Proposed Canada Privacy Bill with Significant Fines and Enforcement Authority

Arent Fox

Arent Fox

The DCIA was introduced on November 17, 2020, to replace Canada’s current national privacy law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA came into force in April 2000, and as it has been two decades since the law came into effect, the Canadian government has been signaling that it is working on an update for quite some time. The significant updates under the DCIA provide enhanced enforcement authority and fines, algorithmic transparency, additional rights for data subjects, and the ability for organizations to request approval of codes of practice and certification systems. The bill is still under consideration and may undergo some changes before becoming final.

Enforcement Authority and Fines

One of the eye-catching aspects of DCIA is the enhanced authority for the Privacy Commissioner, including maximum fines that can now surpass those under the General Data Protection Regulation. Of note, administrative penalties incur fines up to 3% of global gross revenues or $10,000,000 CAD, whichever amount is higher. However, egregious violations, such as obstructing the Privacy Commissioner in an investigation or knowingly contravening DCIA requirements, incur fines up to 5% of global gross revenue or $25 million CAD, whichever amount is higher. In addition to these penalty fines, there are statutory penalties of $1,000,000 for each day that there is a contravention of requirements surrounding the collection of personal information without knowledge or consent. Obstructions of the Privacy Commissioner’s investigations or audits are punishable on summary conviction and fines not exceeding $10,000, or an indictable offense and fines not exceeding $100,000.

Additionally, the Privacy Commissioner receives order-making authority, which wasn’t available under PIPEDA. Orders from the Privacy Commissioner would have the same binding effect as a Federal Court order under DCIA.

Private Right of Action

In addition to new enforcement authority and fines, there is also a new private right of action where individuals may sue in Federal Court or a superior court of a province when the Privacy Commissioner finds privacy violations and the finding is not appealed. Individuals may sue for damages for loss or injury from a violation of the DCIA within two years after the Privacy Commissioner’s finding.

Algorithmic Transparency

Businesses must be transparent about how they use algorithms to make significant predictions, recommendations, or decisions about individuals. Individuals also have the right to request that businesses explain how a prediction, recommendation, or decision was made by an automated decision-making system.

New Rights for Data Subjects

Individuals also receive new rights.  The new legislation provides individuals the right to request the disposal of their personal information and the right to withdraw consent. The right to the disposal of personal information is the right to have personal information permanently and irreversibly deleted, including from service providers who have also received the information. Individuals also receive the right to direct the transfer of their personal information from one business to another (i.e., data mobility).  Both of these will require businesses that mange personal information to ensure that vendor agreements ensure the ability to pass through these obligations.

Codes of Practice and Certification Systems

Organizations may request the Privacy Commissioner to approve codes of practice and certification systems for demonstrating compliance. This will help compliance efforts as certification systems will set out rules for how DCIA applies in certain contexts, sectors, and business models.

Next Steps

The DCIA will be reviewed by committees and will likely undergo consultations and hearings from stakeholders, including the Privacy Commissioner, which has indicated that it will consider proposing amendments to the current draft.

An FAQ on the government of Canada’s website can be found here, and the bill text can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arent Fox | Attorney Advertising

Written by:

Arent Fox

Arent Fox on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.