On November 17, 2020, the Honourable Navdeep Bains, Minister of Innovation, Science and Industry, tabled Bill C-11, the Digital Charter Implementation Act, 2020 (the “Act”), which aims to overhaul Canada's federal data privacy law. If passed, the bill would repeal the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and introduce new obligations for private-sector organizations and new enforcement regimes.
In tabling the bill, the Federal Government has stated that the legislation is intended “to ensure that Canadians will be protected by a modern and responsive law and that innovative businesses will benefit from clear rules, even as technology continues to evolve”.1
As currently drafted, the Act proposes to:
- enact the Consumer Privacy Protection Act (CPPA) to replace Part 1 of PIPEDA;
- establish a specialized privacy and data protection tribunal under the Personal Information and Data Protection Tribunal Act to hear appeals of certain decisions made by the Privacy Commissioner under the CPPA and to impose penalties for the contravention of certain provisions of that Act;
- provide the Privacy Commissioner with order-making powers, including the ability to force an organization to comply and to order a company to stop collecting data or using personal information, as well as the power to recommend significant administrative penalties for failure to do so; and
- introduce a private right of action by which an individual affected by a CPPA contravention may bring a claim against the organization for damages for loss or injury suffered as a result of the contravention, subject to certain conditions (s. 106).
Under the CPPA, organizations will be required, among other things, to:
- implement a “privacy management program” setting out the policies and procedures the organization has put in place to protect personal information, deal with privacy complaints and train personnel, and to provide the Privacy Commissioner with access to those policies and procedures (ss. 9 and 10);
- identify and record each of the purposes for which it collects, uses or discloses any personal information, and ensure that it does so at or before the time of collection (s. 12(3));
- provide plain-language disclosures for the purposes of obtaining consent (s. 15(3));
- identify any third parties or types of third parties to which the personal information may be disclosed (s. 15(3)(e)); and
- amend or dispose of (delete) an individual's personal information at their written request (ss. 55 and 63).
The draft legislation provides that organizations that fail to comply with the CPPA may face penalties of up to $10,000,000 or 3% of the organization's annual gross global revenue, whichever is greater. Serious fines are contemplated if an organization knowingly contravenes provisions relating to reporting of breaches of security safeguards, maintaining records of breaches of safeguards, retaining information subject to an access request, using de-identified information to identify an individual, and whistleblower protections, or for obstructing a Commissioner investigation, inquiry, or audit (s. 125). In those circumstances, a penalty not exceeding the greater of $25,000,000 or 5% of an organization's annual gross global revenue may be imposed.
Exemptions relating to consent requirements for the handling of employee personal information are included in the bill; however, significant employee training would be required to address the legislative overhaul and mitigate risk.
Bill C-11 is currently in its second reading before the House of Commons, and debates and committee will follow. The full text of the bill is available at: https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading
The federal Privacy Commissioner has issued a statement in respect of the proposed bill here: https://priv.gc.ca/en/opc-news/news-and-announcements/2020/s-d_201119/