The dawn of Canadian Privacy Law 2.0: The Consumer Privacy Protection Act introduced

19 novembre 2020 | David Krebs, Kelly Harris

( Disponible en anglais seulement )

The long-awaited overhaul of federal private sector privacy law, as outlined in our previous blog post, is finally here. The Digital Charter Implementation Act was introduced for First Reading on November 17, 2020, as Bill C-11. If enacted, the new Consumer Privacy Protection Act will replace the privacy portions of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”), and consequential amendments will be made to several other statutes. Bill C-11 follows on the introduction of Quebec’s Bill C-64 as well as consultation processes in Ontario and British Columbia with respect to changes to provincial privacy regimes.

Read the full text of the version introduced at First Reading. As with any Bill, it will be subject to amendment throughout the upcoming stages of the legislative process, but it is quite clear that whatever details are to follow, Canadian privacy law will have more teeth in the form of penalties and enforcement, as well as enhancements to address the challenges and promises of present-day technology. We anticipate additional scrutiny both from privacy and civil rights proponents as well as from industry, given the increasing importance of privacy regulation and the proposed scope of changes.

Watch this space for updates, as we will be publishing a series of articles discussing key provisions and novel concepts such as:

  • New private right of action;
  • New regulatory enforcement powers, including establishment of an adjudication Tribunal;
  • New maximum administrative monetary penalty, up to a maximum of $10 million CAD or 3% of the organization’s gross global revenue (whichever is higher);
  • New offences, up to a maximum fine of $25 million CAD or 5% of global revenue (whichever is higher);
  • Consent will not be required to collect, use and/or disclose personal information in a wide variety of specified contexts;
  • De-identification introduced as a meaningful option for using personal information without consent;
  • Transparency will be required for automated decision-making;
  • Enhanced record-keeping requirements, particularly regarding proposed use;
  • Data mobility framework will be detailed in upcoming regulations;
  • Privacy Commissioner given power to approve codes of practice and certification systems.

The introduction of the Consumer Privacy Protection Act will spark debate, and we will devote some attention to exploring relevant issues and these new concepts – what they could mean in practice for organizations doing business in Canada, how they align with Europe’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), and where they may fall short in satisfying all relevant stakeholders.

Avis de non-responsabilité

Les renseignements affichés sur ce blogue contiennent des points de droit variés fournis uniquement à des fins informatives et non commerciales. Ces renseignements ne constituent pas un avis juridique de la part de l’auteur. Nous mettons en garde les lecteurs de ne pas prendre de décision particulière sans avoir préalablement obtenu l’avis juridique d’un professionnel qualifié. Toute personne qui décide de prendre une décision en s’appuyant sur ces renseignements le fait à ses propres risques.