Proposed Changes To Canada’s Privacy Laws: What Organizations Need To Know – Privacy Protection




On June 16, 2022, Canada’s federal government introduced the
Digital Charter Implementation Act (Bill C-27). This Bill,
if passed into law, would update Canada’s federal private
sector privacy law, establish a Personal Information and Data
Protection Tribunal, and introduce new rules governing the use of
artificial intelligence. Bill C-27 reintroduces Bill C-11, which
was first introduced in 2020 but died on the order paper due to the
2021 federal election. Bill C-27 in its current form establishes
three new statutes:

  • Consumer Privacy Protection Act (CPPA);

  • Personal Information and Data Protection Tribunal Act
    (DPTA); and

  • Artificial Intelligence and Data Act (AIDA).

This article focuses on some key takeaways of Bill C-27 with
respect to data privacy and its impact on organizations collecting
personal information. The Bill as currently drafted, like the
current Canadian federal private sector privacy legislation,
applies to certain organizations located in Canada, and may also
apply to organizations outside of Canada depending on the
facts.

If Bill C-27 becomes law in its current form, it would replace
the federal private sector privacy legislation that came into force
21 years ago (the Personal Information Protection and Electronic
Documents Act, also known as PIPEDA) and result in significant
changes to Canada’s data privacy laws, as described below.

  • Penalties: CPPA establishes significant fines for
    non-compliant organizations. Organizations could face fines up to
    5% of global revenue or $25 million, whichever is greater, for
    offences such as failing to report privacy breaches to the Privacy
    Commissioner or destroying records which are subject to an access
    appeal. The upper limit of these fines exceeds those of GDPR and
    Quebec’s Bill 64 (although the latter provides for doubled
    fines for repeat offenders). Additionally, organizations can face
    penalties up to a maximum of $10 million or 3% of gross global
    revenue. These additional penalties apply to a variety of breaches
    of the CPPA, such as failing to dispose of personal information or
    not protecting it in a secure manner.

  • Enhanced Powers of the Privacy Commissioner: Among the
    significant changes, the Privacy Commissioner would have the power
    to order organizations to change their data practices. The Privacy
    Commissioner would also have the power to recommend penalties to
    the new Personal Information and Data Protection Tribunal and
    approve an organization’s code of practice or certification
    program to meet compliance requirements.

  • New Individual Rights:

    • Deletion: Currently, organizations are required to
      provide individuals with a right to access and correct their
      personal information, upon request, in certain circumstances. Bill
      C-27 would also require organizations to dispose of, or in other
      words delete, an individual’s personal information, upon request,
      when it is no longer needed.

    • Data Mobility: Bill C-27 would require organizations,
      upon request, to disclose personal information they have collected
      from an individual to another organization chosen by the individual,
      if both organizations are subject to a data mobility
      framework.

    • Automated Decision Systems: Bill C-27 would also require
      organizations, upon request, to provide an explanation about a
      prediction, recommendation, or decision made about an individual by
      automated means where it “could have a significant
      impact” on the individual.


  • Policies and Privacy Management Program: Organizations
    would be required to implement and maintain a privacy management
    program that includes policies, practices, and procedures to address,
    for example, the protection of personal information, how requests for
    information and complaints are handled, and staff training.

  • Consent: While many of the consent requirements for the
    collection, use or disclosure of personal information would remain
    the same, Bill C-27 includes several additional exceptions to the
    requirement for consent. These exceptions include defined business
    activities, transfers to service providers, and prospective
    business transactions.

  • New Tribunal: Bill C-27 creates a new Personal
    Information and Data Protection Tribunal, which would have the
    power to review certain decisions made by the Privacy Commissioner
    and impose penalties under the CPPA. Organizations may appeal a
    Privacy Commissioner decision to the Tribunal. The Tribunal’s
    decision would be final and binding, and not subject to appeal or
    review by any court except in limited circumstances.

  • Private Right of Action: Bill C-27 establishes a private
    right of action. Individuals would be permitted to bring an action
    against an organization for breaches of the CPPA. To commence such
    an action, certain conditions would need to be met. For instance,
    the alleged breach of the CPPA must be supported by a finding made
    by the Privacy Commissioner or the Tribunal. If the conditions are
    met, the individual would be entitled to damages for loss or injury
    suffered due to the breach.

  • Anonymization and De-identified Information: Bill C-27
    distinguishes between de-identified and anonymized information.
    “De-identify” in Bill C-27 means to modify personal
    information so that an individual cannot be directly identified
    from it, though a risk of the individual being identified remains.
    On the other hand, “anonymize” in Bill C-27 means to
    irreversibly and permanently modify personal information, in
    accordance with generally accepted best practices, to ensure that
    no individual can be identified from the information, whether
    directly or indirectly. Personal information that has been
    anonymized falls outside the scope of the CPPA.

  • Protection of Minors: Bill C-27 contains new protections
    related to children’s privacy. It deems personal information of
    minors to be sensitive information.

The foregoing are a few of the many privacy law changes set out
in Bill C-27. The list above is by no means exhaustive. The
proposed changes set out in the initial Bill may or may not be
reflected in the final version of Bill C-27.

Next Steps for Organizations

With numerous changes potentially expected in Canada’s data
privacy landscape, organizations should consider how this affects
the way they handle personal information. Given the exposure for
serious liability under the CPPA, organizations should undertake a
methodical review of their existing data management processes and
policies, as well as data protection and privacy best practices to
prepare for potential changes down the road.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
