On November 17, 2020, a bill was tabled in the House of Commons that may change how Canadian private-sector companies, as well as brands doing business in Canada, collect, use, disclose, and store customers' personal information.
Formally titled ‘An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts’, the legislation is also known by its shorter name, the Digital Charter Implementation Act, 2020, and by its bill number, Bill C-11. If passed into law, the bill would accomplish two goals:
- Replace the personal-information protection provisions of PIPEDA with a dedicated consumer privacy law, the Consumer Privacy Protection Act (CPPA);
- Create a new adjudicative body, the Personal Information and Data Protection Tribunal, to hear appeals from the Privacy Commissioner's decisions and to impose monetary penalties for breaches of the CPPA.
Canadian private-sector privacy legislation has been criticized for lacking the enforcement powers that would compel companies to take customer privacy rights seriously: under PIPEDA the Privacy Commissioner can investigate and make recommendations, but cannot issue binding orders or impose penalties. As a result, Canadian consumers whose privacy rights have been breached have little recourse other than the long litigation process. A prominent example is the Tim Hortons app location-tracking incident from the summer of 2020, which is now the subject of class-action lawsuits. Retailers were already facing significant privacy challenges because of the volume of information-sharing necessitated by the COVID-19 pandemic, and the introduction of Bill C-11 will hopefully provide additional guidance for them.
The CPPA would give the Privacy Commissioner the power to issue binding orders and to recommend substantial monetary penalties, which the new Tribunal would impose on companies that flout privacy law. The penalty structure appears to be modelled on Europe's General Data Protection Regulation (GDPR), and in particular the GDPR's two-tier schedule of maximum fines. The GDPR is generally considered to be the gold standard in global customer data privacy rights law.
At present, Canadian private-sector privacy law sets no schedule of monetary penalties for privacy violations. If passed into law, the CPPA would introduce two tiers of maximum penalties, similar to the GDPR's:
- Administrative monetary penalties for contraventions of the Act's core obligations (for example, collecting or using personal information without valid consent, or retaining it longer than necessary), of up to $10 million or 3% of the organization's gross global revenue in the preceding financial year, whichever is greater;
- Fines on conviction for the most serious offences (such as knowingly failing to report or record a breach, obstructing the Commissioner, or retaliating against whistleblowers), of up to $25 million or 5% of gross global revenue, whichever is greater.
These figures are ceilings rather than fixed amounts: the penalty in a given case would be set on the facts, much as a court determines damages, with the Tribunal directed to weigh factors such as the nature and scope of the contravention and the organization's ability to pay. For comparison, the GDPR's caps are €10 million or 2% of worldwide annual turnover for the lower tier and €20 million or 4% for the upper tier, so if implemented, the Canadian caps would be the most severe of any G7 nation. Penalties under the GDPR are already substantial: France's CNIL imposed a €50,000,000 penalty on Google, and a €35,000,000 fine was levied against H&M in Germany. Facebook has reportedly set aside €300,000,000 in anticipation of a fine that may be levied in Ireland. Expect the CPPA to be enforced in a similar spirit.
The CPPA also creates new rights for consumers that were not previously available. They include:
- Greater transparency: Companies must be up-front and specific about the way they collect, use, and disclose customer personal information. They cannot obfuscate or bury critical information about how this is done in overly lengthy privacy notices that are difficult for the average consumer to read.
- Algorithmic transparency: Companies that use automated decision systems to make predictions, recommendations, or decisions about individuals must describe that use in their privacy policies and, on request, explain how a particular prediction, recommendation, or decision was reached and what personal information it was based on. This is especially relevant to credit checks, customer profiling, and targeted advertising.
- The right to data mobility: Modelled on the GDPR's right to data portability, this allows a customer to direct a company to transfer the personal information it collected from them to another organization of the customer's choosing, including a direct competitor. Under the CPPA, the obligation applies where both organizations are covered by a data mobility framework set out in regulations.
Although the overall purpose is to protect Canadian consumers' right to privacy, the following are some of the other key objectives in Bill C-11 with respect to personal information (PI):
- To penalize companies that do not report privacy breaches;
- To compel companies to create records of breaches;
- To discourage over-collection and unnecessary retention of PI;
- To prevent use of PI in ways that are privacy-invasive;
- To prevent selling or disclosure of PI to other organizations without proper consents or legislative reasons for doing so; and
- To discourage companies from silencing whistleblowers.
Kobalt, a Vancouver-based IT security company, will be presenting a free Zoom webinar on January 21, 2021, on Bill C-11 and its implications for businesses in Canada. The presentation will include an overall introduction to the legislation, from both the consumer's and the business's point of view.