On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, proposed a significant overhaul to Canada’s privacy legislation that would reinsert Canada as a leader on the international stage of privacy protection. If enacted, Bill C-11 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, or Digital Charter Implementation Act, 2020), would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).
Part of Bill C-11 known as the Consumer Protection Privacy Act (CPPA), in its proposed form, would impose significant monetary penalties, including administrative monetary penalties up to the higher of $10,000,000 and three per cent of the organization’s gross global revenue in the financial year prior to the one in which the penalty is imposed, and for more egregious conduct, a fine up to the higher of $25,000,000 and five per cent of the organization’s gross global revenue in its previous financial year.
While the Privacy Commissioner of Canada (Commissioner) will not have power to impose the monetary penalties and fines, it will have the power to recommend such penalties and fines to a newly-proposed tribunal. Pursuant to Bill C-11, the proposed Personal Information and Data Protection Tribunal (the “Data Protection Tribunal”) would have powers to impose monetary penalties and fines on an organization after giving the organization and the Commissioner the opportunity to make representations. The Data Protection Tribunal operates, in effect, as oversight to the findings of the Office of the Privacy Commissioner of Canada, with certain independence in its review and investigatory powers.
Bill C-11 also introduces a statutory-based private right of action against organizations for damages for loss or injury suffered by individuals from contravention of the CPPA.
CPPA imposes additional obligations on organizations surrounding privacy policies and practices, and provides new rights to individuals which are consistent with those reflected in the European Union’s GDPR. In addition to carrying over some existing rights from PIPEDA into the CPPA, individuals will have the right to be informed of automated decision making, and the right to portability of personal information.
The CPPA, however, is not all increased risk for organizations. It introduces a number of key terms that provide clarity and support for common and reasonable business operations. The CPPA introduces new exemptions to consent requirements, including for legitimate business activities, and grants organizations clearer rights surrounding de-identified information. The CPPA reflects welcome clarification surrounding outsourcing and service provider relationships. As a relief to many organizations, the CPPA does not impose added restrictions on the transborder flow of personal information, although there are certain considerations for organizations when addressing transborder flow of information.
In an interesting twist, the CPPA introduces a concept of a certification program which, to the extent an organization complies, provides some protection for organizations against penalties in certain circumstances. Furthermore, the CPPA provides that organizations are able to rely on a defence of due diligence to claims against it in certain instances.
It’s important to remember that while the federal government drafted the legislation, commentary from the Office of the Privacy Commissioner of Canada and others is outstanding and is being sought. The current Privacy Commissioner of Canada, Daniel Therrien, has already briefly weighed in on the proposed new legislation with support for many of the provisions, but with concern surrounding some, including the proposed tribunal and the speed with which individuals may be afforded remedies for breach.
Canada is on a trajectory to be front and centre in the global discussion surrounding data protection standards and business risks. Aside from Bill C-11, earlier this year, we summarized Quebec’s proposed legislative overhaul to its private sector privacy laws. Quebec’s Bill-64, which pushed Quebec and, practically speaking, Canada toward a more aggressive privacy regime by introducing significant monetary penalties, fines and a private right of action, coupled with increasing rights for individuals opposite organizations. Additionally, a few months ago, Ontario introduced its desire to have its own “made in Ontario” private sector privacy law. Despite the hope that the introduction of Bill C-11 would quell Ontario’s desire to have its own private sector legislation, Ontario’s Privacy Commissioner has recently indicated her continued intent to recommend an Ontario-specific legislation. Earlier this year, Canada’s Competition Bureau imposed a $9.5 million penalty against Facebook for misleading statements relating to individual’s privacy rights.
Canada appears to be flexing its muscles in a significant manner in relation to privacy protection. However, Canada has a relatively small commercial market in the global environment. Imposing significant obligations on organizations, paired with the steep risk profile for failure to comply, may cause certain organizations to question whether Canada’s market is worth the risk, and may result in organizations being far more cautious when considering doing business in Canada.