On November 16, 2020, the federal government introduced the Consumer Privacy Protection Act (“CPPA”), which, if enacted, will provide organizations with greater clarity regarding their obligations when engaging third party service providers to process personal information outside Canada. In this blog, we explore how the core concepts of cross-border transfers of personal information for processing are evolving after a brief period of major uncertainty.
On December 14, 2020, the Privacy Commissioner of Canada, Daniel Therrien, issued a statement regarding the recent data breach at Desjardins. The statement involved the investigation conducted under the Personal Information Protection and Electronic Documents Act (PIPEDA) concerning the largest ever data breach in Canada’s financial services sector. Plainly put, the investigation revealed that Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.
On October 29, 2020, the Office of the Privacy Commissioner of Canada announced the findings of a joint investigation by Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner for British Columbia that examined whether the Cadillac Fairview Corporation Limited was collecting and using personal information of visitors to its Canadian malls without valid consent using Anonymous Video Analytics technology installed in wayfinding directories and mobile device geolocation tracking technologies.