the CPPA, the Commissioner would be able to recommend that a newly created Personal Information and Data Protection Tribunal impose a monetary penalty of up to C$10-million or three per cent of the organization’s total global revenues for the prior financial year.
- This Tribunal would be composed of three to six members appointed by the Governor in Council on the recommendation of the Minister of Innovation, Science and Industry.
- Greater fines are possible for various offences under the CPPA
- A private right of action would be available for an individual who suffered damages or injury caused by a contravention of the Act for which the organization has been the subject of an adverse finding by the Commissioner or Tribunal, or where the
11:00 EDT, 45 min
Mobility/Portability Rights
- The right to data mobility is part of an international trend to give the individual more control over his or her data and stimulate competition
- The right to transfer personal information from one organization to another
- Does an individual have a right to his or her own personal data?
- Will data portability be regulated in the future?
- Restrictions currently in place
- Which organizations will be subject to data mobility frameworks?
- What information is included?
- Does the disclosing organization have the right to keep the information?
- What will organizations subject to data mobility frameworks need to do to prepare?
11:45 EDT, 45 min
12:30 EDT, 45 min
- Purpose/Importance of Right to Erasure
- Current Law Under PIPEDA
- New CPPA/Bill C-11 Right to Erasure
- Scope of Right: Organization’s Duty
- Exceptions and Limitations to the Right
13:15 EDT, 45 min
No matter the size of a business, it’s possible to have an international client base. With this in mind, it’s important for businesses to consider the implications of GDPR if they interact with or target European individuals.
Ollie will walk through how the new act interacts with the GDPR which is now approaching its 3rd anniversary. Ollie will also explore the similarities and differences and whether the new provisions will allow a more harmonious approach to data compliance to be adopted between Canada and Europe.
14:00 EDT, 15 min
14:15 EDT, 45 min
15:00 EDT, 45 min
- How will the Tribunal work?
- How will the Tribunal process differ from current PIPEDA regime?
- What orders can the Tribunal make?
- The relationship between the Tribunal and the courts
15:45 EDT, 45 min
Q & A, Wrap Up and Take-Aways
End of Day Two