Background

Canadian businesses and organizations should be aware of upcoming changes to the country's federal privacy legislation, which introduce new data protection requirements and serious penalties for organizations that do not comply with them.

Introduced in Parliament in November 2020, the Digital Charter Implementation Act, if passed, will provide the first significant overhaul of the country's privacy law regime in a decade, replacing the existing Personal Information Protection and Electronic Documents Act ("PIPEDA") with two new acts: the Consumer Privacy Protection Act ("CPPA") and the Personal Information and Data Protection Tribunal Act ("PIPTD").

Key Changes to Know

Creation of New Privacy Protection Tribunal

PIPTD will create a new Personal Information and Data Protection Tribunal (the "Tribunal") which will be responsible for hearing appeals of decisions made by the Privacy Commissioner of Canada (the "Commissioner").

The Tribunal will produce written decisions with reasons that will be made publicly available and will serve as final and binding, subject only to judicial review under the Federal Courts Act.

Importantly, this Tribunal will not be bound by legal or technical rules of evidence and will instead deal with matters "informally and expeditiously", provided that fairness and natural justice considerations are met.

Significant Penalties and Fines

The Tribunal will also have the power to impose penalties for contraventions of the CPPA as recommended by the Commissioner, which are more significant than under current legislation.

Notably, organizations that violate the CPPA could face administrative monetary penalties of up to the greater of $10,000,000 and 3% of the organization's gross global revenue.

Creation of Private Rights of Action

The CPPA also creates a private right of action for individuals, whereby an individual may claim damages for personal loss or injury for the actions of an organization that was convicted of an offence under the CPPA by the Tribunal or Commissioner.

Organizations should be aware that these civil actions could result in financial liability in addition to any penalty or fine imposed by the Tribunal for contravening the CPPA.

Enhanced Consent and Accountability for Data Collection

The CPPA will also require organizations to provide certain information to an individual at or before the time of collection of data, including:

  • the purpose of the collection;
  • the use and disclosure of the collection;
  • any reasonably foreseeable consequences of the collection;
  • the type of information involved; and
  • the name or types of any third parties with whom the information may be shared.

Grounds for Processing Data without Consent

Similar to the existing legislative scheme, the CPPA permits organizations to lawfully collect and disclose personal information without consent, provided there is a valid reason.

Valid reasons include:

  • when necessary to provide a product or service requested by an individual;
  • when part of a due diligence process;
  • when needed for security and safety purposes; and
  • where obtaining consent would be impracticable due to the nature of an indirect relationship.

However, organizations should ensure that they only collect information without consent in circumstances where a reasonable person would permit consent, and not for the purpose of influencing their behaviour or decisions.

De-identifying Personal Information in Business Transactions

The CPPA also provides express requirements to de-identify information being used without an individual's knowledge or consent in a business transaction. Organizations should be aware that they will be required to de-identify the information before it is used, and to keep it de-identified until the transaction is complete.

Moving Forward

Canadian businesses and organizations should remain aware of changes, including any news on the transition period before these changes become enforceable, and prepare to comply with the new Digital Charter Implementation Act once it is fully implemented.
