Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On November 17, 2020, Canada’s federal Minister of Innovation, Science and Industry introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (Bill C-11), for consideration in the House of Commons. The short title of Bill C-11 is the Digital Charter Implementation Act, 2020, and its aim is to reform federal private sector privacy legislation.
Bill C-11 is not yet law. It can become law only after it has been approved by both Houses of Parliament and has received Royal Assent. Bill C-11 is moving through the legislative process and is currently at the Second Reading stage where it will be debated.
If Bill C-11 becomes law in its present form it will make significant changes to Canada’s data privacy law through the creation of the following statutes:
- the Consumer Privacy Protection Act (CPPA) (the Personal Information Protection and Electronic Documents Act (PIPEDA) will be repealed in part); and
- the Personal Information and Data Protection Tribunal Act (PIPDT).
The CPPA would impact any business that collects an individual's data. It reiterates principles pertaining to data privacy that exist in PIPEDA, while creating new data privacy obligations and a mechanism for their enforcement.
Under the CPPA, the federal Privacy Commissioner (Commissioner) would have the power to investigate contraventions of the CPPA and make orders. In addition, penalties much more significant than those set out in PIPEDA could be imposed.
Penalties for some administrative offences under the CPPA could be up to the greater of (a) 3% of an organization’s global revenues, or (b) $10 million. Penalties for the most serious offences could be up to the greater of (a) 5% of an organization’s global revenues, or (b) $25 million.
New Data Privacy Obligations
Under the CPPA, any business that collects an individual’s data would be subject to new data privacy obligations, including but not limited to: (i) new requirements for obtaining an individual’s consent for the collection, use or disclosure of data; (ii) subject to certain exceptions, an employer would be required, upon request, to inform individuals whether it has any personal information about them, how it is being utilized, and whether it has been disclosed; (iii) an individual’s right to request access to their personal data in an organization’s possession; and (iv) upon an individual’s request, the deletion of their personal information that has been collected.
The CPPA would require an organization to explain to an individual why a specific prediction, recommendation, or decision was made by an algorithm based on the individual’s personal data.
Private Right of Action
The CPPA would introduce a private right of action for damages to an individual affected by an organization’s act or omission that contravened the CPPA. An individual would have this cause of action only if it is determined that the organization contravened the CPPA or if the organization is fined for a contravention of specified sections of the CPPA. A two-year limitation period would apply.
The CPPA would introduce a right of mobility to personal information. This would allow an individual to request that personal information about them collected by one organization be transmitted by that organization to another organization of the individual’s choosing, provided that both organizations are subject to a data mobility framework that would be provided for in the regulations.
De-identification of Personal Information
The CPPA would require the use of “technical and administrative measures” (undefined) for the de-identification of personal information proportionate to: (i) the de-identification’s purpose, and (ii) the personal information’s sensitivity. The CPPA also would prohibit the use of de-identified information to identify an individual.
The PIPDT would create an administrative tribunal and establish how it will operate. The tribunal’s purpose would be to hear appeals of the Privacy Commissioner's decisions and apply the administrative monetary penalty regime created under the CPPA.
Bottom Line for Employers
As Bill C-11 is currently making its way through the legislative process, it is too early to know if it will be amended or passed and in what form. In the meantime, organizations should become familiar with the proposed CPPA and PIPDT, consider how the proposed legislation could affect their operations, and continue to monitor its development. We understand that once the law comes into force, there will be a transition period so that organizations can prepare for the changes.