Federal Privacy Regulation 2.0: Now with Bite and Bark
This week, the Canadian Federal Minister of Innovation, Science and Industry introduced for first reading in Parliament Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (the “Bill”). Unlike the current federal private sector privacy regime, the Bill includes real teeth, so there will be important consequences for non-compliance. Also, the Bill includes new and potentially onerous regulatory requirements.
If passed into law, the Bill would: (a) amend and replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”) with a new Consumer Privacy Protection Act (“CPPA”), and (b) enact the Personal Information and Data Protection Tribunal Act, including the establishment of a new Information and Data Protection Tribunal (the “Tribunal”) that will be empowered to hear appeals of decisions of the Privacy Commissioner of Canada (“Commissioner”) and impose penalties under the CPPA.
The CPPA’s Bite
The CPPA, like PIPEDA, generally permits organizations to use, collect and disclose personal information of an individual, on a limited basis, where the individual provides valid consent. Most of its core provisions mirror PIPEDA, as currently interpreted in guidance issued by the Commissioner and many best practices. However, in a radically different approach to PIPEDA’s ombudsman model, where the Commissioner has no power to make binding orders, the CPPA empowers the Commissioner to order an organization to:
(a) take measures to comply with the CPPA;
(b) stop doing something that contravenes the CPPA;
(c) comply with the terms of a compliance agreement that has been entered into by the organization; or
(d) make public measures taken or proposed to be taken to correct the policies, practices or procedures the organization has put in place to fulfil its obligations under the CPPA.
The cost and disruption to an organization of implementing such orders may be considerable. While an appeal to the Tribunal from such orders is available, the legislated standard of review is such that in many instances the Commissioner will have the last word on compliance measures to be taken by an organization.
Also, if an organization has contravened certain of the key requirements of the CPPA, the Commissioner may recommend that the Tribunal impose a financial penalty on the organization. This penalty is capped at “the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed”. In addition, for the most serious offences, the Bill proposes “the strongest fines among G7 privacy laws – with fines of up to 5% of revenue or $25 million, whichever is greater”1 upon prosecution. The CPPA also creates a private right of action against non-compliant organizations, making CPPA-based class actions possible, but that right is circumscribed.
These “teeth” change the risk management profile of privacy matters falling within the scope of the CPPA and likely how many organizations will deal with Canadian privacy issues.
The New Regulatory Bark
The CPPA contains a requirement that every organization that collects, uses or discloses personal information about individuals in the course of its commercial activities must establish a “privacy management program” that includes the organization’s policies, practices and procedures implemented to fulfil its obligations under the CPPA. The program must have regard to the volume and sensitivity of the personal information under the organization’s control. Alone, this would not be a major development as many organizations that deal with voluminous or sensitive personal information already have such a program.
What is new is that the CPPA grants the Commissioner the power to access and, effectively, regulate an organization’s privacy management program. The scope of the Commissioner’s mandate to proactively investigate privacy management programs, in the absence of a consumer complaint, is not constrained by the CPPA. When combined with the Commissioner’s order-making power, this regime creates a potentially onerous regulatory exercise for many organizations. An organization will need to document how exactly it will comply with the CPPA, knowing that the Commissioner can, at any time, access that documentation and order the organization to fix anything the Commissioner finds is out of compliance. The Tribunal’s power to impose a penalty does not extend to a privacy management program alone not being compliant, but the Commissioner’s investigation into the program may reveal other contraventions that do attract penalties (for example, failure to protect personal information through proportionate physical, organizational and technological safeguards).
Another CPPA regulatory “bark” is the added requirement that personal information may be shared between parties negotiating a transaction for the purposes of due diligence only if that information is de-identified before it is used or disclosed and remains so until the transaction is completed. In certain transactions, this may be an important change from current practices, whereby data is usually simply protected under a non-disclosure agreement that contains the elements required under statute.
The CPPA also provides individuals with at least three completely new privacy rights under Canadian law:
- a right of algorithmic transparency, whereby individuals whose personal information is subject to an automated decision system (such as predictive analytics and machine learning) may require the organization to provide an explanation of the automated decision and how the personal information was obtained;
- a right of disposal, whereby individuals may request an organization dispose of all information it has collected from the individual; and
- a right to data mobility, whereby individuals would have the right to direct the transfer of their personal information from one organization to another.
Next Steps
The Bill still has to go through the legislative process. We expect it to be the subject of consultation, Parliamentary committee analysis and, perhaps, alteration before being passed into law. For this reason, we have focussed in this Update on only a small number of aspects of the proposed CPPA. However, there are a multitude of changes being proposed for Canada’s privacy law regime, some of which may be important for particular industries and businesses. With privacy-related legislative efforts underway in Quebec, Ontario, British Columbia and now federally, this is a subject to watch in the months ahead.
The authors would like to thank Emma Baumann, Articling Student-at-Law, for her assistance in preparing this Update.
1 Innovation, Science and Economic Development Canada, News Release: New proposed law to better protect Canadians’ privacy and increase their control over their data and personal information, November 17, 2020.
Authors
Insights
-
Capital Markets
Canada Initiates Consultations and Proposes New Measures to Strengthen Anti-Modern Slavery Efforts
The Fighting Against Forced Labour and Child Labour in Supply Chains Act (the “Act”) came into force on January 1, 2024, implementing enhanced reporting requirements for certain entities to combat… -
Intellectual Property Litigation
Rise of Trademark Phishing Scams
There has been a reported surge in trademark phishing scams. The Canadian Intellectual Property Office (“CIPO”) issued a statement warning of an email phishing scam targeting members of the public by… -
Litigation and Dispute Resolution
Climate Change Suits Against the Government: Mathur v. Ontario Appeal Decision
The Court of Appeal for Ontario has released its appeal decision in Mathur v. Ontario involving a lawsuit by youth applicants challenging as inadequate Ontario’s legislated targets and plans for… -
Capital Markets
Clarification on Rules Relating to the Removal of Directors by Shareholders
In OneMove Capital Corporation v. Dye & Durham Limited (“OneMove v. D&D”), the Ontario Superior Court of Justice (the “Court”) held that shareholders may not submit a proposal under section… -
Capital Markets
Delaware Court Finds Advance Notice Bylaw Amendments Unenforceable, But Denies Relief Based on Dissident Shareholders’ Deceptive Conduct
The Supreme Court of Delaware’s recent decision in Kellner v. AIM ImmunoTech Inc. provides important guidance on the limits of a board’s authority to amend an “advance notice” bylaw in the context of… -
Litigation and Dispute Resolution
No “Magic Words” Required: Supreme Court of Canada Holds Exclusion Clauses Released Seller From Implied Statutory Conditions
On May 31, 2024, the Supreme Court of Canada released its decision in Earthco Soil Mixtures Inc. v. Pine Valley Enterprises Inc., 2024 SCC 20, which clarifies how contractual exclusion clauses are to…
Featured Work
-
Mergers and Acquisitions
Apotex Inc. acquires Searchlight Pharma Inc.
Goodmans LLP advised Apotex Inc. in connection with its acquisition of Searchlight Pharma Inc… -
Shareholder Activism
Browning West achieves landmark victory in Gildan Activewear proxy campaign
Goodmans LLP acted for Browning West, LP in the successful reconstitution of Gildan Activewear’s entire board, culminating in the reinstatement of CEO Glenn Chamandy… -
Restructuring
LoyaltyOne cross-border restructuring
Goodmans LLP is counsel to KSV Restructuring Inc. in its capacity as court-appointed monitor of LoyaltyOne, Co. in its restructuring proceedings under the Companies’ Creditors Arrangement Act before… -
Mergers and Acquisitions
Neighbourly Announces Successful Closing of Take-Private Transaction with Persistence Capital Partners
Goodmans LLP advised Brookfield Asset Management Ltd., through its Special Investments program, in connection with its structured equity investment of $320 million to partially fund the take-private… -
Mergers and Acquisitions
Forum Energy Technologies acquires Variperm Energy Services
Goodmans LLP advised Forum Energy Technologies, Inc. in the acquisition of Variperm Energy Services… -
Shareholder Activism
Aimia Inc.'s largest shareholder, Mithaq, plans takeover bid
Goodmans LLP represented The Special Committee of the Board of Directors of Aimia Inc., in connection with an unsolicited takeover bid for Aimia by Mithaq Capital, Aimia's largest shareholder…
News & Events
-
Intellectual Property Litigation
Goodmans Lawyers Recognized in the Lexpert Special Edition: Litigation 2024
We are pleased to announce the Lexpert Special Edition: Litigation 2024 continues to feature Goodmans lawyers among Canada's experts in litigation.Congratulations to our 10 featured lawyers:Andrew… -
Banking and Financial Services
Goodmans Once Again Receives Top-Tier Recognition from The Legal 500 Canada
We are pleased to announce Goodmans LLP has once again received top-tier recognition from The Legal 500 Canada in their 2025 Guide released today.Recognition from The Legal 500 is based on independent… -
Banking and Financial Services
Goodmans Recognized in the Inaugural Edition of Best Law Firms - Canada 2025
Goodmans is delighted to share we are featured in the inaugural edition of Best Law Firms - Canada 2025, recognizing us as one of the country’s exceptional law firms across 40 industries and practices…