Canada’s new privacy bill – what it means for Canadians

This past Tuesday, November 17, the federal government announced it was tabling Bill C-11, the Consumer Privacy Protection Act (CPPA). This bill represents a significant shift in privacy legislation in Canada. It follows a period of public consultations initiated by Innovation, Science and Economic Development (ISED), including last year’s calls for comments on the modernization of the Personal Information Protection and Electronic Documents Act (PIPEDA), which Cybera participated in.

Overall, we’re pleased to see many of the recommendations that we, along with other stakeholders, proposed to ISED be incorporated into Bill C-11. Like PIPEDA, the Consumer Privacy Protection Act’s overarching policy objective is to;

“recognize the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

We believe this proposed bill strikes an effective balance between individual rights and the reasonable use of data to foster commercial growth and research innovation. In addition, Cybera is also happy to see regulators, such as the Privacy Commissioner, being given greater punitive powers to go after bad actors in the commercial sphere. 

At a high level, the Consumer Privacy Protection Act proposes the following changes to privacy policy in Canada:

  1. Creation of a Personal Information and Data Protection Tribunal, which will hear appeals of order from the Office of the Privacy Commissioner. 
  2. Give the Office of the Privacy Commissioner binding powers to mandate compliance with the law, and recommend penalties.
  3. New Codes of Practice – Organisations can apply for approval of the codes of practice, in which they must outline their plan for complying with the law and establishing legal obligations. 
  4. Increased penalties – The Office of the Privacy Commissioner will now have the ability to recommend penalties of $25,000,000 or 5% of gross revenue (previously, violations were handled through the courts). 
  5. Private Right of Action – Individuals can appeal to the Office of the Privacy Commissioner to seek damages for losses incurred by a privacy violation.
  6. Data Portability – Strengthens the right of individuals to transfer their personal information between organizations. 
  7. De-Identified Data – Strengthens the language around how de-identified data can be used, and clarifies penalties for violating these orders.

These changes represent a significant bolstering of individual privacy rights in Canada, and bring us more in-line with the European General Data Protection Regulations (GDPR), which are quickly becoming a global standard..

You can read our full submission to the 2019 consultation here: