On November 17, 2020, Canada introduced new federal privacy legislation, Bill C-11, to codify the framework introduced by the government’s Digital Charter, which proposed enhancements to Canadian privacy laws in response to the rapidly expanding online economy. If adopted, the new legislation, the Consumer Privacy Protection Act (“CPPA”), will effectively replace the Personal Information Protection and Electronic Documents Act as Canada’s main privacy law and create one of the strictest data protection regimes in the world, accompanied by some of the most severe financial penalties. Companies with a connection to Canada will need to build the CPPA into their global compliance strategy.
The CPPA will significantly expand the powers of Canada’s top privacy regulator, the Office of the Privacy Commissioner (“OPC”). The OPC will now have the right to audit any organization’s privacy practices, enter into compliance agreements with non-compliant organizations, refer matters to a newly created Personal Information and Data Protection Tribunal, and impose administrative penalties. These fines can amount to the greater of 3% of an organization’s global revenue or C$10 million for most non-compliance with the CPPA, and up to 5% of an organization’s global revenue or C$25 million for the most serious infractions.
In addition to increasing the OPC’s powers, the CPPA would substantially update virtually all aspects of existing Canadian privacy laws and grant Canadian consumers greater control over their personal information. Subject to certain exceptions, consent will remain the primary building block for the collection, use, and disclosure of personal information under the CPPA. But, by default, consent will now need to be express and obtained using simple, plain language. The CPPA will establish new consumer rights that will allow individuals to transfer their personal information to another organization, be provided with explanations of any predictions, recommendations or decisions made by any automated decision system, and have their personal information destroyed. The CPPA will also provide a private right of action to individuals who can show loss or injury stemming from an organization’s contravention of the CPPA. Organizations will also be required to adhere to new rules for the de-identification of personal information. Lastly, the CPPA will require organizations to implement policies, practices, and procedures for the protection of personal information, including staff training and materials explaining the organization’s approach to fulfilling its obligations.
For a more detailed consideration of the draft legislation, along with parallel developments in provincial privacy legislation, please click here.