Proposed Canadian privacy legislation introduces fines and new requirements for private-sector organizations | Business Law Today from ABA

The long-awaited overhaul of Canada's federal private-sector privacy law finally arrived on November 17, 2020, with the first reading of Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2020 (Bill C-11). Bill C-11 would enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). Together, the CPPA and PIDPTA introduce bold new measures into Canadian privacy law and bring it closer to European privacy and data protection standards. This article outlines some of the highlights of the proposed legislation.

New enforcement powers and financial penalties for violating the law

The CPPA expands the enforcement powers of the Privacy Commissioner of Canada (the Commissioner). After investigating and inquiring into a contravention of the CPPA, the Commissioner may issue compliance orders requiring organizations to comply with the CPPA.[1] Contravening a compliance order is an offence subject to the financial penalties set out below.[2]

The Commissioner can also recommend that the newly established Personal Information and Data Protection Tribunal (the Tribunal) impose an administrative monetary penalty on an organization that has contravened the CPPA.[3] The Tribunal conducts hearings on penalties recommended by the Commissioner and on appeals of the Commissioner's findings and orders.[4] For a contravention of the CPPA, the Tribunal can impose a maximum penalty of $10 million and 3 percent of the organization's gross global revenue in the fiscal year preceding the one in which the penalty is imposed.[5]

As mentioned above, the CPPA introduces new offences carrying heavy financial penalties. An organization found guilty of an offence is liable, on indictment, to a fine of up to $25 million and 5 percent of its gross global revenue in the fiscal year preceding the one in which it is sentenced, or, on summary conviction, to a fine of up to $20 million and 4 percent.[6] These offences include:

  • an organization failing to report to the Commissioner a breach of security safeguards involving personal information under its control, where it is reasonable to believe the breach creates a real risk of significant harm to an individual;[7]
  • a service provider failing to notify the organization that controls the personal information of a breach of security safeguards;[8]
  • an organization attempting to re-identify individuals using de-identified information;[9] and
  • an organization failing to retain personal information after an individual has requested access to it and before the individual has exhausted their recourse under the CPPA.[10]

Private right of action

The CPPA creates a new private cause of action: an individual affected by an act or omission of an organization that constitutes a contravention of the CPPA may sue the organization for damages for loss or injury suffered as a result of the contravention. Before such an action can be brought, the Commissioner or the Tribunal must have found that the organization contravened the CPPA, and either the finding has not been appealed to the Tribunal or the Tribunal has dismissed the appeal.[11]

Codification of the ten privacy principles and new requirements

The CPPA codifies the ten privacy principles of the Personal Information Protection and Electronic Documents Act (PIPEDA)[12] and introduces new requirements for organizations, including:

  • requiring every organization to establish, implement and maintain a privacy management program that is tailored to, among other things, the volume and sensitivity of the personal information it collects, uses and retains;[13] and
  • limiting an organization's use of de-identified information to prescribed circumstances.[14]

The CPPA also expressly sets out how organizations obtain valid consent. In most cases, an organization will need to obtain an individual's express consent and clearly disclose:

  • the purposes the organization has determined for the collection, use or disclosure of the personal information;
  • the manner in which the personal information is to be collected, used or disclosed;
  • any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
  • the specific types of personal information to be collected, used or disclosed; and
  • the names or types of third parties to which the organization may disclose the personal information.[15]

In addition, organizations that use personal information to feed automated decision systems that make predictions, recommendations or decisions about individuals (for example, certain AI systems) must:

  • provide a general account of the organization's use of any automated decision system to make predictions, recommendations or decisions about individuals that could have a significant impact on them;[16] and
  • retain the personal information used to make such decisions for a sufficient period to allow the individual to request access to it[17] (see New Rights for Individuals below).

Service providers

Under the CPPA, an organization remains in control of personal information even when it transfers that information to a service provider that collects, uses or discloses it on the organization's behalf.[18] Accordingly, the organization must ensure, by contract or otherwise, that the service provider affords substantially the same protection for the personal information as the organization is required to provide under the CPPA.[19] Service providers, in turn, must protect personal information with appropriate security safeguards and must notify the organization that controls the personal information of any breach of those safeguards, as required by the CPPA.[20]

Codes of Conduct and Certification Programs

The CPPA also allows the Commissioner to approve codes of practice and certification programs developed by entities other than the government. A code or certification program must provide protection for personal information that is equivalent to, or greater than, the protection the CPPA requires. Organizations that adhere to an approved code of practice or certification program nonetheless remain bound by their obligations under the CPPA.[21]

New rights for individuals

In addition to codifying the access rights found in PIPEDA's ten privacy principles,[22] the CPPA establishes three new rights for individuals with respect to their personal information:

  • Data mobility: an individual may require an organization to transfer their personal information directly to another organization (provided both organizations are subject to a data mobility framework).[23]
  • Transparency and explanation: an individual may request that an organization that has used an automated decision system to make a prediction, recommendation or decision about them explain that prediction, recommendation or decision and the type of personal information used to make it.[24]
  • Disposal: an individual may request that an organization dispose of their personal information.[25]

Next Steps

Bill C-11 has only had its first reading; second reading is expected shortly, followed by debate and committee study. The changes to Canada's federal private-sector privacy framework proposed in Bill C-11 are significant and are likely to require many organizations to tighten their existing privacy and security practices.

[1] CPPA, s. 92.

[2] CPPA, s. 125.

[3] CPPA, s. 93.

[4] PIDPTA, s. 5.

[5] CPPA, s. 94.

[6] CPPA, s. 125.

[7] CPPA, ss. 58(1) and 125.

[8] CPPA, ss. 61 and 125.

[9] CPPA, ss. 75 and 125.

[10] CPPA, ss. 69 and 125.

[11] CPPA, s. 106.

[12] Accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

[13] CPPA, s. 9.

[14] CPPA, ss. 20, 21, 39(1), 74 and 75.

[15] CPPA, s. 15(3).

[16] CPPA, s. 62(2)(c).

[17] CPPA, s. 54.

[18] CPPA, s. 7(2).

[19] CPPA, s. 11(1).

[20] CPPA, ss. 57(1) and 61.

[21] CPPA, ss. 76-81.

[22] The right of an individual to withdraw consent to the collection, use and disclosure of their personal information, and the rights to access and correct their personal information.

[23] CPPA, s. 72.

[24] CPPA, s. 63(3).

[25] CPPA, s. 55(1).
