(CPPA). Bill C-27 would also introduce a tribunal for imposing penalties and a new law dedicated to regulating artificial intelligence technologies, the Artificial Intelligence and Data Act. Like the reforms enacted in Québec, a number of the provisions introduced in the CPPA are inspired by and intended to align with the GDPR. Although the CPPA would maintain the consent-based framework of PIPEDA, it would expand the exceptions to consent to include processing personal information for the purposes of “business activities” or “legitimate interests,” provided that such purposes do not involve influencing the individual’s behaviour or decisions, and the processing falls within an individual’s reasonable expectations. Bill C-27 would also introduce fines and penalties by empowering the OPC to recommend, and the tribunal to impose, administrative monetary penalties up to the higher of $10 million and 3% of an organization’s gross global revenue in its previous financial year, and fines for offences under the CPPA up to the higher of $25 million and 5% of an organization’s gross global revenue in its previous financial year. The CPPA would also create a private right of action for individuals if the organization has been found by the OPC or the tribunal to have contravened the CPPA (and the finding may no longer be appealed), or the organization has been convicted of an offence under the CPPA. In June 2022, the Canadian federal government introduced a bill to enact the Digital Charter Implementation Act , which if passed would significantly modernize the Canadian federal private sector privacy and data protection legislative framework.
106
Doing Business in Canada
Powered by FlippingBook