In brief

In November 2020, Canada introduced new federal privacy legislation that, if adopted, will create one of the strictest data protection regimes in the world, accompanied by some of the most severe financial penalties, rivalling the standards in Europe and California. Companies with a connection to Canada will need to build the new federal law, and applicable provincial laws, into their global compliance strategy.


Key Takeaways and Next Steps

The draft federal Bill C-11 provides organizations with a glimpse into what Canada’s private sector privacy laws may look like in the near future. As Canadian lawmakers consider amendments and proposals to align with global regimes such as the European General Data Protection Regulation (GDPR), businesses are likely to see new or increased consumer rights and additional obligations with respect to how personal information may be processed. In response, organizations should:

  • monitor the upcoming proposals and consultations,
  • take inventory of their existing data privacy practices and programs in light of the proposed changes, and
  • be prepared to potentially offer “GDPR-like” rights to Canadian consumers, including Canadian equivalents to the right to data portability and the right to be forgotten.

Timing of Implementation

To become law, Bill C-11 will need to advance through a number of legislative stages, including committee review and consultation, before it receives formal approval through Royal Assent. It is also common practice to hold public consultations and obtain input from various stakeholders during the process, in which case it may not be until well into 2021 before the Bill is passed. As currently drafted, the Bill does not yet define any transition timelines to afford businesses time to align their data privacy management practices with the proposed requirements and enforcement mechanisms.

In depth

Background

The rapidly expanding online economy and the associated growth in data collection and processing have made the need for stronger privacy laws a top policy priority for Canada. The Canadian government’s Digital Charter, introduced in 2019 to provide a principled approach to enhancing Canadian privacy laws, is evidence of this. On November 17, 2020, the federal government tabled Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (also known as the Digital Charter Implementation Act, 2020) to codify this framework. With the introduction of Bill C-11, Canada has taken a bold first step toward reasserting its position as a global leader in privacy protection, through enhanced requirements and rigorous enforcement tools and consequences. Once enacted, the Consumer Privacy Protection Act (CPPA) will effectively replace the Personal Information Protection and Electronic Documents Act (PIPEDA) as Canada’s main privacy law. The reforms will fundamentally transform Canada’s approach to privacy enforcement and influence every corner of Canadian privacy compliance, affecting every company with a business connection to Canada.

New Enforcement Powers and Penalties

The CPPA will significantly enhance the powers of Canada’s top privacy regulator. The Office of the Privacy Commissioner (OPC) will now have the right to audit any organization’s privacy practices, enter into compliance agreements with non-compliant organizations, and refer matters to a newly created Personal Information and Data Protection Tribunal, which will be enacted through another new statute, the Personal Information and Data Protection Tribunal Act. Furthermore, the OPC will be able to impose administrative penalties of up to 3% of an organization’s global revenue or C$10 million (whichever is greater) for most non-compliance with the CPPA, and penalties of up to 5% of an organization’s global revenue or C$25 million (whichever is greater) for the most serious contraventions of the CPPA, which will align closely with the GDPR. Through its new enforcement powers, the OPC will also have the power to formally collaborate with other Canadian enforcement bodies on privacy matters, including the Canadian Radio-television and Telecommunications Commission, which primarily administers Canada’s anti-spam legislation, and the Canadian Competition Bureau, which in 2020 reached one of its largest misleading advertising penalty settlements to date in the area of misleading privacy practices.

Expanded and Updated Legal Requirements

In addition to increasing the OPC’s powers, the CPPA aims to substantially update and expand virtually all aspects of existing Canadian privacy laws and provide Canadian consumers with greater control over their personal information. Among the most notable changes are:

  1. Refreshed and Enhanced Consents: Subject to certain defined exceptions, consent will remain the primary building block for the collection, use and disclosure of personal information under the CPPA, but, by default, consent will need to be express (unless implied consent is appropriate in the circumstances), and such consent must be obtained using simple and plain language only.
  2. New Consumer Rights: Consistent with certain other leading jurisdictions, the CPPA will include new consumer rights that will allow individuals to transfer their personal information to another organization; be provided with explanations in respect of any predictions, recommendations or decisions made by any automated decision system; and have their personal information destroyed.
  3. New Private Right of Action: The CPPA will provide individuals a private right of action against any organization that has contravened its obligations under the CPPA, for proven damages for loss or injury.
  4. New De-Identification Rules: Organizations will be required to adhere to new rules related to the de-identification of personal information, including (i) implementing technical and administrative measures when de-identifying personal information; and (ii) not using de-identified information alone or in combination with other information to identify an individual.
  5. Mandatory Privacy Management Program: Organizations will be required to implement policies, practices and procedures for the protection of personal information, requests for information and complaints, staff training, and materials that explain an organization’s approach to fulfilling its obligations under the CPPA. Organizations will also have the ability to submit codes of practice and certification programs for approval with the OPC.

Parallel Provincial Privacy Law Reforms

Bill C-11 forms part of a broader landscape of private sector privacy law reform across Canada.

  • In February of 2020, the province of British Columbia appointed a Special Committee to conduct a review of its Personal Information Protection Act, the response to which has highlighted the failure of the legislation to keep pace with national and international privacy trends.
  • In June 2020, the government of Quebec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which proposes to modernize and amend various public and private sector Quebec privacy laws to align more closely with both PIPEDA and the GDPR.

In August 2020, the government of Ontario, Canada’s most populous province, launched a consultation to consider improvements to its privacy framework, including the creation of provincial privacy legislation for the private sector. The Office of the Information and Privacy Commissioner of Ontario (“IPC”) published its feedback to the consultation in the form of an open letter, stating that “the time has come for Ontario to fill important gaps in its existing legislative frameworks and integrate privacy protection across its public, private, and health sectors”.

Author

Arlan Gates is a member of Baker McKenzie's Global Antitrust & Competition Practice Group and leads the Antitrust & Competition practice in Canada, which has been ranked by The Legal 500. His primary focus is antitrust and competition law, with an emphasis on merger control and on compliance and counseling in the areas of competitor collaboration, trade practices and misleading advertising. Mr. Gates is also a member of the Firm’s International Commercial, Information Technology & Communications and Pharmaceutical & Healthcare practice groups and has significant experience in consumer protection, digital marketing, social media, and technology, communications and pharmaceutical, health and consumer product regulatory matters.

Author

Theo Ling heads Baker McKenzie's Canadian Information Technology/Communications practice and is a member of the Firm's Global IP/Technology Practice Group, and Technology, Media & Telecoms and Financial Institutions Industry Groups. Theo is ranked by several legal directories, including Chambers Canada, where he is described as "a knowledgeable technology lawyer, with a practical, 'can-do' attitude who is excellent at getting things done." Named by the Financial Times as one of the Top Ten Most Innovative Lawyers in North America, Theo founded the legal industry's first global legal innovation lab focused on multidisciplinary collaboration and serves on the Firm's Global Innovation Committee.

Author

Karina Kudinova is an associate in Baker McKenzie's IP/Tech Group in the Toronto Office. Prior to joining the Firm, Karina was in-house counsel for a registered Canadian credit reporting agency.