On November 17, 2020, the Canadian Minister of Innovation, Science, and Industry introduced a new federal privacy bill that would reshape Canada’s privacy framework with a main goal of strengthening interoperability with both the European Union and the United States. Bill C-11 proposes the Digital Charter Implementation Act, 2020, which includes the Consumer Privacy Protection Act. This legislation would significantly increase protection of Canadian personal information by enhancing Canadian control over data and demanding more transparency from companies as to their handling of personal information. The Digital Charter Implementation Act includes:
- Increased control and transparency of Canadian personally identifiable information being handled by companies,
- Ability for Canadians to move information from one organization to another in a secure manner,
- Right for Canadians to destroy their information,
- Ability of the Privacy Commissioner to force an organization to comply and order businesses and corporations to stop collecting data or using personal information, and
- Strongest fine among G7 privacy laws.
Penalties and Provisions
There are significant fines for noncompliant businesses – up to 5% of revenue or a sum of Can$25 million, whichever is higher. The bill would also modernize the Consumer Privacy Protection Act (CPPA) to protect an individual’s personal information while regulating organizations' collection, use, and disclosure of personal information. The CPPA would also further consent requirements for handling personal information; create transparency requirements with respect to algorithms and artificial intelligence (AI), mobility of personal data, and retention and disposal of personal information; and codify legitimate interests where consent is not required. The CPPA updates the Personal Information Protection and Electronic Documents Act, which governed how private sector organizations collect, use, and disclose personal information in commercial business.
Part of Bill C-11 also introduces the Personal Information and Privacy Protection Tribunal Act (PIPPTA). The PIPPTA was established to create an accelerated and more direct path to enforcement of orders from the Office of the Privacy Commissioner to meet its expanded role and provide strong enforcement. The PIPPTA also includes a private right of action, allowing individuals to sue where the commissioner issues a finding of a privacy violation and that finding is upheld by the Tribunal. However, all cases must be brought within two years of the violation.
Impact
Canada’s proposed federal privacy bill follows the lead of the European Union’s General Data Protection Regulation and the United States' California Consumer Privacy Act. Canada's privacy bill was created to impose obligations on any business that collects Canadian personal data. Businesses and companies that fail to comply will be subject to the penalties outlined above. If Bill C-11 is passed, US businesses that collect and/or process the personal data of Canadians will have to enact procedures that comply with the Consumer Privacy Protection Act and other requirements in the bill. As with any new piece of data legislation, it is crucial that potentially impacted companies perform a thorough review of their forward-facing privacy practices and update their internal procedures to address any new compliance requirements.
At Octillo, we have a team of Global Data Privacy Attorneys that continues to monitor the constantly evolving data privacy and cybersecurity legislation landscape. The Octillo team is made up of technologists and Certified Information Privacy Professionals (CIPP/US & CIPP/E) who can help develop and review new and existing privacy policies compliant with Bill C-11 and other international legislation to help protect your business.
*Attorney Advertising. Prior results do not guarantee similar outcomes.