Posternak Blankstein & Lund LLP is now Arent Fox. Read the press release

Proposed Canada Privacy Bill with Significant Fines and Enforcement Authority

The DCIA was introduced on November 17, 2020, to replace Canada’s current national privacy law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA came into force in April 2000, and as it has been two decades since the law came into effect, the Canadian government has been signaling that it is working on an update for quite some time. The significant updates under the DCIA provide enhanced enforcement authority and fines, algorithmic transparency, additional rights for data subjects, and the ability for organizations to request approval of codes of practice and certification systems. The bill is still under consideration and may undergo some changes before becoming final.

Enforcement Authority and Fines

One of the eye-catching aspects of DCIA is the enhanced authority for the Privacy Commissioner, including maximum fines that can now surpass those under the General Data Protection Regulation. Of note, administrative penalties incur fines up to 3% of global gross revenues or $10,000,000 CAD, whichever amount is higher. However, egregious violations, such as obstructing the Privacy Commissioner in an investigation or knowingly contravening DCIA requirements, incur fines up to 5% of global gross revenue or $25 million CAD, whichever amount is higher. In addition to these penalty fines, there are statutory penalties of $1,000,000 for each day that there is a contravention of requirements surrounding the collection of personal information without knowledge or consent. Obstructions of the Privacy Commissioner’s investigations or audits are punishable on summary conviction and fines not exceeding $10,000, or an indictable offense and fines not exceeding $100,000.

Additionally, the Privacy Commissioner receives order-making authority, which wasn’t available under PIPEDA. Orders from the Privacy Commissioner would have the same binding effect as a Federal Court order under DCIA.

Private Right of Action

In addition to new enforcement authority and fines, there is also a new private right of action where individuals may sue in Federal Court or a superior court of a province when the Privacy Commissioner finds privacy violations and the finding is not appealed. Individuals may sue for damages for loss or injury from a violation of the DCIA within two years after the Privacy Commissioner’s finding.

Algorithmic Transparency

Businesses must be transparent about how they use algorithms to make significant predictions, recommendations, or decisions about individuals. Individuals also have the right to request that businesses explain how a prediction, recommendation, or decision was made by an automated decision-making system.

New Rights for Data Subjects

Individuals also receive new rights.  The new legislation provides individuals the right to request the disposal of their personal information and the right to withdraw consent. The right to the disposal of personal information is the right to have personal information permanently and irreversibly deleted, including from service providers who have also received the information. Individuals also receive the right to direct the transfer of their personal information from one business to another (i.e., data mobility).  Both of these will require businesses that mange personal information to ensure that vendor agreements ensure the ability to pass through these obligations.

Codes of Practice and Certification Systems

Organizations may request the Privacy Commissioner to approve codes of practice and certification systems for demonstrating compliance. This will help compliance efforts as certification systems will set out rules for how DCIA applies in certain contexts, sectors, and business models.

Next Steps

The DCIA will be reviewed by committees and will likely undergo consultations and hearings from stakeholders, including the Privacy Commissioner, which has indicated that it will consider proposing amendments to the current draft.

An FAQ on the government of Canada’s website can be found here, and the bill text can be found here.

Contacts

Continue Reading