Canada- Digital Charter Implementation Act 2020

The federal government has updated Canada's privacy framework by introducing the Digital Charter Implementation Act 2020 (DCIA). Upon enactment into law, this Act shall facilitate the protection of personal information in Canada's private sector, establish provisions in case of breach of privacy, and make remedies available to individuals who have suffered a loss due to such a breach.

Objectives of the DCIA:

The Act aims to modernize consent rules and ensure that personal information is written in plain language. Further, the Act seeks to improve data mobility, empower individuals to withdraw consent regarding personal information, and require organizations to maintain a transparent algorithm and remove any such practices that involve identifying personal information.

Key highlights:

The Act proposes establishing a new federal privacy statute, namely, the Consumer Privacy Protection Act (CPPA).

  1. Part I of the Personal Information Protection and Electronic Documents Act 2000, concerning collection and disclosure of data, is proposed to be replaced by the CPPA. The application of this provision shall not be limited to Canadian organizations alone. It will also apply to organizations that collect, use or disclose information for commercial activities provincially, nationally and internationally. The new Act aims to give citizens more control over how their data is processed across borders.
  2. The CPPA mandates that organizations shall obtain valid consent before collecting, using or disclosing personal information. The organization seeking information shall, in plain language, explain to the concerned person the purpose of collecting such information, the method of collection, the consequences of disclosure, the type of information, and the names of the parties with whom such information may be shared.
  3. The organization shall implement a privacy management program, comprising policies and procedures to fulfil its compliance obligations, based on the sensitivity of the data collected. The organization is responsible for breaches of such compliance requirements, such as theft of data, unauthorized access, technical or physical breach, etc.
  4. The proposed law aims to increase the Privacy Commissioner's investigative and enforcement powers by expanding its capabilities and permitting inquiries in cases where the Commissioner reasonably believes there exists a breach of legislation. The Commissioner is empowered to issue a compliance order directing organizations to take measures to rectify the breach, cease contravening acts, enforce compliance with the terms of the compliance agreement, or if any actions have been proposed in the organization, make such measures public. The prior PIPEDA permitted the court alone to make such an order.
  5. Depending on the severity of the breach, the Commissioner shall impose a fine on the organization extending up to $10,000,000 or equivalent to 3% of the gross global revenue of the organization in the preceding financial year. The Commission shall take the following factors into consideration before imposing such a penalty:
     1. The nature and scope of the contravention;
     2. The organization's history with the breach;
     3. Their ability to pay and carry on business;
     4. Financial benefits derived from the breach;
     5. Any other such factor, as may be relevant.
  6. The CPPA further provides for a class action against organizations that act in contravention thereof. Such action can be brought before the Superior Court of a province, subject to a two-year limitation.
