Written by Ruth Promislow, Stephen Burns, Michael Whitt QC, Mathew Flynn, Sébastien Gittens and HC Lee
Comprehensive reform to Canada's privacy legislation—which privacy experts have long anticipated—is now imminent. Today, the Minister of Innovation, Science and Industry, the Honourable Navdeep Bains, tabled the Digital Charter Implementation Act, 2020 (DCIA). Among other things, the legislation will bring Canada closer to a GDPR model in terms of potential penalties for non-compliance.
The DCIA will enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, and will make amendments to other related acts. The CPPA will effectively replace the current federal legislative scheme governing the collection, use and disclosure of personal information by private-sector organizations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Compared to PIPEDA, the CPPA moves away from reliance on the CSA Model Code included with PIPEDA and instead details the specific obligations of organizations when collecting, using and disclosing personal information.
The CPPA will also grant increased powers to the Office of the Privacy Commissioner of Canada. These will include the ability to perform audits, issue binding orders and make recommendations to a tribunal that can impose monetary penalties of up to the higher of $10 million or 3 percent of the organization’s yearly gross global revenue.
An organization that knowingly contravenes obligations, such as the obligation to report data breaches, maintain a breach record or comply with an order by the Privacy Commissioner, is guilty of an indictable offence and liable to a fine of up to the higher of $25 million and 5 percent of the organization's gross global revenue.
We anticipate that the DCIA will have a substantial impact on how organizations conduct business and manage their privacy practices, policies and procedures. The Privacy & Data Protection team at Bennett Jones is available to discuss how the changes may affect an organization's privacy obligations.