Published: 29 Dec 2022
Canada Digital Privacy Act: A Quick Overview
Content
1. An Overview of Digital Privacy in Canada
2. What is Canada Digital Privacy Act?
3. Key Features of the Canada Digital Privacy Act
4. Canada Digital Privacy Act – What Digital Businesses Should Know?
5. Canada Digital Privacy Law Enforcement & Underlying Fines
6. Conclusion
7. How TestingXperts Digital Testing services Help Canadian Businesses Become Compliant?
Canada has one of the world’s most comprehensive and restrictive privacy and anti-spam regimes. National and provincial privacy legislation covering both the private and public sectors governs these regimes and policies. Regulated Canadian entities in all the major sectors, such as banking, insurance, healthcare, transportation, etc., must adhere to the rules and principles of the Canada Digital Privacy Act.
After Bill C-11 for the Digital Charter Implementation Act 2020 (‘DCIA’) failed to see the light of day on August 15, 2021, a new bill to reform Canada’s private sector privacy law was introduced on June 16, 2022. Bill C-27 for the Digital Charter Implementation Act 2022 is divided into three parts, each aimed at enacting a new Act, namely:
• The Consumer Privacy Protection Act
• The Personal Information and Data Protection Tribunal Act
• The Artificial Intelligence and Data Act
Bill C-27 is now under consideration in the Canadian Parliament.
The proposed Consumer Privacy Protection Act will address the needs of Canadians who rely on digital technology and respond to feedback received on previously proposed legislation. This law will ensure that the privacy of Canadians will be protected and that innovative businesses can benefit from clear rules as technology continues to evolve. This includes:
• The requirement to make information readily available, in plain language, that explains the organization’s privacy policies and practices
• Increasing control and transparency when organizations handle Canadians’ personal information
• Giving Canadians the freedom to move their information from one organization to another in a secure manner
• Ensuring that Canadians can request that their information be disposed of when it is no longer needed
• Establishing stronger protections for minors by limiting organizations’ right to collect or use the information on minors and holding organizations to a higher standard when handling minors’ information
• Providing the Privacy Commissioner of Canada with broad order-making powers, including the ability to order a company to stop collecting data or using personal information
• Establishing significant fines for non-compliant organizations—with penalties of up to 5% of global revenue or $25 million, whichever is greater, for the most severe offences.
• Businesses are prohibited from using false or misleading information or deceptive practices to obtain consent.
• Businesses should implement a comprehensive privacy management program, including policies, practices, and procedures.
• Businesses should determine at or before the time of the collection each of the purposes for which the personal information is to be collected, used, or disclosed and record those purposes.
• For any new purpose, businesses must record the purpose of collecting data before using or disclosing that information.
• Data collection should be limited to only the personal information necessary for the purposes determined and recorded.
• Businesses are prohibited from using or disclosing personal information for a purpose other than one that was determined and recorded, unless valid consent is obtained.
• Organizations must obtain an individual’s valid consent for collecting, using or disclosing the individual’s personal information unless an exception applies.
• Businesses are prohibited from demanding consent as a condition of the supply of a product or service (beyond what is necessary to provide the product or service).
• Upon receiving a request to withdraw consent, businesses must inform the individual of the consequences of the withdrawal of their consent and, as soon as feasible after that, cease the collection, use, or disclosure of the individual’s personal information.
• Businesses are prohibited from retaining personal information longer than necessary to fulfill purposes or comply with the law, plus an obligation to dispose of the information as soon as feasible after that period.
• Organizations should protect personal information through physical, organizational, and technological security safeguards proportionate to the sensitivity of the data.
• Businesses must notify affected individuals of a breach if it creates a potential risk.
The CPPA (Consumer Privacy Protection Act) grants the Privacy Commissioner of Canada broad order-making powers and prescribes significant administrative penalties up to CAD 10 million or 3% of global revenue. Fines are augmented in cases of serious contravention resulting in offences that may attract a maximum penalty of CAD 25 million or 5% of global revenue. Additionally, a new private right of action is provided to individuals who suffer losses due to the CPPA violation. Consent remains crucial, but the CPPA lifts some burden on the individual to understand and give consent by focusing more on the organization’s accountability and transparency.
For example, the CPPA introduces a new requirement for an organization to implement a privacy management program. When planning such a program, the organization must consider the volume and sensitivity of the personal information under its control. The Commissioner may access the policies, practices, and procedures developed under the privacy management program and, after reviewing them, provide guidance or recommendations to the organization.
Bill C-27 strives to modernize the existing federal privacy framework and emphasizes both the privacy rights of Canadians and the benefits of data collection. With ever-progressing technology and advances in storage and computing, it is essential that businesses managing sensitive data protect the privacy of Canadians by adopting industry best practices and solutions to mitigate the risks that the Digital Privacy Act presents to organizations, associations and corporations.
TestingXperts (Tx) has been at the forefront of delivering digital testing services for businesses across industries. With proven experience in mobile and web app testing services and an end-to-end service portfolio, Tx can address the various challenges associated with digital apps, including compliance, functionality, performance, security, usability, and cross-device compatibility. Adherence to the regulations requires a comprehensive test data management approach. Tx helps businesses achieve faster time-to-market with highly compatible, secure, stable, and robust digital applications.
• Advice from industry experts regarding privacy and data management
• Compliance gap analysis for corporate policies and programs
• Governance for the collection, use, and disclosure of information
• Data breach evaluation
• Data mapping and Privacy Impact Assessments for AI-based apps and services
• Cloud-based cyber security risk analysis
• End-to-end software testing services portfolio for digital applications
• 10+ years of test automation expertise with more than 500 test automation experts
• Experience with all industry-leading tools for functional testing, performance testing, security testing, and software test automation
• Follow a user-centric testing approach
• Teams have rich experience in web, mobile, and SMAC applications testing
• Detailed custom reports to help stakeholders make informed decisions
• Seamless customer support available 24×7