Feds to overhaul Canada’s federal data privacy law

Amid a pandemic that is accelerating digital transformation and increasing instances of cyber attacks and breaches, the federal government has introduced Bill C-11, the Digital Charter Implementation Act, to  overhaul Canada’s federal data privacy law.

This bill aims to repeal the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and introduce new obligations for organizations in the private sector. It will also provide individuals with greater control over their personal information.

The Bill also proposes to create a new privacy statute, the Consumer Privacy Protection Act (CPPA), as well as a new administrative tribunal, the Personal Information and Data Protection Tribunal.

When the legislation is approved, any company that collects and shares the personal information of customers and employees will have to comply or risk serious penalties.

This bill is similar to many that are being introduced in provinces across Canada and in many other countries to update and bring data privacy legislation in line with the European Union’s General Data Protection Regulation (GDPR) – currently the toughest privacy and security law in the world.

British Columbia, Ontario and Quebec recently proposed privacy legislation updates. And, and on November 3, the California Privacy Rights and Enforcement Act (CPRA), which will strengthen privacy rights in that state, was approved. 

Bill C-11 introduces extensive new regulations and requirements that business leaders will need to address. Following are some of the key provisions.

• The powers of the Privacy Commissioner, especially mandatory orders and financial penalties will be expanded.[1]
• There is a new private right of action enabling individuals to bring a claim against an organization for a privacy violation.
• Companies will need more than a privacy policy – they will be required to implement a comprehensive “privacy management program” including policies, practices and procedures, to fulfil their obligations under the Act.[2]
• Company policies will have to be available, transparent and written in plain language. They will also have to disclose more than PIPEDA required, such as whether the organization transfers personal information internationally or interprovincially and whether it uses automated decision-making systems such as artificial intelligence.[3]
• There will be larger penalties for failure to comply with requirements, up to the higher of C$10 million or 3% of an organization’s gross global revenue.[4]
• There will also be larger fines for offences such as contravening breach notification or record keeping requirements –  up to the higher of C$25 million or 5% of a company’s global revenue.
• While PIPEDA requires express consent only for sensitive information, express consent is the default for the new legislation.[5]

There are many more requirements with which  private-sector organizations will have to comply.

Now is the time to review and update your data privacy and security framework to ensure it aligns with this expansive legislation – and protects your competitive advantage.

Connect with an MNP advisor to discuss your data privacy and security needs.

Adriana Gliga-Belavic, CISSP, CIPM, PCIP, is a Partner, member of the Firm’s Cyber Security team and Privacy Leader with MNP in Toronto. Passionate about security and privacy, Adriana helps public and private clients build pragmatic strategies and privacy programs to maintain customer trust and find the right balance between business results, proactive cyber resiliency and enhanced privacy.

Sources

• [1] Privacy modernization with a northern touch: the proposed Digital Charter Implementation Act
• [2] BILL-C11
• [3] Repackaging PIPEDA for a GDPR world
• [4] Privacy modernization with a northern touch: the proposed Digital Charter Implementation Act
• [5] New Privacy Law for Canada: Government Tables the Digital Charter Implementation Act, 2020