Canadian Government proposes new federal privacy law

18. November 2020

On November 17th, Navdeep Bains, the Canadian Minister of Information Science and Economic Development, introduced Bill C-11, which is intended to modernize and reshape the Canadian privacy framework and to comply with EU and U.S. legislation. Its short title is Digital Charter Implementation Act, 2020 (DCIA). A fact sheet accompanying the DCIA states:

“… If passed, the DCIA would significantly increase protections to Canadians’ personal information by giving Canadians more control and greater transparency when companies handle their personal information. The DCIA would also provide significant new consequences for non-compliance with the law, including steep fines for violations. …”

Part one of the DCIA is the Consumer Privacy Protection Act (CPPA), which is intended to establish a new privacy law for the Canadian private sector. New consent rules are adopted, data portability is introduced as a requirement, and data subjects' access to their personal data is enhanced, as are their rights to erase personal data. Data subjects further have the right to request that businesses explain how a prediction, recommendation, or decision made by an automated decision-making system was reached. Furthermore, they have the right to know how personal data is being used, as well as the right to review and challenge the amount of personal data that is being collected by a company or government. On demand, a privacy management program must be provided to the Canadian Office of the Privacy Commissioner (OPC). For non-compliance, companies face possible fines of up to 5% of the company's global revenue, or C$25 million, whichever is higher. According to Bains, these are the highest fines in all the G7 nations. Businesses can ask the OPC to approve their codes of practice and certification systems, and in socially beneficial cases, disclose de-identified data to public entities.

Bill C-11 further contains the “Personal Information and Privacy Protection Tribunal Act”, which is supposed to make enforcement of privacy rights faster and more efficient. For that purpose, more resources are committed to the OPC. The OPC can now issue “orders”, which have the same effect as Federal Court orders. Further, it may force companies to comply or order them to stop collecting data and stop using personal data. The newly formed Data Protection Tribunal can raise penalties and hear appeals regarding orders issued by the OPC.

A private right of action is also included in the bill. This allows individuals to sue companies within two years after the commissioner issues a finding of a privacy violation that is upheld by the Tribunal.