On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced the proposed Digital Charter Implementation Act (DCIA or “Act”), new legislation from the Liberal Party of Canada that could dramatically alter how the country regulates consumer data.[1] The Act, which will likely extend to businesses outside of Canada, aims to “significantly increase protections to Canadians’ personal information” and “provide significant new consequences for non-compliance with the law.”[2] The DCIA grants consumers powerful consent rules, including the ability to withdraw consent, control over the transfer of their information to third parties, algorithmic transparency rights and data de-identification safeguards.[3] Penalties for noncompliance are substantial and can reach as high as 5% of a company’s revenue or C$25 million, whichever is greater.[4]
The new Act would coexist with Canada’s Privacy Act and replace the Personal Information Protection and Electronic Documents Act (PIPEDA).[5] Not unlike its U.S. namesake, the Privacy Act regulates the federal government’s use of personal information.[6] The Privacy Act governs the collection, use and disclosure of personal information in the contexts of government pensions, employment insurance, national security, federal law enforcement and tax collection.[7] PIPEDA, on the other hand, is a comprehensive consumer privacy law that governs how private sector organizations collect, use and disclose information in the commercial setting.[8] The DCIA aims to replace PIPEDA by rehoming PIPEDA’s rules on electronic documents in the newly proposed Electronic Documents Act and modernizing PIPEDA’s privacy provisions by creating the Consumer Privacy Protection Act.[9] Finally, the DCIA will likely coexist with provincial privacy laws that provide more tailored guidance for certain provinces in areas such as general data privacy, health privacy and financial privacy.[10]
The DCIA is in the earliest stages of the legislative process and has yet to be assigned to a committee.[11] As such, it is difficult to predict whether the bill will be signed into law. While Canadian Prime Minister Justin Trudeau enjoys a Liberal majority in the House of Commons, there are early signs that some Conservatives might not be on board with the new bill.[12] Conservative Member of Parliament James Cumming promised that he and other Conservative lawmakers will review the legislation to ensure that it does not impose burdensome regulations on small business, especially in light of the pandemic.[13] While there may be signs of early skepticism, the proposed Act adopts many established and widely accepted principles found in similar authorities such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act (CCPA).
If enacted, the DCIA will likely apply extraterritorially and across a wide range of different entities. The proposed Act covers data that is collected both interprovincially and internationally, and applies to “every organization in respect of personal information that . . . the organization collects, uses or discloses in the course of commercial activities.”[14] The Act will also cover data collected in the context of employment. “Organization” is broadly defined to include associations, partnerships, persons and trade unions.[15] Interestingly, the definition does not include any limitations on where an organization is located. This lack of geographic specificity, coupled with the DCIA’s application to data collected internationally, strongly suggests that businesses in the U.S. and around the world will have to comply with the Act’s requirements. Further, the DCIA has the potential to apply to even more businesses than the CCPA because the Act does not establish any revenue threshold requirements like its U.S. counterpart.
Phillips Lytle is committed to monitoring the bill as it makes its way through the legislative process to ensure our clients stay up-to-date on the latest developments.
[1] Jedidiah Bracy, Big Fines Included in Canada’s Newly Proposed National Privacy Bill, IAPP (Nov. 17, 2020), https://tinyurl.com/y6sgfbdv.
[2] Fact Sheet: Digital Charter Implementation Act, 2020, Government of Canada (Nov. 17, 2020), https://www.ic.gc.ca/eic/site/062.nsf/eng/00119.html.
[3] Supra note 2.
[4] Supra note 2.
[5] Ron Kruzeniski, Government of Canada Proposes Amendments to PIPEDA, Office of the Saskatchewan Information and Privacy Comm’r (Nov. 18, 2020), https://oipc.sk.ca/government-of-canada-proposes-amendments-to-pipeda/#:~:text=Through%20the%20proposed%20Digital%20Charter,Privacy%20Protection%20Act%20(CPPA).
[6] Summary of Privacy Laws in Canada, Office of the Privacy Comm’R of Canada (Jan. 2018), https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/ (last modified Jan. 31, 2018).
[7] Supra note 6.
[8] Supra note 6.
[9] Supra note 5.
[10] Provincial Laws That May Apply Instead of PIPEDA, Office of the Privacy Comm’R of Canada , https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/prov-pipeda/ (last modified May 11, 2020).
[11] Bill C-11, Digital Charter Implementation Act, 2020, 2nd Sess., 43 Parl., 2020, https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading.
[12] See Catharine Tunney, Companies Could Face Hefty Fines Under New Canadian Privacy Law, CBC News (Nov. 17, 2020), https://www.cbc.ca/news/politics/privacy-bill-bains-fines-1.5804779.
[13] Press Release: Banning Huawei Would Protect the Privacy of Canadians, James Cumming ( Nov. 17, 2020), http://www.jamescumming.ca/press_release_banning_huawei.
[14] Bill C-11, Digital Charter Implementation Act, 2020, 2nd Sess., 43 Parl., 2020, https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading.
[15] Supra note 14.