Government of Canada proposes amendments to PIPEDA

November 18, 2020 - Ron Kruzeniski, Information and Privacy Commissioner

On Friday, November 13, 2020, I posted a blog on Privacy Guide for Business developed by the federal Privacy Commissioner. That guide will change because the Government of Canada has tabled Bill C-11 Digital Charter Implementation Act, 2020 on Tuesday, November 17, 2020.

The federal government has issued a fact sheet summarizing the proposed changes. Bill C-11 creates a new Consumer Privacy Protection Act (CPPA), and Data Protection Tribunal Act (DPTA) and proposes amendments to Personal Information Protection and Electronic Documents Act (PIPEDA).

The fact sheet states:

Through the proposed Digital Charter Implementation Act, 2020 (DCIA), the Government of Canada intends to establish a new privacy law for the private sector, the Consumer Privacy Protection Act (CPPA). If passed, the DCIA would significantly increase protections to Canadians’ personal information by giving Canadians more control and greater transparency when companies handle their personal information. The DCIA would also provide significant new consequences for non-compliance with the law, including steep fines for violations.

What does the Digital Charter Implementation Act, 2020 mean for me?

    • Meaningful consent: Modernized consent rules would ensure that individuals have the plain-language information they need to make meaningful choices about the use of their personal information.
    • Data mobility: To further improve their control, individuals would have the right to direct the transfer of their personal information from one organization to another…
    • Disposal of personal information and withdrawal of consent: … The legislation would allow individuals to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
    • Algorithmic transparency: The CPPA contains new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about how they use such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.
    • De-identified information: … The legislation will clarify that this information must be protected and that it can be used without an individual’s consent only under certain circumstances.

Will this new legislation limit innovation?

… Changes that support business innovation include:

    • Simplifying consent: … The legislation would remove the burden of having to obtain consent when that consent does not provide any meaningful privacy protection.
    • Data for good: … The legislation would allow businesses to disclose de-identified data to public entities (under certain circumstances) for socially beneficial purposes.
    • Recognition of codes of practice and certification systems: … the legislation would allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors or business models.

Strengthened enforcement and oversight

Comprehensive and accessible enforcement model: Under the CPPA, the Privacy Commissioner would have broad order-making powers, including the ability to force an organization to comply with its requirements under the CPPA and the ability to order a company to stop collecting data or using personal information. In addition, the Privacy Commissioner would also be able to recommend that the Personal Information and Data Protection Tribunal impose a fine. The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. It also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million.

I will continue to update Saskatchewan citizens and businesses as to the progress and implications of the proposed amendments.

Categories: BlogTags: ,

Back to Blog