New data privacy Bill on stocks in Canada
Chris Hamblin, Editor, London, 26 April 2021
There is to be a new legislative regime to govern the collection, use, and disclosure of personal information for commercial activity in Canada.
Bill C-11, also to be known as the Digital Charter Implementation Act 2020, is designed to repeal parts of the Personal Information Protection and Electronic Documents Act and replace them with a new legislative regime governing the collection, use and disclosure of personal information for commercial activity in Canada.
At the core of this regime, the Consumer Privacy Protection Act is to be enacted to extend existing rules and to impose new rules on the private sector that protect personal information, adding to the job of the Privacy Commissioner in overseeing organizations’ compliance with these measures. The Personal Information and Data Protection Tribunal Act is to be enacted to create a tribunal to hear appeals against orders issued by the Privacy Commissioner and apply a new administrative monetary penalty regime that the Consumer Privacy Protection Act is to create. Provisions of the Personal Information Protection and Electronic Documents Act governing electronic alternatives to paper records are to be retained under the new title of the Electronic Documents Act.
A form of data portability (a term used by the European Union's General Data Protection Regulation) is to be introduced. In other words, the data subject might ask a bank to transfer whatever personal information it holds about him to another bank as he changes his account/relationship manager.
The privacy Bill, then, aims to create the (so-far non-existent) Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIPDT) while repealing some of the Personal Information Protection and Electronic Documents Act (PIPEDA). It does not aim to give data subjects the explicit right to have their data deleted but instead proposes to allow them to withdraw their consent to use at any time. The underlying assumption is that if the bank does not find it necessary to keep information, it ought to delete the information. Furthermore, it ought to force its outsourcers to delete such information as well.
Penalties are to be in line with the GDPR as well. Canada's privacy commissioner is to be allowed to recommend fines to the value of C$10 million or 3% of a firm's gross global revenue, whichever is the higher. By contrast, the GDPR allows for fines of up to €20 million or, in the case of a business such as a bank, of up to 4% of its entire global turnover from the last fiscal year, whichever is the higher. This is only for the more severe infringements, however; for lesser ones the figures are €10 million and 2% of the firm’s worldwide annual revenue.