CTI Column – BILL C-11: New and Improved Canadian Privacy Law
By Geneviève Millie Lacroix, Lawyer, and Erin Schachter, Lawyer
On November 17, 2020, the Innovation, Science, and Industry Minister Navdeep Bains
introduced Bill C-11, An Act to Enact the Consumer Privacy Protection Act and the
Personal Information and Data Protection Tribunal Act and to make consequential
and related amendments to other Acts (CPPA). If
enacted, the bill will enhance the protection of data that is collected by private
institutions throughout Canada. The legislation is still at the stage of its first
reading and will likely be amended substantially before its enactment.
Nonetheless, discussion of the bill in its current form is relevant to
understanding where the wind of change is blowing in relation to privacy
legislation in Canada. In its current form, the bill includes many changes to Canada’s
existing framework and repeals large sections of the current federal privacy
law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Bill C-11 also implements the ten principles contained in the Canadian
digital charter, which is not a legal document and for this reason
has no legal force. Therefore, the proposed law is an important step towards
giving Canadians greater control over their personal data.
The New Privacy Law
The CPPA repeals
Part 1 of PIPEDA but does not entirely dismiss its content or principles. The
CPPA embeds the principles, once found in the annexes of PIPEDA, directly into
the legislation. This change is substantial as these dispositions will, if
enacted, have the force of law.
Part 2 of Bill C-11
enacts the Personal Information and Data Protection Tribunal Act, which
establishes an administrative tribunal to hear the appeals of certain decisions
made by the Privacy Commissioner and to issue penalties for non-compliance.
It is worth noting that among
the privacy rules found in PIPEDA, the following are also found in the CPPA:
accountability, appropriate purposes, limiting collection, use and disclosure,
retention and disposal of personal information, accuracy of personal
information, security safeguards and openness and transparency.
The CPPA also
has a new purpose; it is worth taking the time to quote this purpose directly:
“The purpose of this Act is to
establish — in an era in which data is constantly flowing across borders and
geographical boundaries and significant economic activity relies on the
analysis, circulation and exchange of personal information — rules to govern
the protection of personal information in a manner that recognizes the right of
privacy of individuals with respect to their personal information and the need
of organizations to collect, use or disclose personal information for purposes
that a reasonable person would consider appropriate in the circumstances”.
At a time when
the theft of personal data is on the rise and web giants are cultivating vast quantities
of data on Canadian users, the question of data privacy has never been more
relevant. The CPPA acknowledges the trope that when online services are
free, the consumer is often the product and their data is the true prize. If we
assume the purpose as outlined above will continue to be a guiding principle,
we can expect the CPPA will change matters considerably with respect to the use
of this data. We can expect to see change on this front even if the final
version of the bill is greatly modified.
The Enforcement of
PIPEDA is notorious for its ineffective enforcement model. Under the
CPPA, the Office of the Privacy Commissioner of Canada (the “Privacy
Commissioner”) will no longer be limited to non-binding penalties. Rather, the bill
is designed to increase the power of the Privacy Commissioner. This will enable
the Privacy Commissioner to issue orders requiring organizations to comply with
the requirements of the CPPA, and to force an organization to stop collecting
data or using personal information.
penalties, businesses that dare to defy the law, if enacted, could face fines
up to $25 million or up to 5% of their annual revenue. In the case of less
serious offences, the penalties are substantial, being the higher of $10,000,000 or 3% of the organization’s gross global
revenue in its financial year preceding the year the penalty is imposed.
As mentioned above, Part 2 of Bill C-11 enacts the Personal Information and Data
Protection Tribunal Act. The new Tribunal, composed of three to six
members, will hear the appeals of the Privacy Commissioner’s decisions during
public hearings. The Tribunal will have the power to impose penalties, but also
to increase or decrease penalties ordered by the Privacy Commissioner; these decisions
will be made public. This will be helpful in allowing scholars and
professionals to understand how factors will be weighed in a ruling and therefore
be helpful in guiding businesses towards acceptable practices.
The CPPA also
provides whistleblower provisions that will protect any person who notifies the
Privacy Commissioner of non-compliance with the law. This provision would
support enforcement of the act by encouraging employees or representatives to
report non-compliant behaviour.
In addition to
the legislative penalties, individuals who are affected by a violation of Bill C-11
will have a private right of action to seek damages for loss or injury. The
limitation period for bringing the action is within two years of the
The CPPA places
greater emphasis on the obligation of private institutions to obtain consent. Organizations must obtain valid consent
from an individual before using or disclosing any personal information regarding
that individual. The consent must be express, unless the organization can
demonstrate that it is appropriate to rely on implied consent in the given
circumstances. Consent cannot be obtained by using false or misleading
information or using deceptive or misleading practices. An individual can, on
reasonable notice, withdraw his consent in whole or in part.
There are many exceptions to the requirement for consent:
- Business activities which include the delivery of a product or service, due diligence, system or network security, safety of a product and others.
- Transferring an individual’s personal information to another service provider
- De-identifying an individual’s personal information
- Research and development if the information is de-identified before it is used
- Prospective and completed business transactions
- Information produced in employment, business or
- Employment relationship — federal work, undertaking or
- Disclosure to lawyer or notary
- Prevention, detection, or suppression of fraud
- Publicly available information
There are also other exceptions that fall into the category of “public interest”:
- Emergency that threatens the life, health or security of any individual.
- Identification of an individual who is injured, ill or
- Communication with the next of kin or authorized
- Statistical or scholarly study or research
- Records of historic or archival importance
- Disclosure after period of time
- Journalistic, artistic or literary purposes
- Socially beneficial purposes
There are additional exceptions for investigations, disclosures to government institutions,
and disclosures required by law. With such a large list of
exceptions, it appears that consent will be the rule and exceptions may be
limited to a prescribed list of activities appearing in the law. These lists
will likely be debated as interest groups identify moments when consent
should be explicit.
transparency was part of PIPEDA, Bill C-11 will also ensure greater transparency
and accountability in how organizations use the personal information they collect. Businesses will have to obtain consent from
their clients in clear, plain, and simple terms, setting aside the long, bulky,
and incomprehensible 20-page legal documents. Also, the CPPA gives an
individual the right to access their personal information that is held by any
This takes into consideration a growing concern expressed by many about the
processing of decisions by automation or artificial intelligence. Recognizing
that automation and artificial intelligence are limited by the quality of the
information held, this provision would address the concern that faulty data can
lead to highly prejudicial automated decision-making. The CPPA states in Section
If the organization has used an
automated decision system to make a prediction, recommendation or decision
about the individual, the organization must, on request by the individual,
provide them with an explanation of the prediction, recommendation or decision
and of how the personal information that was used to make the prediction,
recommendation or decision was obtained.
Bill C-11 will allow clients and users to understand how their personal data is
collected and grant them rights with respect to transferring their data from
one organization to another. The new right to mobility of personal information
takes into consideration the reality of modern times and the necessity of
transferring data between organizations. When two organizations are subject to
the data mobility framework provided by the law, an individual will be able to direct
an organization to disclose personal information that it has on this individual
to another designated organization.
Bill C-11 also
includes a new privacy right, which is the de-identification of personal
information. Basically, de-identification means to:
modify personal information — or
create information from personal information — by using technical processes to
ensure that the information does not identify an individual or could not be
used in reasonably foreseeable circumstances, alone or in combination with
other information, to identify an individual.
reasonably and for the right purposes, de-identified information can be very
useful for statistical purposes. However, there is always a concern that
de-identified information can be reverse engineered and personal information
may be restored. To address this concern the CPPA prohibits the use of
de-identified information in order to identify an individual, unless it is used
“to conduct testing of the effectiveness of security safeguards that the
organization has put in place to protect the information”. Severe penalties will be
imposed on those who do not comply with the rule.
Bill C-11 will
also give individuals the right to have their information deleted when they
withdraw their consent. The right to retention and disposal of personal
information grants any individual the right to write a request to an
organization to dispose of the information on the individual that is held by
the organization. An organization can refuse to dispose of the information if
the disposing would result in the disposal of personal information on another
individual from whom this information cannot be removed. A refusal is also
permitted if other requirements of the CPPA, of a federal or provincial law or
of the reasonable terms of a contract prevent the disposing. If an organization
refuses a request from an individual, it must notify the individual in writing
of the reasons for denying this request and inform the individual of its
One can imagine that the concept of information that “cannot be disposed” will
require further development.
How will CPPA affect Quebec’s organizations?
stipulates that the Governor in Council may, by order, exempt organizations,
activities, or class of a specific province from the application of the CPPA if
the legislation of the given province is substantially similar to the CPPA. With
the two current Quebec laws, the Act respecting
Access to documents held by public bodies and the Protection of Personal Information and the
Act respecting the protection of personal information in the private sector, it
is most likely that Quebec organizations will not be subject to the CPPA. We
can assume that businesses in Quebec that are subject to PIPEDA, such as
corporations falling under the federal jurisdiction, will be subject to the
It is important
to note that Quebec is in the process of adopting a bill that will equally
modify the privacy legislation applicable in Quebec, An
Act to Modernize Legislative provisions as Regards the Protection of Personal
Information (Bill 64). Bill 64 resembles Bill C-11, as it also
seeks to strengthen the protection of personal information.
In its current
form, Bill C-11 will drastically update Canada’s privacy regime. Although it is
in its early stage, the essence of Bill C-11 is simple: protect Canadians’
information with a strict new privacy law.