The dawn of Canadian Privacy Law 2.0: The Consumer Privacy Protection Act introduced

November 19, 2020 | David Krebs, Kelly Harris

The long-awaited overhaul of federal private sector privacy law, as outlined in our previous blog post, is finally here. The Digital Charter Implementation Act was introduced for First Reading on November 17, 2020, as Bill C-11. If enacted, the new Consumer Privacy Protection Act will replace the privacy portions of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”), and consequential amendments will be made to several other statutes. Bill C-11 follows on the introduction of Quebec’s Bill C-64 as well as consultation processes in Ontario and British Columbia with respect to changes to provincial privacy regimes.

Read the full text of the version introduced at First Reading. As with any Bill, it will be subject to amendment throughout the upcoming stages of the legislative process, but it is quite clear that whatever details are to follow, Canadian privacy law will have more teeth in the form of penalties and enforcement, as well as enhancements to address the challenges and promises of present-day technology. We anticipate additional scrutiny both from privacy and civil rights proponents as well as from industry, given the increasing importance of privacy regulation and the proposed scope of changes.

Watch this space for updates, as we will be publishing a series of articles discussing key provisions and novel concepts such as:

  • New private right of action;
  • New regulatory enforcement powers, including establishment of an adjudication Tribunal;
  • New maximum administrative monetary penalty, up to a maximum of $10 million CAD or 3% of the organization’s gross global revenue (whichever is higher);
  • New offences, up to a maximum fine of $25 million CAD or 5% of global revenue (whichever is higher);
  • Consent will not be required to collect, use and/or disclose personal information in a wide variety of specified contexts;
  • De-identification introduced as a meaningful option for using personal information without consent;
  • Transparency will be required for automated decision-making;
  • Enhanced record-keeping requirements, particularly regarding proposed use;
  • Data mobility framework will be detailed in upcoming regulations;
  • Privacy Commissioner given power to approve codes of practice and certification systems.

The introduction of the Consumer Privacy Protection Act will spark debate, and we will devote some attention to exploring relevant issues and these new concepts – what they could mean in practice for organizations doing business in Canada, how they align with Europe’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), and where they may fall short in satisfying all relevant stakeholders.

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.

Miller Thomson LLP uses your contact information to send you information electronically on legal topics, seminars, and firm events that may be of interest to you. If you have any questions about our information practices or obligations under Canada’s anti-spam laws, please contact us at [email protected].

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested by contacting [email protected].