Yesterday, the Canadian government proposed new legislation that would significantly reform Canada’s privacy legal framework. The Digital Charter Implementation Act, 2020 (DCIA) was introduced by the Minister of Information Science and Economic Development and includes administrative monetary penalties of up to 3% of global revenue or $10 million CAD for violations. It also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million CAD. If passed, the DCIA would establish a new private sector privacy law in Canada, the Consumer Privacy Protection Act (CPPA), and a new Personal Information and Data Protection Tribunal that would impose the above-mentioned fines.
As outlined in an earlier PRIVATECH blog post, PIPEDA amendments are long overdue. In addition to international pressure to strengthen Canada’s privacy laws, many of the Federal Privacy Commissioner’s decisions highlight the inadequacy of PIPEDA. Take the Equifax decision with its confusing reasoning relating to transborder flows of personal information, or the PIPEDA case released this past summer involving RateMD, where the Commissioner struggles to balance the interests of the parties.
The Government of Canada’s Fact Sheet outlines key changes to Canada’s framework, such as modernizing consent rules and removing the burden of having to obtain consent when this does not provide any privacy gains; introducing a right to data mobility (similar to the data portability right under the EU GDPR); allowing individuals to request disposal of their personal information (with some parallels to the right of erasure, often called the right to be forgotten under the GDPR); requiring transparency for automated decision-making; and clarifying when de-identified information can be used without consent.
The new law would also give organizations the ability to ask the Privacy Commissioner to approve codes of practice and certification systems for certain activities, sectors or business models, and would provide the Privacy Commissioner of Canada with broad order-making powers. The DCIA also includes a new private right of action. Individuals can sue within two years where the commissioner issues a finding of a privacy violation and it is upheld by the Tribunal.
Strengthening enforcement and oversight is likely the most significant improvement that the CPPA will introduce. Currently, without adequate regulator powers or the ability to impose fines, many businesses simply don’t take PIPEDA seriously. Over the past 20 years, Canada’s reputation as a leader in privacy has dwindled – these new developments promise a turning point towards strengthening our privacy legislative position.
For more information about the proposed federal privacy statutory changes, contact PRIVATECH. PRIVATECH will also endeavour to keep you posted as the DCIA proceeds through the House of Commons.