Canada | Publication | August 16, 2022
The House of Commons recently tabled Bill C-27, which introduces three new acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). Together they would replace the current Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-27 is the successor to Bill C-11, which died on the order paper when Parliament was dissolved in the fall of 2021.
For more information on the AIDA, please see our recent update on the matter.
In this update, we take a closer look at the key elements businesses should know about the proposed requirements under CPPA and provide practical tips for complying with these requirements.
While certain broad themes of PIPEDA are reproduced and clarified in the CPPA, many best practices suggested by the Office of the Privacy Commissioner of Canada have been codified. Given the increased enforcement and sanction powers proposed by Bill C-27, businesses should carefully revise their privacy programs to comply with these new obligations.
As under PIPEDA, businesses remain accountable for information under their control. What constitutes “control” has been clarified under the CPPA – a business will have control of personal information when it (1) decides whether or not to collect it, and (2) determines the purposes for the collection, use or disclosure.
To this effect, the CPPA introduces the notion of “service provider,” a third party that processes personal information on behalf of another business. It is important to note that generally speaking, the CPPA obligations will not directly apply to service providers, but rather to the controlling businesses.
Proposed next step for businesses: Identify and catalog the types of personal information the business collects, uses, discloses or stores, and use that inventory to distinguish the circumstances in which the business acts as a service provider from those in which it acts as a controller.
One of Bill C-27’s most significant changes is the obligation for businesses to implement and maintain a privacy management program. This program must include the policies, practices and procedures put in place by a business to comply with statutory requirements, including for protecting personal information, processing requests and complaints made by individuals and employee training procedures. When developing their program, businesses will need to consider the volume and sensitivity of personal information the business controls.
An addition introduced by the CPPA is the possibility for the Office of the Privacy Commissioner of Canada (OPC) to request access to a business’ privacy management program and provide guidance and corrective measures. This change appears to be aimed at providing the OPC with enhanced enforcement powers.
Proposed next steps for businesses:
The CPPA requires a business to ensure that any service providers engaged to process personal information on the business’ behalf provide a level of protection equivalent to that required of the business itself. While the OPC has commonly recommended this to ensure compliance with PIPEDA, it is now an express requirement under the CPPA.
Proposed next steps for businesses:
As a customer,
As a service provider,
The CPPA is very clear on retention periods – businesses can only keep personal information for as long as is required to fulfill the purposes for which it was collected, or to comply with statutory requirements. Furthermore, businesses must be able to justify why personal information should be retained for the proposed period of time.
Businesses will be required to consider the sensitivity of personal information when determining its retention period. As soon as feasible after this period, personal information must be destroyed, either by permanently and irreversibly deleting it or by anonymizing it. Anonymization must itself be permanent and irreversible, so that no individual can be identified from the information.
Proposed next steps for businesses:
As under PIPEDA, businesses must use appropriate physical, organizational and technological security safeguards to protect personal information under their control. The CPPA introduces a new requirement: businesses must have a way of authenticating the individual to whom personal information relates. The bill does not currently provide further guidance on the manner of authentication required.
PIPEDA’s requirements on reporting to the OPC and notifying affected individuals of breaches of these security safeguards remain generally unchanged, and the real risk of significant harm test (RROSH test) still applies when considering whether notification obligations have been triggered.
An important addition under CPPA, however, is that service providers will be required to notify controlling businesses of a breach of their security safeguards affecting personal information processed on behalf of such businesses.
Proposed next steps for businesses:
Businesses need to make information regarding the steps taken to comply with the CPPA available to the public. Most businesses can comply with this requirement by providing a detailed privacy policy, including elements such as the types of personal information under their control and how they are used, whether or not any interprovincial/international data transfers occur, and retention periods. This publicly available information should be provided in “plain language,” meaning it must be reasonably expected to be understood by regular individuals.
Proposed next steps for businesses:
© Norton Rose Fulbright LLP 2023