background image


Canadian Privacy Act: Bill C-11


With the turbulence surrounding the COVID-19 pandemic and the 2020 United States election, Canada’s proposed new privacy law, the “Digital Charter Implementation Act” may have gone under the radar of many Canadian organizations. This proposed law includes fines up to $25 million or 5% of global revenue (whichever is greater) for the most significant offences.

To date, Canada already has active two privacy laws. The Privacy Act pertains to government agencies and federally regulated industries, whilst the Personal Information Protection and Electronic Documents Act, or ‘PIPEDA’, applies to private-sector organizations.

On November 17, 2020, Innovation Minister Navdeep Bains presented the Digital Charter Implementation Act (DCIA) — through the proposed Digital Charter Implementation Act, the Government of Canada intends to establish a new privacy law for the private sector, the Consumer Privacy Protection Act (CPPA), repealing Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Digital Charter Implementation Act, Bill C-11, represents one of the greatest reforms in Canada’s privacy law in years, significantly increasing protections for Canadian’s personal information – including drastically expanding the penalties for violation of federal private sector privacy law.

“The COVID-19 pandemic has accelerated the digital transformation which is changing how Canadians work, access information, access services, and connect with their loved ones. This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement. This legislation represents an important step towards achieving this goal.”  

The Honourable Navdeep Bains, Minister of Innovation, Science, and Industry

So what does this mean for organizations like yours? Let's explore.

Laying the Groundwork for the Digital Charter Implementation Act

According to Bains, the fines suggested are to enforce a level of accountability. The consequential fines under the proposed legislation would deliver some of the strongest fines among the G7 nations’ privacy laws. The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations.

However, for the most serious offences, the federal government has the ability to serve offending business organizations with fines of up to 5% of global revenue or $25 Million, whichever is greater. The severity of the proposed fines seeks to provide Canadians with greater control and transparency over the ways by which an organization can handle their personal data; a testament to Canada’s commitment to citizens’ rights to privacy. Provided the legislation passes, organizations will be required to obtain consent from their customers in plain language, in other words, not jargon-laden legal documentation, before using their personal data.

In addition, the rules governing the practice of removing direct identifiers (such as a name) from personal information will clarify that this personal information must be protected and that it can be used only under certain, defined circumstances without an individual’s direct consent. Certainly, this is a step in the right direction. To provide a brief summary of the main contents of the legislation, below are the take-homes as outlined on the Government of Canada website:

This legislation takes a number of important steps to ensure that Canadians will be protected by a modern and responsive law and that innovative businesses will benefit from clear rules, even as technology continues to evolve, including increasing control and transparency when Canadians’ personal information is handled by companies; giving Canadians the freedom to move their information from one organization to another in a secure manner; ensuring that Canadians have the ability to demand that their information be destroyed; providing the Privacy Commissioner with broad order-making powers, including the ability to force an organization to comply and the ability to order a company to stop collecting data or using personal information; and ensuring the strongest fines among G7 privacy laws—with fines of up to 5% of revenue or $25 million, whichever is greater, for the most serious offences.    

-Government of Canada Website, November 17, 2020

Ultimately, the proposed Digital Charter Implementation Act, 2020 lays the groundwork for trust and transparency among citizens, companies and government, as well as ensures that innovators and business organizations benefit from a modernized framework with clearly defined rules.

Social Media Implications

While social media platforms such as Facebook and Instagram are already subject to the same laws as other organizations operating in the Canadian marketplace, the CPPA would safeguard that Canadians have the ability to demand that their information on these platforms be permanently deleted.

When consent is withdrawn, Canadians can demand that their information be destroyed. To reinforce this effort, the Privacy Commissioner will have the broad “order-making powers” to order a social media company to comply, including the ability to order it to stop collecting data or using personal information.

This is meant to facilitate:

  • Increased control and transparency regarding how organizations handle Canadians' personal information

  • Greater freedom for individuals to move their information from one organization to another

  • The flexibility for Canadians to request that their info be disposed of when it is no longer needed by organizations

  • Establishing stronger information-related regulations for minors (such as disallowing organizations from collecting information from minors)

These social media implements would permanently alter how Canadian personal data is collected and distributed by companies.

What Does This Mean for Canadian Organizations?

Assuming the proposed Digital Charter Implementation Act is passed, organizations across the country have it in their best interest to prepare themselves. Whereas, the Personal Information Protection and Electronic Documents Act, or ‘PIPEDA’, threatened a maximum fine of $100,000, the newly proposed legislation’s penalties have the potential to impose significantly greater monetary damages.

To stay protected, there are a number of measures that your organization can implement, including a comprehensive review of existing security safeguards the organization currently has in place. In addition to this, we highly recommend that the vast majority of organizations bring penetration testing into their arsenal.

As a North American penetration testing company, we at Packetlabs are keeping a watchful eye on the continuing development of the Digital Charter Implementation Act. With the passing of this act, cybersecurity infrastructure for organizations large and small will be more crucial than ever before: to protect organizations from heightened liability in the case of a security breach, CISOs will need to be prepared to invest in up-to-date cybersecurity best practices.

For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization in the wake of the Digital Charter Implementation Act, please contact us to consult with our team of experienced ethical hackers.