For the first time since the implementation of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in 2000, the federal government has introduced an update to Canada’s privacy framework via Bill C-11, or the Digital Charter Implementation Act, 2020, which underwent its first reading in the House of Commons on November 17, 2020. If enacted into law, the Act will establish new protections for Canadians’ personal information in the private sector, more significant consequences for breaches of privacy, and a new private right of action for individuals across the country who have suffered harm or loss as a result of privacy and data breaches. The full text of Bill C-11 is available here. Here are some of its key highlights:
Consent and safeguarding provisions remain central to the legislative framework
The proposed Act seeks to establish two new federal privacy statutes: The Consumer Privacy Protection Act (the “CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”).
The CPPA will replace Part 1 of PIPEDA as the governing legislation for the collection, use and disclosure of Canadians’ personal information by organizations.[1] With few exceptions,[2] it will apply to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities within a province, interprovincially or internationally.[3] In other words, its application is not limited to Canadian organizations. Taking guidance from the Office of the Privacy Commissioner of Canada, and specifically its Guidelines for obtaining meaningful consent, the CPPA aims to give Canadians more control over—and a clearer understanding of—how companies handle their personal information “in an era in which data is constantly flowing across borders and geographical boundaries.”[4]
Among other things, the CPPA holds that an organization must not collect, use or disclose personal information unless it obtains valid consent, and that consent will only be valid if an organization provides the individual whose consent it seeks with “plain language” information explaining:
- the purposes for the collection, use or disclosure of the personal information;
- the way in which the personal information is being collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the specific type of personal information that is to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.[5]
Organizations will be expected to implement a “privacy management program” consisting of policies, practices and procedures to fulfil their compliance obligations based on the volume and sensitivity of personal information under their control,[6] and must protect personal information against loss, theft, and unauthorized access through physical, organizational and technological security safeguards. In addition to considering the sensitivity of the personal information in establishing such safeguards (as required under PIPEDA), organizations must now also consider the quantity, distribution, format and method of storage of the information.[7]
More robust enforcement provisions
The CPPA will provide the Privacy Commissioner with greater investigative and enforcement powers, and the PIDPTA will establish a new administrative tribunal—the Personal Information and Data Protection Tribunal—with powers to impose fines and penalties for non-compliance.
For starters, the CPPA expands the Privacy Commissioner’s powers beyond investigating complaints and producing corresponding reports. The new Act provides that the Commissioner may conduct certain inquiries if it reasonably believes that an organization is in breach of the legislation, and if it identifies contraventions of the CPPA in the course of an inquiry—including any breaches of the consent and security safeguard provisions explained above—it may issue a compliance order directing an organization to (i) take measures to comply with the legislation, (ii) stop doing the contravening act, (iii) comply with the terms of a compliance agreement, or (iv) make public any measures taken or proposed to be taken to correct the organization’s policies, practices or procedures put in place to comply with the legislation.[8] By contrast, under PIPEDA, only a court can make such an order.
The Commissioner’s enforcement mechanisms will not be limited to making compliance orders—depending on the severity of the identified breach, it may also issue a recommendation to the Tribunal to impose a penalty or fine on a contravening organization, which may be significant. The CPPA provides that the Tribunal may issue fines of up to $10,000,000 or 3% of the organization’s gross global revenue in its previous financial year, whichever is higher. In determining whether to impose such a penalty, the Tribunal must consider factors including:
- the nature and scope of the contravention;
- the organization’s history of compliance with the Act;
- the organization’s ability to pay and the likely effect on the organization’s ability to carry on its business;
- any financial benefit that the organization obtained from the contravention; and
- any other relevant factor.[9]
While there will be a due diligence defence available to contravening organizations,[10] time will tell how and when this defence will be used.
Federal statutory right of action for breach of privacy: A new vehicle for class actions
One of the most significant and notable changes to the law is the introduction of a new private right of action available to individuals against organizations that contravene the CPPA, which applies in the class actions context.
This new federal statutory tort, established by section 106 of the CPPA, holds that an individual who is affected by an act or omission by an organization that constitutes a contravention of the CPPA has a cause of action against the organization for damages for loss or injury that the individual suffered as a result of the contravention. Any such action may be brought in the Federal Court or a superior court of a province, and the standard 2-year limitation period will apply.
However, this new statutory right of action is limited in scope. Unlike its provincial counterparts available to residents of British Columbia, Saskatchewan, Manitoba, Québec, and Newfoundland and Labrador under their respective provincial privacy statutes—which declare that the unlawful violation of an individual’s privacy is actionable without proof of loss or damage—individuals may only bring an action under the CPPA if:
- the Commissioner has made a finding that the organization contravened the CPPA and
  - the finding is not appealed and the time limit for making an appeal has expired; or
  - the Tribunal has dismissed an appeal of the finding; or
- the Tribunal has made a finding that the organization contravened the CPPA.[11]
As this right of action will be contingent on steps taken by the Commissioner and/or the Tribunal, it is more limited in scope and application than other rights of action advanced in class actions arising from privacy breaches—like the statutory privacy torts discussed above and the common law tort of intrusion upon seclusion—which are not contingent on regulatory action. While it may not be applied as widely, in the right context, it may ground national class actions on behalf of all Canadians—regardless of their place of residence—who have suffered loss or harm as a result of a privacy or data breach.
Ultimately, this right of action—and the legislation as a whole—represents a clear legislative statement from the federal government that protecting the privacy of Canadians is of the utmost importance. Those whose personal information is improperly collected, used, and/or disclosed by a Canadian or foreign organization will now have a new route to recourse and compensation.
Keep updated
The status of Bill C-11 is available here and further information from the Government of Canada on the DCIA is available here.
Individuals who have been affected by serious data breaches may have a legal claim for compensation. If you are an individual affected by a data breach and wish to learn more about your legal rights, contact Siskinds LLP’s consumer law group. With offices in Toronto and London, Ontario, and affiliate offices in Quebec City and Montreal, Quebec, Siskinds LLP is a prominent Canadian class action law firm striving to promote consumer rights and with a track record of success in recovering compensation for persons affected by unlawful business and commercial activities.
[1] The CPPA defines “organizations” to include associations, partnerships, persons and trade unions.
[2] See CPPA ss. 6(2)(b), (4).
[3] Ibid at ss. 6(2), (3).
[4] Ibid at s. 5.
[5] Ibid at s. 15(3).
[6] Ibid at s. 9.
[7] Ibid at s. 57.
[8] Ibid at ss. 89(1), 92(2).
[9] Ibid at ss. 93(1), (2), 94(4), (5).
[10] Ibid at s. 94(3).
[11] Ibid at s. 106(1).