New legislation in Canada will expand data privacy obligations. GRC World Forums summarises the key changes to the law along with insight from PrivSec Global speaker Mark Sward

In November, Bill C-11 for the Digital Charter Implementation Act, 2020 was introduced to the House of Commons as part of Canada’s updated privacy legislation, which will enact the Consumer Privacy Protection Act (CPPA).

If transcribed into law, the CPPA will replace the Personal Information Protection and Electronic Documents Act (PIPEDA) in most areas and will expand data privacy obligations and impose new enforcement mechanisms on businesses collecting users’ data.

Expanded rights

The CPPA maintains the ten core privacy principles of PIPEDA, including, accountability, consent and challenging compliance.

However, it expands consumers’ rights in certain areas, such as allowing individuals to request access and deletion of their data, with some exceptions and data portability rights.

Furthermore, the CPPA implements the concept of algorithmic transparency, which will enable consumers to receive an explanation as to why a certain algorithmic decision has been made about them upon request.

It must then inform any service provider to which it transferred the PI of the individual’s request and obtain confirmation that the service provider deleted the PI.


Under CPPA, businesses will have to meet extra requirements for obtaining valid consent. At the point of collection, organisations must provide consumers with the following information:

  • The purposes of the collection, use, or disclosure of the PI, as determined and recorded by the organisation
  • The way PI is to be collected, used, or disclosed
  • Any reasonably foreseeable consequences of the collection, use, or disclosure of the PI
  • The specific type of PI to be collected, used, or disclosed
  • The names of any third parties or types of third parties to which the organization may disclose the PI

However, in a move away from PIPEDA, the new law will also provide exceptions in obtaining consent when de-identifying information.

Additionally, there are exceptions for obtaining consent if the collection or use is made for a business activity, such as providing or delivering a product or service that the individual requested or preventing or managing commercial risk. An organisation may also transfer an individual’s personal information to a service provider without the user’s knowledge.


The CPPA includes significantly high penalties for non-compliance through the Personal Information and Data Protection Tribunal (PIDPTA), which will have the power to impose administrative penalties on businesses, who use personal information for an improper purpose, require a person to consent to the use of their personal information as a condition of supplying a good or service, or retain personal information for longer than needed.

The Tribunal can impose administrative penalties on recommendation by the Privacy Commissioner and will also be able to hear appeals of the Privacy Commissioner’s decisions and assist in administration of the CPPA.

The maximum administrative penalty under the CPPA is the greater of C$10 million or 3% of global revenue for the previous year. The maximum penalty for serious offences will be up to 5% of an organization’s global revenues or $25 million whichever is higher.

Privacy Commissioner (OPC)

The Commissioner will also receive greater order-making powers under the CPPA than PIPEDA. Notably, they can order a company to “take measures to comply with the CPPA; cease doing something in contravention of the CPPA; follow a compliance agreement; or make public any corrective actions it must take to comply with the CPPA.” Under PIPEDA, the Commissioner is only able to make recommendations.

The law will first become subject to committee review and public consultation before it can be passed. So far, no timelines for preparation have been drafted.


OPINION: Mark Sward, Vice President and Global Head of Privacy at Sterling

mark sward

Mark Sward

“From a business perspective, there are many positive aspects of this bill, including a great deal of flexibility around how to implement the principles and new clarity on cross-border and intercompany transfers of data.

“I feel there are some missed opportunities here.

“While the GDPR in Europe has moved away from consent as the primary lawful basis for processing, the CPPA still maintains that consent is required for most data processing.

“This is a disappointment as it continues to put the onus on the individual to take the time and effort to understand what is being explained and make a decision, rather than putting the accountability on the organization to handle data properly.

 ”While the CPPA does not explicitly incorporate Privacy by Design principles and other unique innovations we see in other modern privacy laws, it does have hefty enforcement powers which will force companies in Canada to start paying attention. I believe this will be a good thing for Canadians.”

Hear more about the new legislation, and from Mark Sward, at Canada’s Proposed Updated Federal Privacy Law: What You Need to Know at 6pm on 23 March at PrivSec Global

Click here for more