Digital Charter Implementation Act, 2020: The long-awaited overhaul of private sector privacy legislation in Canada
On November 17, 2020, the Digital Charter Implementation Act, 2020 (“Act”) was introduced as Bill C-11. This is the first major update to the federal private sector privacy regime in Canada since the implementation of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in 2000. Bill C-11 seeks to enact two new pieces of legislation: the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”). It also repeals Part 1 of PIPEDA, which will be renamed the Electronic Documents Act.
Consumer Privacy Protection Act
The CPPA will replace Part 1 of PIPEDA, and govern the protection of personal information that organizations collect, use or disclose in the course of commercial activities. Highlights include:
- Enhanced accountability: Private-sector organizations are required to implement a privacy management program which outlines policies, practices, and procedures to ensure compliance with CPPA, and provide access to the documents created under the program upon request by the Federal Privacy Commissioner.
- Codification of consent requirements: The CPPA codifies and updates the consent requirements for the collection, use and disclosure of personal information. For instance, the CPPA sets out four components of valid consent, namely a requirement to inform an individual in plain language: the purposes for the collection, use and disclosure of the personal information (which have recording requirements); (b) the ways in which the information is to be collected, used or disclosed; (c) any reasonably foreseeable consequences of the collection, use or disclosure; (d) the specific type of information to be collected, used or disclosed; and, (e) the names or types of third parties to which the information may be disclosed.
- Modernized information and access provisions: Upon request, organizations must inform individuals of whether it has personal information about them, how it uses the information, whether it has disclosed the information and to whom, and provide the individual access to the information. Organizations that use automated decision systems to make predictions, recommendations or decisions about an individual are also required, upon request, to explain how the system made the prediction, recommendation or decision about an individual and how the individuals’ personal information was used to do so. There are statutorily imposed deadlines for responding.
- Updated prospective business transaction provisions: Organizations party to a prospective business transaction for which they will use and disclose personal information without knowledge and consent, in addition to the current PIPEDA requirements, will also be required to de-identify the personal information before it is used or disclosed and keep it de-identified until the transaction is completed. The organizations are also statutorily obligated to comply with the agreement currently mandated under PIPEDA.
- Real consequences for non-compliance: The Federal Privacy Commissioner is empowered to conduct inquiries, order organizations to comply with the Act, and for certain contraventions may recommend to the new Personal Information and Data Protection Tribunal that it impose a financial penalty. The Tribunal can order a penalty based on the Commissioner’s decision or its own decision on appeal. The maximum penalty is the higher of $10,000,000 or 3% of the organization’s gross global revenue in its previous financial year.
- A private right of action: The CPPA also creates an independent, private right of action for individuals who suffer damage due to contraventions of CPPA where there have been adverse findings against the organization by the Commissioner or the Tribunal, or there has been a conviction for an offence. As a result, breach of the CPPA may result not only in an administrative penalty, but also a civil action, upping the stakes for organizations who fail to comply.
Personal Information and Data Protection Tribunal Act
The PIDPTA should be read in concert with the CPPA. In short, the PIDPTA:
- Creates the Tribunal: The PIDPTA creates the Personal Information and Data Protection Tribunal to hear appeals of decisions made by the Federal Privacy Commissioner and to impose penalties for certain contraventions of the CPPA.
- Rules and procedures: The Tribunal is empowered, with approval from the Governor in Council, to make rules that are not inconsistent with the Act or the CPPA to govern its practice and procedure. Note that a civil standard of proof is statutorily imposed, but that the Tribunal is “not bound by any legal or technical rules of evidence in conducting a hearing”, and is required to deal with all matters before it “as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit”.
- Method of review: The Tribunal must provide written decisions with reasons, which must be made available to the public. All decisions of the Tribunal are to be final and binding, subject only to judicial review under the Federal Courts Act.
Stewart McKelvey will continue to monitor the progress of Bill C-11, and to keep organizations informed of their new obligations. In the meantime, please contact our Privacy group should you require further information or assistance.
This article is provided for general information only. If you have any questions about the above, please contact a member of our Privacy group.
Click here to subscribe to Stewart McKelvey Thought Leadership articles and updates.
Archive
*Last updated: March 31, 2020 Brian Tabor, QC, Matthew Newell, Colin Piercey and Madeleine Coats On March 27, 2020, Premier Stephen McNeil announced further business supports in response to the ongoing COVID-19 pandemic. This includes…
Read MoreTwila Reid and Sarah Byrne On March 26, 2020, the Newfoundland House of Assembly met with a minimum quorum of members to table and pass Bill 33 – COVID-19 Pandemic Response Act (“Act”). This omnibus…
Read MoreBrent McCumber, P.Eng. On March 24, 2020, the Government of Canada introduced legislation to implement its economic response plan to COVID-19, namely, the COVID-19 Emergency Response Act ( “Emergency Response Act”). This legislation received Royal…
Read MoreColin Piercey and Sam Ward During this unprecedented crisis, almost all businesses have been negatively affected. Some have been forced to shut down entirely while others have been severely curtailed in their ability to earn…
Read MoreDaniela Bassan, QC and Scott Pike The World Health Organization declared the COVID-19 outbreak as a pandemic on March 11, 2020. Bracing for the strain on health-care systems, authorities have enacted drastic measures designed to…
Read MoreIn volume 35 of the Canadian Intellectual Property Review, Halifax partner Daniela Bassan, QC, has published an article regarding notable cases in Canadian copyright law. Daniela’s piece reviews the key themes and trends from 2019,…
Read MoreChristopher Marr, TEP and Lauren Henderson Each year in New Brunswick, millions of dollars sit in limbo: unpaid wages, forgotten security deposits, overpayments to debt collectors, and benefits from estates, pensions and employee benefit plans,…
Read MoreAmid the COVID-19 pandemic, our Firm is focusing on business continuity, including supporting the business continuity of our clients. Practice innovation investments we have made help our business to continue “as usual” even when the…
Read MoreJohn Samms and Amanda Whitehead This article sets out to summarize the Newfoundland and Labrador Government’s announcements in respect of its latest response to the COVID-19 pandemic as of approximately 3:00 p.m. on March 19,…
Read MoreBrent McCumber, P.Eng. On March 18, 2020, the Government of Canada announced a significant economic response plan to mitigate the economic impact of COVID-19 on Canadians and businesses. While this $82 billion plan contains many…
Read More