UPDATE – Are You Privacy Compliant? Penalties and Fines Drastically Increased and Expanded

UPDATE – The federal government has called for an election on September 20, 2021. This means that Bills that had been introduced but not yet received Royal Assent (meaning they were not passed into laws) will die on the order paper.  Bill C-11 is one of those Bills.  This means that, at least for now, the proposed changes to Canada’s privacy laws are not moving forward.

Changes are coming to Canada’s privacy legislation. The federal government introduced new legislation in Bill C-11 that will replace part of the Personal Information Protection and Electronic Documents Act (PIPEDA).  

The new Act will be called the Consumer Privacy Protection Act, and while it is similar to PIPEDA in many ways, there are some significant changes.   Those changes include significantly greater penalties for non-compliance with the Act, as well as some new requirements.

These amendments are important to every organization that collects, uses or discloses personal information in the course of commercial activities, and will apply across the country (subject to exemptions for provinces that have substantially similar legislation).

New Rights and Requirements

The Consumer Privacy Protection Act includes the following new requirements:

  • Individuals will have the right to transfer their data from one organization to another. The Act also contemplates the creation of a data mobility framework. This framework will be provided under the regulations, so the details of the framework are not yet available.
  • Individuals have the right to have their personal information permanently and irreversibly deleted.
  • An organization can de-identify personal information and the Act allows an organization to use de-identified information without consent in some circumstances.

Private Right of Action

An individual will be permitted to bring a lawsuit for damages for loss or injury against an organization for breaches of the Act if:

  • the Commissioner or Tribunal have made a finding that the organization contravened the Act; or
  • the organization has been convicted of an offence under the Act.

Increased Penalties and Fines

The new Act proposes much stronger penalties and fines against an organization.  Currently the maximum fine for an offence under PIPEDA is $100,000 and there is no penalty amount for contraventions other than offences.  Under the new Act there are penalties for contraventions of the Act and separate fines for offences, with significantly higher maximums:

  • The maximum penalty for all contraventions taken together is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.
  • The maximum fine on conviction of an offence is the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced.