"CPPA from GDPR does not fall far": Canada is trying to tighten requirements for the protection of personal data

The General Data Protection Regulation (GDPR) came into force almost three years ago, but in such a short period – by the standards of the development of legislative initiatives – it became a real flagship, an example and in many respects a reason for revising local acts on working with personal data in a number of countries.

We discuss how the situation in Canada is developing: what regulators are proposing and what risks technology specialists and companies see in potential changes in the regulatory framework.

What happened

The impact of the GDPR cannot be overstated. He pulled along a chain of similar measures in USA, Brazil and even Kenya… In the third year of the triumphant march of the law across the planet, Canadian regulators also got involved. They decided to acquire their own “localization” of the law – to revise the twenty-year PIPEDA (Personal Information Protection and Electronic Documents Act) and develop a new document called the Consumer Privacy Protection Act (CPPA).

According to official statements, the CPPA is intended to bring the conditions for the collection, processing, storage and use of personal data in line with the general level of technological development and the context of citizens’ interaction with local organizations. In particular, the government of Canada does an emphasis on how the latter should explain the reasons for collecting the data and the extent to which it is “mobile” – for example, warn of cross-border transfers and provide the possibility of safe transfers from one organization to another upon request.

The main thing that distinguishes the “Canadian GDPR” is the new sanctions for violators of the regulation. They will have to shell out 3% of the company’s annual income (including earnings of affiliates around the world) or 10 million, most likely, Canadian dollars.

But in the event of a major leak, deliberate leakage or violation of the rules of data de-identification, a fine of up to 5% / 25 million is provided, respectively.

Notable nuances

The top bar of five percent was not chosen by chance – this is how the Canadian authorities demonstrate their determination to surpass the GDPR in all respects. They are not limited to the size of the sanctions. Under the CPPA, organizations will be required, upon request, to provide clarifications on how their algorithm or recommendation system works, which makes decisions based on the personal data of a citizen of the country. Experts considerthat in this regard (as well as in terms of fines) Canada can bypass European regulators.

As for de-identification, it is meant to be completely prohibited. There are sanctions for establishing an identity based on the provided personal data. The only exception is testing to maintain the proper level of security (probably some system that prevents such attempts). However, it is still difficult to say how conditional social networks will fulfill this requirement if a person decides to indicate his real name and age. Most likely, the requirement will be applied against persistent violators – for example, organizations involved in recovering data from many gray databases for subsequent spam audience with offers to use any service.

What’s interesting about the CPPA took into account and situations where you do not need to obtain consent to collect personal data. Let’s say that this includes maintaining network security, plus – everything that does not fall under commercial activity and other attempts to have any influence on a person’s making certain decisions (for example, about buying).

Another new regulation allows organizations to introduce their own measures to protect personal data, which may exceed in terms of the level of requirements what is spelled out in the CPPA itself.

What to expect

The Canadian version of the GDPR will be applied to all structures that somehow come into contact with the data of citizens. If large companies can allocate two or three full-time specialists for training, keeping up to date and checking corporate policies for the operation and ensuring the security of PD, then for small businesses this process will most likely be difficult, given that CPPA also requires training. employees.

On the other hand, the regulation looks like a framework document. Most of the wording is too general, so it is worth waiting for clarifications in the format of additional acts clarifying and regulating certain points from the CPPA. As practice shows, in Canada this process can take several years, so while entrepreneurs can breathe out, and the government can think about how to protect the interests of citizens without harming the budget of small companies.

Generally speaking, local GDPR options were just the beginning. Many countries are now launching campaigns proposing targeted regulation of the big data industry.

So, in the UK, the so-called “National Data Strategy“- a strategy whose goal is to deploy a” data economy “. The government wants to understand where and how this or that data of citizens is used, and is trying to offer a universal mechanism or even a standard for their anonymous accounting, classification and processing on the side of companies.

Most likely, the development of the document will take many years, so other countries will still have many opportunities to launch their own analogs and such initiatives (in addition to GDPR).

What else to read on our blog: