The dawn of Canadian Privacy Law 2.0: The Consumer Privacy Protection Act introduced

November 19, 2020 | David Krebs, Kelly Harris

The long-awaited overhaul of federal private sector privacy law, as outlined in our previous blog post, is finally here. The Digital Charter Implementation Act was introduced for First Reading on November 17, 2020, as Bill C-11. If enacted, the new Consumer Privacy Protection Act will replace the privacy portions of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”), and consequential amendments will be made to several other statutes. Bill C-11 follows on the introduction of Quebec’s Bill C-64 as well as consultation processes in Ontario and British Columbia with respect to changes to provincial privacy regimes.

Read the full text of the version introduced at First Reading. As with any Bill, it will be subject to amendment throughout the upcoming stages of the legislative process, but it is quite clear that whatever details are to follow, Canadian privacy law will have more teeth in the form of penalties and enforcement, as well as enhancements to address the challenges and promises of present-day technology. We anticipate additional scrutiny both from privacy and civil rights proponents as well as from industry, given the increasing importance of privacy regulation and the proposed scope of changes.

Watch this space for updates, as we will be publishing a series of articles discussing key provisions and novel concepts such as:

  • New private right of action;
  • New regulatory enforcement powers, including establishment of an adjudication Tribunal;
  • New maximum administrative monetary penalty, up to a maximum of $10 million CAD or 3% of the organization’s gross global revenue (whichever is higher);
  • New offences, up to a maximum fine of $25 million CAD or 5% of global revenue (whichever is higher);
  • Consent will not be required to collect, use and/or disclose personal information in a wide variety of specified contexts;
  • De-identification introduced as a meaningful option for using personal information without consent;
  • Transparency will be required for automated decision-making;
  • Enhanced record-keeping requirements, particularly regarding proposed use;
  • Data mobility framework will be detailed in upcoming regulations;
  • Privacy Commissioner given power to approve codes of practice and certification systems.

The introduction of the Consumer Privacy Protection Act will spark debate, and we will devote some attention to exploring relevant issues and these new concepts – what they could mean in practice for organizations doing business in Canada, how they align with Europe’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), and where they may fall short in satisfying all relevant stakeholders.


This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.