On November 17, 2020, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020 (“DCIA”), which would serve to overhaul Canada’s federal private sector privacy law regime. The new scheme would introduce two new statutes, the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”), and replace the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”) with the Electronic Documents Act.
The DCIA is clearly influenced by the EU’s General Data Protection Regulation (“GDPR”) and represents a sea change for the federal private sector privacy regime: it would establish a new administrative tribunal capable of imposing steep fines and would create new consumer privacy rights, amongst several other consequential changes.
New Administrative Tribunal
The DCIA would establish a brand new administrative tribunal, the Personal Information and Data Protection Tribunal (the “Tribunal”), to hear appeals of certain decisions made by the Office of the Privacy Commissioner of Canada (the “OPC”). The Tribunal would have authority to impose penalties where certain provisions of the CPPA have been contravened, offering a more streamlined path to the enforcement of OPC orders than is available under the current regime.
Expanded Enforcement Powers for the OPC
The proposed CPPA would provide the OPC with broader order-making powers, including the ability to enforce compliance and require organizations to stop collecting or using individuals’ information.
The OPC would also be able to recommend fines to the Tribunal, which the Minister of Innovation, Science, and Industry has suggested will be the steepest fines of all G7 privacy laws. The proposed fines are as follows:
- for less serious offences, organizations could be fined up to the greater of $20,000,000 or 4% of the organization’s gross global revenue; and,
- for more serious offences, organizations could be fined up to the greater of $25,000,000 or 5% of the organization’s gross global revenue.
New Privacy Rights
The proposed legislation would also establish several new privacy rights.
For example, the CPPA would establish a right to deletion or erasure of personal data (often referred to as the “right to be forgotten”), which provides individuals with the ability to request that organizations permanently delete their personal information when it is no longer required for the delivery of a service.
Further, the proposed legislation would provide individuals with the right to “data mobility”. This right would allow individuals to transfer their data from one organization to another that offers a similar service.
Other Consequential Amendments
The proposed scheme may also lead to various other changes, including:
- requiring organizations to establish privacy management programs;
- permitting individuals to bring civil actions where the OPC has found a privacy violation which is upheld by the Tribunal;
- permitting organizations to disclose de-identified data to public entities for “socially beneficial purposes”;
- enhancing consent requirements;
- establishing new algorithmic transparency requirements; and,
- permitting organizations to request that the OPC approve codes of practice and certification systems put in place.
In Our View
We are currently reviewing Bill C-11 in detail and will issue a more comprehensive review shortly.
Given the severe consequences which could result from violations of the proposed scheme, organizations are well-advised to take steps to ensure that they are familiar with the proposed Bill C-11 changes and review their existing privacy practices regarding the handling of personal information.
Federal public sector organizations should also consider taking steps to update their privacy practices, as the federal government has indicated that the DCIA is merely an “initial step” towards the comprehensive reform of Canada’s federal privacy regime.