Bill C-11 aims to give more meaningful information about the collection, use and disclosure of data, while giving organizations tools to be more competitive in the digital economy.
The federal government has introduced an ambitious new bill that aims to protect Canadians’ privacy while promoting data-driven innovation. It also marks the first meaningful attempt in Canada to regulate the use of data in artificial intelligence.
“[The government is] trying to facilitate a clear path to using data responsibly for Canadian competitiveness,” says Carole Piovesan, a partner and co-founder at INQ Data Law in Toronto.
It’s the first significant effort to update Canada’s privacy law in over 20 years. By introducing Bill C-11, Ottawa is signaling its intention to align its data privacy regime with the values promoted under the EU’s General Data Protection Regulation – or GDPR – in force since 2018. It also aims to implement the principles outlined in the Digital Charter unveiled last year. “The big difference is that the CPPA still maintains a principle-based approach, and it’s not as prescriptive as the GDPR,” says Piovesan. “So it is giving some flexibility in the interpretation of the legislation in a number of areas.”
If passed, Bill C-11 will give birth to a new Consumer Privacy Protection Act, hived off from the current federal private sector privacy law, PIPEDA.
Another major development is that Bill C-11, on paper, gives the Privacy Commissioner of Canada teeth by granting it order-making powers to enforce compliance. But the OPC will have to share power with a new Personal Information and Data Protection Tribunal that can impose penalties for violations under the new law. “So you have in place an additional layer of accountability,” says Piovesan. Hopefully, separating order-making authority from the power to impose fines will serve as a meaningful check and balance on OPC findings.
For the more serious offenses, the tribunal can issue fines of up to 5% of an organization’s global revenue or $25 million, whichever is greater. For lesser infringements, penalties can represent 3% of global revenue or $10 million. Under the GDPR, fines for breaches can reach up to 4% of a firm’s worldwide annual revenue in a worst-case scenario.
Those in contravention of the law face another risk. The bill sets out a private right of action for individuals—though triggered only in cases where there is a finding of a privacy violation by the OPC that is either not appealed or upheld by the tribunal. Similarly, the GDPR grants private citizens of the EU an active role in its enforcement.
What’s more, the new bill includes whistleblower protections that prohibit firing or disciplining employees for reporting, in good faith, violations under the law.
A bill for the digital age
Among Bill C-11’s other features is…