Author: Adam Bosma
Canadian Government Proposes Significant Privacy Legislation Amendments
On November 17, 2020, Minister of Innovation, Science and Industry Navdeep Bains introduced for first reading Bill C-11 The Digital Charter Implementation Act (the “Bill”) which, if enacted in the form first proposed, would replace Part 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) with the Consumer Privacy Protection Act (“CPPA”) and introduce the Personal Information and Data Protection Tribunal Act, establishing a Personal Information and Data Protection Tribunal (the “Tribunal”) responsible for hearing findings of the Privacy Commissioner of Canada (“Commissioner”) as well as appeals under the proposed privacy regime. As of the date of this writing, the Bill has not had its second reading, but has attracted commentary from industry and privacy experts both inside and outside Canada, as the government seeks input on privacy modernization.
The Bill signals the Federal Government’s desire to modernize Canada’s privacy laws in important ways. Should the CPPA as set out in the Bill become law, it would change the way private sector organizations gather, use and store Canadians’ personal information, as well as expanding Canadians’ rights with respect to their own stored information. Highlights of these data collection and management changes include:
- Enhanced Accountability: Organizations must establish a privacy management program including the organization’s policies, practices, and procedures for the protection of personal information and other related topics.
- Consent: Organizations must seek express consent from individuals prior to collection of any personal information (except certain situations where implied consent can be shown or other exceptions apply), and ensure that the request for consent is presented in plain language. Individuals will be entitled to withdraw this consent in whole or in part, on “reasonable notice” or subject to “reasonable terms of a contract”.
- Collection: Organizations must ensure that they collect personal information only for specific purposes that are strictly necessary to the product or service offered, and that these precise uses are explained in plain language to the individual prior to any collection. Organizations must then protect and safeguard all collected information to the standards set out in the CPPA.
- Disclosure: The CPPA provides scenarios in which an organization is permitted to disclose collected information to a service provider, and requires the service provider to afford substantially the same protections to the personal information. In all cases the disclosure restrictions and safeguards would be proportionate to the sensitivity of the personal information and to the consequences should it be misused or its safeguards breached, among other criteria.
- Individual Requests: Subject to limited exceptions, individuals would be able to request:
  - whether an organization has any information about them, how it has been used and whether it has been disclosed;
  - access to any information the organization stores about them;
  - that the organization transfer all the personal information that it has stored about them to a different organization; and
  - that any or all information about them in the organization’s control be destroyed.
- Transparency: Further transparency provisions would require an organization, upon request, to disclose how the organization uses personal information to make decisions, predictions or recommendations with respect to the individual, including by automated means. This would have significant impacts on organizations that rely on data aggregation and analysis, algorithmic recommendations (particularly in the case of social media and advertising), AI, machine learning and other systems drawing on a repository of users’ personal information.
Private sector organizations should also take note of the following penalty provisions, which, if adopted, would be the strictest of their kind in any G7 country:
- Expanded powers of the Commissioner for carrying out investigation and enforcement activities.
- A maximum penalty provision, providing for a fine of up to the higher of $10,000,000 and 3% of an organization’s gross global revenue, except where an organization is found to be knowingly in contravention of certain CPPA provisions, in which case the organization could be fined up to the higher of $25,000,000 and 5% of gross global revenue.
- Creation of a private right of action for individuals against an organization which has contravened the CPPA in respect of the individual’s protected information.
- Protections for whistleblowers within organizations that contravene the CPPA.
Bill C-11 is likely to attract further attention from domestic industry and privacy experts, Canada’s trading partners abroad and certainly foreign organizations that collect and store Canadians’ personal information. With review of Canada’s ‘adequacy status’ under the European Union’s GDPR data and privacy regime on the horizon, Canada is under mounting pressure to modernize its privacy laws and particularly PIPEDA, which was granted adequacy status in 2001 and reaffirmed in 2006.
We will be monitoring the progress of Bill C-11 through the House of Commons and will provide further updates. Should you have any questions or require assistance with your own privacy obligations, please feel free to reach out for specific legal advice.
Contact: Adam Bosma, phone: 604.891.1158, email: email@example.com
For further reading, see the following:
- Statement from the Privacy Commissioner of Canada following the tabling of Bill C-11, November 19, 2020
- Statement from Innovation, Science and Economic Development Canada, November 17, 2020
- Canada Trade Commissioner: The European Union’s General Data Protection Regulation, modified November 20, 2020
This bulletin is intended as a summary only and should not be regarded or relied upon as legal advice to any specific client or regarding any specific situation.