TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Big fines included in Canada's newly proposed national privacy bill Related reading: 'Schrems II': Impact on Data Flows with Canada



The Canadian government proposed new legislation Tuesday that would reshape the nation's privacy framework. Bill C-11, which was introduced by Minister of Information Science and Economic Development Navdeep Bains, includes steep fines for companies — up to 5% of revenue or C$25 million, whichever is the higher sum. 

In a fact sheet, the proposed Digital Charter Implementation Act, 2020, which includes the Consumer Privacy Protection Act, "would significantly increase protections to Canadians' personal information by giving Canadians more control and greater transparency when companies handle their personal information."

In a news release, Bains said, "As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. ... For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement." 

The new framework would modernize consent rules, require data portability, provide users with a means to "control their online identity" and allow individuals "to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information." The bill also addresses algorithmic transparency and includes deidentification rules. 

In comments to the IAPP, nNovation's Constantine Karbaliotis, CIPP/C, CIPP/C, CIPP/US, CIPM, CIPT, FIP, said, "The (CPPA) updates the existing federal privacy law, the Personal Information Protection and Electronic Documents Act, in significant ways: requiring a privacy management program that must be provided to the Office of the Privacy Commissioner on demand; providing for fines of up to 5% or $25 million; algorithmic transparency rights to Canadians, as well as data mobility, enhanced access and rights of erasure. It also codifies previous guidance from Canada’s commissioners for meaningful consent, while also codifying 'legitimate interests' where consent is not required."

The federal revamp from the Trudeau government comes as international data flows have been challenged in the wake of the "Schrems II" judgment in the EU and as the U.S. considers its own federal privacy legislation.  

"A key point made by Minister Bains was the goal interoperability with both EU and U.S. legislation and adequacy as the desired outcome of the legislation," Karbaliotis pointed out. 

As part of Bill C-11, Bains also introduced the Personal Information and Privacy Protection Tribunal Act Tuesday. Karbaliotis said the PIPPTA "is established as a promised 'quicker' path to enforcement from orders of the OPC, and the minister also committed to resources to the OPC to meet its expanded role and providing strong enforcement." 

On Twitter, law professor Michael Geist highlighted some of the key details in the new proposals under Bill C-11. "The enforcement side of the privacy is subject to a huge overhaul: order making power for the privacy commissioner, reviews of the orders by the new tribunal, and big penalties available for non-compliance. Privacy commissioner order has same effect as Federal Court order," he wrote, adding, "The bill also includes a new private right of action. Individuals can sue where the commissioner issues a finding of a privacy violation and it is upheld by the Tribunal. Case must be brought within two years." 

The nonprofit organization that oversees the .ca internet domain, the Canadian Internet Registration Authority, applauded the bill. President Byron Holland said, "Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users." 

Photo by Toa Heftiba on Unsplash

Canadian Privacy, Fourth Edition

The newly updated edition of “Canadian Privacy: Data Protection Law and Policy for the Practitioner” is crucial for anyone responsible for information risk management, information security, information auditing or legal compliance for clients or organizations based in Canada or subject to Canadian jurisdiction.

Print version | Digital version

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment John Berard • Nov 17, 2020
    Can you say more about this: "The bill also includes a new private right of action. Individuals can sue where the commissioner issues a finding of a privacy violation and it is upheld by the Tribunal. Case must be brought within two years."?  It seems more a limited private right of action, determined by a process than cannot help but become politically considered. Yes?
  • comment Jedidiah Bracy • Nov 17, 2020
    Hi John, thanks for the question. I was careful to keep that as a  quote from Michael Geist. At the time I wrote this, I didn't have access to the full bill, but you can find it here: 
    Geist offered a fuller analysis here: 
    In his fuller analysis, Geist writes: "Fifth, the law features a private right of action that will allow individuals to seek damages for loss or injury suffered due to a privacy violation. The private right of action is triggered once the Privacy Commissioner has made a finding of contravention of the law (in other words, individuals must first file a complaint with the commissioner) and the finding is either not appealed to the Tribunal or the Tribunal upholds the ruling. The action must be brought within two years of the rulings." 
    Hopefully that helps a little?
    Also, we'll be publishing a fuller analysis this week, so stay tuned.
  • comment Jedidiah Bracy • Nov 17, 2020
    In short, John - yes, I think you are correct.
  • comment Barry Sookman • May 16, 2021
    The CPPA high penalties are just part of the problem. There is scant procedural protection before enforcement orders can be made by the privacy commissioner and narrow appeal rights.