Proposed Amendments to Bill C-27 Expand Privacy Regulator’s Powers and Create Risk for Businesses
The Canadian federal government has released proposed amendments to Part 1 of Bill C-27, the Consumer Privacy Protection Act (CPPA), which would significantly expand the powers and reach of the Office of the Privacy Commissioner of Canada (OPC). These changes have raised concerns among businesses due to the potential regulatory uncertainties and increased risk they may create. One notable amendment focuses on the broadening of the appropriate purposes provision.
Previously, the government had announced its intention to amend Bill C-27, but the specific legal text had not been disclosed. Now, the proposed amendments to Part 1 of the CPPA have been made available, while amendments to Part 3, the Artificial Intelligence and Data Act (AIDA), will be addressed at a later date.
The proposed amendments cover three key areas: the recognition of privacy as a fundamental right, increased flexibility for the Privacy Commissioner to reach compliance agreements, and the reinforcement of protection for children’s privacy rights.
Regarding the recognition of privacy as a fundamental right, the OPC’s wish has been granted by including this language in the Preamble and purpose section of the statute. Although language in the Preamble is influential rather than legally binding, the inclusion of this language in the body of the statute will likely be cited by those favoring stronger privacy protection.
The most significant change introduced by the amendments is the potential for the OPC to require organizations to pay a specified amount as part of compliance agreements. This raises questions about whether this payment would be considered damages and to whom it should be paid. If organizations are required to pay both a specified amount under a compliance agreement and damages under the private right of action, it could impose a significant financial burden.
Further, the proposed amendments to the appropriate purposes provision, which affects the collection, use, and disclosure of personal information by organizations, have created concerns for businesses. The amendments provide the OPC with substantial discretion to determine what factors are relevant in assessing appropriateness, without providing a definitive list. This lack of clarity could make the OPC’s interpretation hard to anticipate, reducing predictability and certainty for organizations.
Of particular concern is the OPC’s past reliance on inferences and speculation to determine appropriateness. The broadening of the CPPA’s section 12, combined with increased discretion for the OPC, may create further uncertainty for businesses.
Additionally, the inclusion of the words “in the manner” in section 12 further expands the scope of the provision. This could lead to the OPC finding an organization’s actions inappropriate based on how it collected, used, or disclosed personal information, even if the purpose itself was considered appropriate.
These proposed amendments raise significant concerns for businesses, as they could result in heightened regulatory uncertainties and potential financial risks. The broadening of the appropriate purposes provision and the increased discretion granted to the OPC may lead to unpredictable interpretations and increased business uncertainty. Organizations will need to carefully navigate these potential changes to ensure compliance with privacy regulations while managing potential risks.