CAUTION: We have been advised that fraudulent emails with a modified domain name have been sent by a source purporting to be from Aird & Berlis LLP. These communications are not legitimate and are not from Aird & Berlis LLP. Disregard any such emails and do not engage with the sender or the email in any way. Please report the attempted fraud by contacting the Canadian Anti-Fraud Centre and by emailing Aird & Berlis LLP at help@airdberlis.com.

Back to all blog posts

Posted in: Privacy | GDPR | Data Security/Privacy

Dec 1, 2020

Canada Re-enters the International Ring with Bold New Privacy Law Including Significant Fines

By Paige Backman, Donald B. Johnston, Aaron Baer and Andy Nguyen

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, proposed a significant overhaul to Canada’s privacy legislation that would reinsert Canada as a leader on the international stage of privacy protection. If enacted, Bill C-11 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, or Digital Charter Implementation Act, 2020), would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).

Part of Bill C-11 known as the Consumer Protection Privacy Act (CPPA), in its proposed form, would impose significant monetary penalties, including administrative monetary penalties up to the higher of $10,000,000 and three per cent of the organization’s gross global revenue in the financial year prior to the one in which the penalty is imposed, and for more egregious conduct, a fine up to the higher of $25,000,000 and five per cent of the organization’s gross global revenue in its previous financial year.

While the Privacy Commissioner of Canada (Commissioner) will not have power to impose the monetary penalties and fines, it will have the power to recommend such penalties and fines to a newly-proposed tribunal. Pursuant to Bill C-11, the proposed Personal Information and Data Protection Tribunal (the “Data Protection Tribunal”) would have powers to impose monetary penalties and fines on an organization after giving the organization and the Commissioner the opportunity to make representations. The Data Protection Tribunal operates, in effect, as oversight to the findings of the Office of the Privacy Commissioner of Canada, with certain independence in its review and investigatory powers.

Bill C-11 also introduces a statutory-based private right of action against organizations for damages for loss or injury suffered by individuals from contravention of the CPPA.

CPPA imposes additional obligations on organizations surrounding privacy policies and practices, and provides new rights to individuals which are consistent with those reflected in the European Union’s GDPR. In addition to carrying over some existing rights from PIPEDA into the CPPA, individuals will have the right to be informed of automated decision making, and the right to portability of personal information.

The CPPA, however, is not all increased risk for organizations. It introduces a number of key terms that provide clarity and support for common and reasonable business operations. The CPPA introduces new exemptions to consent requirements, including for legitimate business activities, and grants organizations clearer rights surrounding de-identified information. The CPPA reflects welcome clarification surrounding outsourcing and service provider relationships. As a relief to many organizations, the CPPA does not impose added restrictions on the transborder flow of personal information, although there are certain considerations for organizations when addressing transborder flow of information.

In an interesting twist, the CPPA introduces a concept of a certification program which, to the extent an organization complies, provides some protection for organizations against penalties in certain circumstances. Furthermore, the CPPA provides that organizations are able to rely on a defence of due diligence to claims against it in certain instances.

It’s important to remember that while the federal government drafted the legislation, commentary from the Office of the Privacy Commissioner of Canada and others is outstanding and is being sought. The current Privacy Commissioner of Canada, Daniel Therrien, has already briefly weighed in on the proposed new legislation with support for many of the provisions, but with concern surrounding some, including the proposed tribunal and the speed with which individuals may be afforded remedies for breach.

Canada is on a trajectory to be front and centre in the global discussion surrounding data protection standards and business risks. Aside from Bill C-11, earlier this year, we summarized Quebec’s proposed legislative overhaul to its private sector privacy laws. Quebec’s Bill-64, which pushed Quebec and, practically speaking, Canada toward a more aggressive privacy regime by introducing significant monetary penalties, fines and a private right of action, coupled with increasing rights for individuals opposite organizations. Additionally, a few months ago, Ontario introduced its desire to have its own “made in Ontario” private sector privacy law. Despite the hope that the introduction of Bill C-11 would quell Ontario’s desire to have its own private sector legislation, Ontario’s Privacy Commissioner has recently indicated her continued intent to recommend an Ontario-specific legislation. Earlier this year, Canada’s Competition Bureau imposed a $9.5 million penalty against Facebook for misleading statements relating to individual’s privacy rights.

Canada appears to be flexing its muscles in a significant manner in relation to privacy protection. However, Canada has a relatively small commercial market in the global environment. Imposing significant obligations on organizations, paired with the steep risk profile for failure to comply, may cause certain organizations to question whether Canada’s market is worth the risk, and may result in organizations being far more cautious when considering doing business in Canada.

If you have any questions about Bill C-11 or the implications it will have for organizations, please contact Paige Backman, Donald Johnston, Aaron Baer, Andy Nguyen or another member of our Privacy & Data Security Group.

*The authors would like to thank Stan Fedun, an articling student at the firm, for his assistance with the article.

Areas of Expertise

Related Categories

Related Blogs

Posted in: TheSpotlight Categories

Insights TheSpotlight
Seismic Shift in Privacy Risks and Obligations By Paige Backman and Corey Fletcher Jul 30, 2020 As the world continues to focus on the ongoing effects of COVID-19 and plan for an eventual recovery, many have noticed a seismic shift in Canada’s privacy laws. In addition to the Competition Bureau of Canada stepping in to impose a $9.5 million penalty based on alleged false and misleading priv...

Posted in: Privacy | Data Security/Privacy

Insights TheSpotlight
Competition Bureau Brings Big Stick to Privacy Claims – $9.5 Million Penalty for Privacy Claim By Paige Backman Jul 07, 2020 The Competition Bureau recently concluded that Facebook Inc. made false or misleading claims to the public about the privacy of Canadians’ personal information on Facebook and Messenger. As a result, Facebook Inc. is required to pay a $9 million penalty, plus an ...

Posted in: Data Security/Privacy | Privacy | Data Protection

Insights TheSpotlight
Federal Privacy Law – Is It About to Change: Part Deux? By Donald B. Johnston Jan 13, 2020 In my last blog, I speculated about whether privacy law is about to change and promised to write more about it. My speculation was sparked by the 2018-2019 Annual Report to Parliament made by the Office of the Privacy Commission. Here’s a bit more about this excellent report.

Posted in: Privacy

Insights TheSpotlight
Federal Privacy Law – Is It About to Change? By Donald B. Johnston Dec 19, 2019 The 2018-2019 Annual Report to Parliament of the Office of the Privacy Commissioner is interesting reading, and it shows that the OPC has been doing some deep thinking about the nature of privacy and has been looking around the world at the philosophies of privacy in other jurisdictions.