Canada: Watch out, GDPR - Canada proposes strict new privacy law framework backed by significant fines

In brief

In November 2020, Canada introduced new federal privacy legislation that, if adopted, will create one of the strictest data protection regimes in the world, accompanied by some of the most severe financial penalties, rivalling the standards in Europe and California. Companies with a connection to Canada will need to build the new federal law, and applicable provincial laws, into their global compliance strategy.


Key Takeaways and Next Steps

The draft federal Bill C-11 provides organizations with a glimpse into what Canada's private sector privacy laws may look like in the near future. As Canadian lawmakers consider amendments and proposals to align with global regimes such as the European General Data Protection Regulation (GDPR), businesses are likely to see new or increased consumer rights and additional obligations with respect to how personal information may be processed. In response, organizations should:

  • monitor the upcoming proposals and consultations,
  • take inventory of their existing data privacy practices and programs in light of the proposed changes, and
  • be prepared to potentially offer "GDPR-like" rights to Canadian consumers, including Canadian equivalents to the right to data portability and the right to be forgotten.

Timing of Implementation

To become law, Bill C-11 will need to advance through a number of legislative stages, including committee review and consultation, before it receives formal approval through Royal Assent. It is also common practice to hold public consultations and obtain input from various stakeholders during the process, in which case the Bill may not be passed until well into 2021. As currently drafted, the Bill does not yet define any transition timelines to afford businesses time to align their data privacy management practices with the proposed requirements and enforcement mechanisms.

In depth

Background

The rapidly expanding online economy and the associated growth in data collection and processing have made the need for stronger privacy laws a top policy priority for Canada. The Canadian government's Digital Charter, introduced in 2019 to provide a principled approach to enhancing Canadian privacy laws, is evidence of this. On November 17, 2020, the federal government tabled Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (also known as the Digital Charter Implementation Act, 2020) to codify this framework. With the introduction of Bill C-11, Canada has taken a bold first step toward reasserting its position as a global leader in privacy protection, through enhanced requirements and rigorous enforcement tools and consequences. Once enacted, the Consumer Privacy Protection Act (CPPA) will effectively replace the Personal Information Protection and Electronic Documents Act (PIPEDA) as Canada's main privacy law. The reforms will fundamentally transform Canada's approach to privacy enforcement and influence every corner of Canadian privacy compliance, affecting every company with a business connection to Canada.

New Enforcement Powers and Penalties

The CPPA will significantly enhance the powers of Canada's top privacy regulator. The Office of the Privacy Commissioner (OPC) will now have the right to audit any organization's privacy practices, enter into compliance agreements with non-compliant organizations, and refer matters to a newly created Personal Information and Data Protection Tribunal, which will be enacted through another new statute, the Personal Information and Data Protection Tribunal Act. Furthermore, the OPC will be able to impose administrative penalties of up to 3% of an organization's global revenue or C$10 million (whichever is greater) for most non-compliance with the CPPA, and penalties of up to 5% of an organization's global revenue or C$25 million (whichever is greater) for the most serious contraventions of the CPPA, penalty levels that will align closely with the GDPR. Through its new enforcement powers, the OPC will also have the power to formally collaborate with other Canadian enforcement bodies on privacy matters, including the Canadian Radio-television and Telecommunications Commission, which primarily administers Canada's anti-spam legislation, and the Canadian Competition Bureau, which in 2020 reached one of its largest misleading advertising penalty settlements to date in the area of misleading privacy practices.

Expanded and Updated Legal Requirements

In addition to increasing the OPC's powers, the CPPA aims to substantially update and expand virtually all aspects of existing Canadian privacy laws and provide Canadian consumers with greater control over their personal information. Among the most notable changes are:

  1. Refreshed and Enhanced Consents: Subject to certain defined exceptions, consent will remain the primary building block for the collection, use and disclosure of personal information under the CPPA, but, by default, consent will need to be express (unless implied consent is appropriate in the circumstances), and such consent must be obtained using simple and plain language only.
  2. New Consumer Rights: Consistent with certain other leading jurisdictions, the CPPA will include new consumer rights that will allow individuals to transfer their personal information to another organization; be provided with explanations in respect of any predictions, recommendations or decisions made by any automated decision system; and have their personal information destroyed.
  3. New Private Right of Action: The CPPA will provide individuals a private right of action against any organization that has contravened its obligations under the CPPA, for proven damages for loss or injury.
  4. New De-Identification Rules: Organizations will be required to adhere to new rules related to the de-identification of personal information, including (i) implementing technical and administrative measures when de-identifying personal information; and (ii) not using de-identified information alone or in combination with other information to identify an individual.
  5. Mandatory Privacy Management Program: Organizations will be required to implement policies, practices and procedures for the protection of personal information, requests for information and complaints, staff training, and materials that explain the organization's approach to fulfilling its obligations under the CPPA. Organizations will also have the ability to submit codes of practice and certification programs to the OPC for approval.

Parallel Provincial Privacy Law Reforms

Bill C-11 forms part of a broader landscape of private sector privacy law reform across Canada. 

  • In February of 2020, the province of British Columbia appointed a Special Committee to conduct a review of its Personal Information Protection Act, the response to which has highlighted the failure of the legislation to keep pace with national and international privacy trends.
  • In June 2020, the government of Quebec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which proposes to modernize and amend various public and private sector Quebec privacy laws to align more closely with both PIPEDA and the GDPR.
  • In August 2020, the government of Ontario, Canada's most populous province, launched a consultation to consider improvements to its privacy framework, including the creation of provincial privacy legislation for the private sector. The Office of the Information and Privacy Commissioner of Ontario ("IPC") published its feedback to the consultation in the form of an open letter, stating that "the time has come for Ontario to fill important gaps in its existing legislative frameworks and integrate privacy protection across its public, private, and health sectors".


© 2021 Baker & McKenzie.