Key Takeaways and Next Steps
The draft federal Bill C-11 provides organizations with a glimpse into what Canada's private sector privacy laws may look like in the near future. As Canadian lawmakers consider amendments and proposals to align with global regimes such as the European General Data Protection Regulation (GDPR), businesses are likely to see new or increased consumer rights and additional obligations with respect to how personal information may be processed. In response, organizations should:
- monitor the upcoming proposals and consultations,
- take inventory of their existing data privacy practices and programs in light of the proposed changes, and
- be prepared to potentially offer "GDPR-like" rights to Canadian consumers, including Canadian equivalents to the right to data portability and the right to be forgotten.
Timing of Implementation
To become law, Bill C-11 will need to advance through a number of legislative stages, including committee review and consultation, before it receives formal approval through Royal Assent. It is also common practice to hold public consultations and obtain input from various stakeholders during the process, in which case it may not be until well into 2021 before the Bill is passed. As currently drafted, the Bill does not yet define any transition timelines to afford businesses time to align their data privacy management practices with the proposed requirements and enforcement mechanisms.
The rapidly expanding online economy and the associated growth in data collection and processing have made the need for stronger privacy laws a top policy priority for Canada. The Canadian government's Digital Charter, introduced in 2019 to provide a principled approach to enhancing Canadian privacy laws, is evidence of this. On November 17, 2020, the federal government tabled Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (also known as the Digital Charter Implementation Act, 2020) to codify this framework. With the introduction of Bill C-11, Canada has taken a bold first step toward reasserting its position as a global leader in privacy protection, through enhanced requirements and rigorous enforcement tools and consequences. Once enacted, the Consumer Privacy Protection Act (CPPA) will effectively replace the Personal Information Protection and Electronic Documents Act (PIPEDA) as Canada's main privacy law. The reforms will fundamentally transform Canada's approach to privacy enforcement and influence every corner of Canadian privacy compliance, affecting every company with a business connection to Canada.
New Enforcement Powers and Penalties
The CPPA will significantly enhance the powers of Canada's top privacy regulator. The Office of the Privacy Commissioner (OPC) will now have the right to audit any organization's privacy practices, enter into compliance agreements with non-compliant organizations, and refer matters to a newly created Personal Information and Data Protection Tribunal, which will be enacted through another new statute, the Personal Information and Data Protection Tribunal Act. Furthermore, the OPC will be able to impose administrative penalties of up to 3% of an organization's global revenue or C$10 million (whichever is greater) for most non-compliance with the CPPA, and penalties of up to 5% of an organization's global revenue or C$25 million (whichever is greater) for the most serious contraventions of the CPPA, which will align closely with the GDPR. Through its new enforcement powers, the OPC will also have the power to formally collaborate with other Canadian enforcement bodies on privacy matters, including the Canadian Radio-television and Telecommunications Commission, which primarily administers Canada's anti-spam legislation, and the Canadian Competition Bureau, which in 2020 reached one of its largest misleading advertising penalty settlements to date in the area of misleading privacy practices.
Expanded and Updated Legal Requirements
In addition to increasing the OPC's powers, the CPPA aims to substantially update and expand virtually all aspects of existing Canadian privacy laws and provide Canadian consumers with greater control over their personal information. Among the most notable changes are:
- Refreshed and Enhanced Consents: Subject to certain defined exceptions, consent will remain the primary building block for the collection, use and disclosure of personal information under the CPPA, but, by default, consent will need to be express (unless implied consent is appropriate in the circumstances), and such consent must be obtained using simple and plain language only.
- New Consumer Rights: Consistent with certain other leading jurisdictions, the CPPA will include new consumer rights that will allow individuals to transfer their personal information to another organization; be provided with explanations in respect of any predictions, recommendations or decisions made by any automated decision system; and have their personal information destroyed.
- New Private Right of Action: The CPPA will provide individuals a private right of action against any organization that has contravened its obligations under the CPPA, for proven damages for loss or injury.
- New De-Identification Rules: Organizations will be required to adhere to new rules related to the de-identification of personal information, including (i) implementing technical and administrative measures when de-identifying personal information; and (ii) not using de-identified information alone or in combination with other information to identify an individual.
- Mandatory Privacy Management Program: Organizations will be required to implement policies, practices and procedures for the protection of personal information, requests for information and complaints, staff training, and materials, that explain an organization's approach to fulfilling their obligations under the CPPA. Organizations will also have the ability to submit codes of practice and certification programs for approval with the OPC.
Parallel Provincial Privacy Law Reforms
Bill C-11 forms part of a broader landscape of private sector privacy law reform across Canada.
- In February of 2020, the province of British Columbia appointed a Special Committee to conduct a review of its Personal Information Protection Act, the response to which has highlighted the failure of the legislation to keep pace with national and international privacy trends.
- In June 2020, the government of Quebec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which proposes to modernize and amend various public and private sector Quebec privacy laws to align more closely with both PIPEDA and the GDPR.
In August 2020, the government of Ontario, Canada's most populous province, launched a consultation to consider improvements to its privacy framework, including the creation of provincial privacy legislation for the private sector. The Office of the Information and Privacy Commissioner of Ontario ("IPC") published its feedback to the consultation in the form of an open letter, stating that "the time has come for Ontario to fill important gaps in its existing legislative frameworks and integrate privacy protection across its public, private, and health sectors".