On November 17, the Honourable Navdeep Bains, Minister of Innovation, Science and Industry, introduced Bill C-11, the Digital Charter Implementation Act, 2020. If passed, this highly anticipated bill would overhaul the federal government's approach to regulating privacy in the private sector by repealing the parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that regulate the processing of personal information and enacting a new Consumer Privacy Protection Act (CPPA or Act). The bill would also enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and impose penalties for contravention of certain of its provisions.
As expected, the CPPA redrafts PIPEDA's much-criticized Schedule of privacy principles into substantive provisions in the body of the Act. Many of PIPEDA's obligations have been carried over into the CPPA. However, the CPPA also creates several new and enhanced obligations for private-sector organizations, including:
- An obligation to implement a privacy management program that includes policies, practices and procedures designed to ensure compliance with the CPPA, and to provide the Commissioner with access to those policies, practices and procedures upon request
- Requirements to provide plain-language explanations about the processing of personal information, both in connection with obtaining valid consent and to meet transparency requirements under the CPPA
- Data portability rights to give individuals greater control over the transfer of their personal information from one organization to another
- The obligation to allow individuals to request that the organization dispose of their personal information, subject to limited exceptions
- New transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence, requiring businesses to explain how such systems are utilized
- Rules governing how and when de-identified information derived from personal information may be created, used and shared
- An obligation for organizations to de-identify personal information prior to sharing it with parties in the context of a proposed business transaction, for example, in the due diligence phase
Below we provide a high-level overview of some key aspects of Bill C-11, including proposed changes to the consent and enforcement regimes.
SCOPE
Like PIPEDA, the CPPA would apply to organizations that collect, use or disclose personal information in the course of commercial activities, as well as in respect of personal information about an employee collected, used or disclosed by an organization in connection with the operation of a federal work, undertaking or business. The CPPA provides a new definition of "commercial activity" that would mean "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization's objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome." This new definition removes the specific reference made in PIPEDA to "the selling, bartering or leasing of donor, membership or other fundraising lists."
The CPPA would also maintain the ability for the Governor in Council to exempt organizations from the application of the Act where "substantially similar" provincial privacy legislation applies in respect of collection, use or disclosure of personal information occurring within that province. The CPPA specifies that where such an exemption exists, it only applies to personal information processing that occurs within the relevant province, and the CPPA will continue to apply to personal information that is collected, used or disclosed interprovincially or internationally.
The CPPA also helpfully clarifies that the obligations under the Act apply to organizations with personal information under their control, and that only certain provisions of the DCIA, including specific requirements relating to breach reporting, apply directly to service providers.
REFORMED CONSENT REGIME
The new legislation provides a reformed consent regime. While the Act generally requires "valid consent" for any collection, use or disclosure of personal information, and provides a list of conditions that must be met in order for consent to be considered valid, it expands on the exemptions that allow personal information to be collected, used and disclosed without consent.
For example, the CPPA would exempt organizations from having to obtain "valid consent" to collect and use personal information for specified "business activities" where:
- A reasonable person would expect such a collection or use for that activity, and
- The personal information is not collected or used for the purpose of influencing the individual's behaviour or decisions
Specified "business activities" include:
- An activity that is necessary to provide or deliver a product or service that the individual has requested from the organization
- An activity that is carried out in the exercise of due diligence to prevent or reduce the organization's commercial risk
- An activity that is necessary for the organization's information, system or network security
- An activity that is necessary for the safety of a product or service that the organization provides or delivers
- An activity in the course of which obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual
- Any other prescribed activity
The CPPA also clarifies that organizations are not required to obtain consent to de-identify personal information or transfer personal information to a service provider.
THIRD-PARTY CODES OF PRACTICE AND CERTIFICATION PROGRAMS
If passed, Bill C-11 would create a framework for third-party codes of practice and certification programs. An entity, which could include any type of organization such as a not-for-profit organization or government institution, may apply to the Privacy Commissioner of Canada for approval of a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protections provided for by the CPPA.
An entity may also apply to the Commissioner for approval of a certification program that includes specified requirements, including a code of practice, a mechanism to certify compliance with the code of practice, a mechanism for the entity to audit compliance with the code of practice, disciplinary measures for non-compliance, including revocation of a certification, and any other requirements that may be provided for by regulation.
The CPPA gives the Commissioner the power to request that an entity operate an approved certification program and to work with entities that operate approved certification programs, including in respect of the Commissioner's enforcement activities. While compliance with a code of practice or certification program will not relieve an organization of its obligations under the CPPA, it does offer some benefits. For example, the Commissioner cannot recommend that a penalty be imposed on an organization for a contravention of the CPPA if the Commissioner is of the opinion that, at the time of the contravention, the organization was in compliance with the requirements of an approved certification program.
STRONGER ENFORCEMENT REGIME
The CPPA would give the Privacy Commissioner of Canada additional enforcement powers, beyond what is currently provided under PIPEDA.
For example, the CPPA would give the Commissioner the power to make orders requiring organizations to conform with and stop contravening the CPPA, comply with a compliance agreement, or make public the measures taken to correct privacy practices. Currently, the Commissioner does not have the power to make orders after findings of non-compliance. In addition, if after completing an inquiry the Commissioner finds that an organization has contravened one or more specified provisions of the CPPA, the Commissioner would be able to recommend that a newly created Personal Information and Data Protection Tribunal impose a monetary penalty of up to C$10-million or three per cent of the organization's total global revenues for the prior financial year. This Tribunal would be composed of three to six members appointed by the Governor in Council on the recommendation of the Minister of Innovation, Science and Industry.
The CPPA also provides for even greater fines for various offences under the CPPA — up to the higher of C$25-million or five per cent of the organization's gross global revenues for the prior financial year.
Additionally, a private right of action would be available for an individual who suffered damages or injury caused by a contravention of the Act for which the organization has been the subject of an adverse finding by the Commissioner or Tribunal, or where the organization has been convicted of an offence. This means that an organization may be subject to a Tribunal penalty and also face claims under the private right of action.
Bill C-11 is expected to be debated in the House of Commons, and further amendments may be proposed. If passed, the CPPA may come into force quickly, on a date fixed by order of the Governor in Council. However, the bill contemplates that certain provisions, specifically those relating to data mobility and to codes of practice and certification programs, may come into force on a different date.
© 2025 Blake, Cassels & Graydon LLP.