PIPEDA came into force in April 2000, and as it has been two decades since the law came into effect, the Canadian government has been signaling that it is working on an update for quite some time. The significant updates under the DCIA provide enhanced enforcement authority and fines, algorithmic transparency, additional rights for data subjects, and the ability for organizations to request approval of codes of practice and certification systems. The bill is still under consideration and may undergo some changes before becoming final.
Enforcement Authority and Fines
One of the eye-catching aspects of DCIA is the enhanced authority for the Privacy Commissioner, including maximum fines that can now surpass those under the General Data Protection Regulation. Of note, administrative penalties incur fines up to 3% of global gross revenues or $10,000,000 CAD, whichever amount is higher. However, egregious violations, such as obstructing the Privacy Commissioner in an investigation or knowingly contravening DCIA requirements, incur fines up to 5% of global gross revenue or $25 million CAD, whichever amount is higher. In addition to these penalty fines, there are statutory penalties of $1,000,000 for each day that there is a contravention of requirements surrounding the collection of personal information without knowledge or consent. Obstructions of the Privacy Commissioner’s investigations or audits are punishable on summary conviction and fines not exceeding $10,000, or an indictable offense and fines not exceeding $100,000.
Additionally, the Privacy Commissioner receives order-making authority, which wasn’t available under PIPEDA. Orders from the Privacy Commissioner would have the same binding effect as a Federal Court order under DCIA.
Private Right of Action
In addition to new enforcement authority and fines, there is also a new private right of action where individuals may sue in Federal Court or a superior court of a province when the Privacy Commissioner finds privacy violations and the finding is not appealed. Individuals may sue for damages for loss or injury from a violation of the DCIA within two years after the Privacy Commissioner’s finding.
Businesses must be transparent about how they use algorithms to make significant predictions, recommendations, or decisions about individuals. Individuals also have the right to request that businesses explain how a prediction, recommendation, or decision was made by an automated decision-making system.
New Rights for Data Subjects
Individuals also receive new rights. The new legislation provides individuals the right to request the disposal of their personal information and the right to withdraw consent. The right to the disposal of personal information is the right to have personal information permanently and irreversibly deleted, including from service providers who have also received the information. Individuals also receive the right to direct the transfer of their personal information from one business to another (i.e., data mobility). Both of these will require businesses that mange personal information to ensure that vendor agreements ensure the ability to pass through these obligations.
Codes of Practice and Certification Systems
Organizations may request the Privacy Commissioner to approve codes of practice and certification systems for demonstrating compliance. This will help compliance efforts as certification systems will set out rules for how DCIA applies in certain contexts, sectors, and business models.
The DCIA will be reviewed by committees and will likely undergo consultations and hearings from stakeholders, including the Privacy Commissioner, which has indicated that it will consider proposing amendments to the current draft.
An FAQ on the government of Canada’s website can be found here, and the bill text can be found here.