Regulatory model and enforcement

June 29, 2026

Proposed oversight and enforcement structure

Highlights

  • Key change from PIPEDA: Oversight and enforcement shifts from the OPC to the newly created Digital Safety and Data Protection Commission of Canada, a multi-member body appointed by the Governor in Council that is not an independent agent of Parliament.
  • Key change from the CPPA: Rather than retaining the OPC alongside a separate Tribunal, the PPCDA consolidates oversight, penalty, and initial appeal functions within the Commission. The new oversight framework is less directly tied to traditional Parliamentary oversight mechanisms, as the members of the Commission are appointed by the Governor in Council and the Commission reports through the responsible minister.

Digital Safety and Data Protection Commission of Canada (Commission)

  • replaces the Office of the Privacy Commissioner of Canada for the private sector privacy law regime
  • overall oversight and enforcement of the PPCDA regime
  • also mandated to promote online safety and reduce harms from harmful content by administering and enforcing the Digital Safety Act (Bill C-34) governing regulated social media, chatbot and other online services

Member of Commission · Investigative arm

  • unlike under PIPEDA, the Commissioner is not an independent agent of Parliament
  • investigation of complaints and self-initiated investigations (ss. 97–100)
  • compliance agreements (in course of resolving investigations) (ss. 102–103)
  • notices of contravention (ss. 105–108) — must include grounds for contravention, including the provisions of PPCDA that have been contravened, any penalty or “proposed order,” and information regarding right to apply for a review
    • if uncontested, deemed contravention and penalty is levied and “proposed order” is deemed to be made by Commission
    • injunctive relief (application for review to Commission) (s. 109)
    • discretion to publish information where it is in public interest (s. 135(3))
  • audit/investigation powers (ss. 118, 122)
  • ensures compliance with approved certification programs (s. 85)
  • above processes governed by guidance that will be developed by Commission in consultation with minister and other stakeholders (s. 78)

Commissioner and 1+ members of Commission

  • dispute resolution to resolve complaints (s. 101)
  • approves codes of practice and certification programs (ss. 93–96)
  • may delegate a majority of Commission responsibilities, including developing guidance, conducting research and consultation with international stakeholders relating to compliance with Act
    • minister may request guidance materials and tools, and that research be conducted (s. 76)

Excludes Commissioner and any member with reasonable apprehension of bias (ss. 111, 124)

  • hears applications for review of notices of contravention and interim orders issued by Commissioner (ss. 109, 123)
  • reviews, confirms and varies penalties (s. 110)
  • reviews, confirms or varies proposed orders included in notices of contravention issued by Commissioner, and makes orders (s. 110)
  • issuance of interim orders (s. 121)
  • must conduct reviews in accordance with rules published by Commission (s. 78)

Commissioner cannot adjudicate (s. 111)

Federal Court

  • unlike PIPEDA, organizations can appeal decisions by Commission (ss. 126–128)

Bill C-36 transfers responsibility for federal private sector privacy law from the OPC to a newly created Digital Safety and Data Protection Commission of Canada (the Commission), which will be responsible for administering the PPCDA. The Commission will also have responsibility for the recently proposed Digital Safety Act (Bill C-34), which sets out a framework to govern online safety and reduce harms resulting from online content and establishes transparency and accountability requirements for operators of regulated services, such as social media sites, chatbots and other online services.

Key features of the Digital Safety and Data Protection Commission of Canada

  • The Commission consists of three to five members appointed by the Governor in Council.
  • One of the Commission members will be appointed as the designated Privacy and Consumer Data Commissioner (the Commissioner) to lead the oversight and enforcement of the PPCDA and to address complaints and undertake investigations (s. 85(1)).
  • Decisions of the Commissioner, which will be contained in “notices of contravention,” will be subject to review by the Commission on application of the organization or complainant.
  • The Commissioner will form part of the dedicated Privacy and Consumer Data Division (the Division), along with at least one other member of the Commission (s. 89), which will manage dispute resolution mechanisms to resolve complaints (s. 101) and approve codes of practice and certification programs (ss. 93–96), as well as any other responsibility delegated by the Commission.
  • The Commission has broad powers, duties and functions that may be delegated to the Division and Commissioner, including developing guidance materials for organizations, conducting public information programs, conducting research into the protection of personal information (including where requested by the minister), and consulting with international stakeholders on the promotion and administration of privacy and data protection issues (ss. 76–82).
  • The Commission will also work with organizations upon request to review and provide guidance on the organization’s privacy management programs.
  • Unlike the OPC, the Commission and the Commissioner are not independent agents of Parliament.

Investigation and enforcement process

Highlights

  • Key change from PIPEDA: Unlike the existing regime under PIPEDA, where the Privacy Commissioner’s role is largely ombudsperson-style focused on investigation and non-binding recommendations to promote compliance, the new Commissioner gains broad powers to, in the course of investigations, enter into compliance agreements, issue notices of contravention, issue penalties and propose binding orders.
  • Key change from the CPPA: The formal “inquiry” process is replaced with a streamlined model in which an uncontested notice of contravention results in a deemed contravention, with the penalty becoming due and the proposed order being made by the Commission without further review. The organization or complainant may apply to the Commission for review of any aspect of the notice, and the Commissioner cannot hear these reviews. Commission decisions may be appealed to the Federal Court. Investigations may also be resolved through dispute resolution mechanisms conducted by the Division.

Key features of the Privacy and Consumer Data Commissioner

The Commissioner operates as the investigative arm and may investigate an organization’s compliance with the PPCDA, either in response to a complaint, or where they are satisfied that there are reasonable grounds to investigate a matter under the Act (ss. 97–100). The Commissioner is also responsible for reviewing an organization’s compliance with approved certification programs and may conduct audits into an organization’s compliance (ss. 85, 118).

Investigations can also be resolved through a dispute resolution process conducted by the Division, which will be outlined further in regulations and guidance (s. 101).

The Commissioner is granted broad investigative powers, including to order the production of documents and examine premises (s. 122).

If, in the course of an investigation, the Commissioner believes on reasonable grounds an organization has contravened a requirement of the PPCDA, the Commissioner may

  • enter into a compliance agreement with the organization aimed at ensuring compliance with the Act (ss. 102–103)
  • issue a notice of contravention setting out
    • the facts of the alleged contravention and the Commissioner’s reasons for believing there is a contravention, as well as the provisions of the PPCDA that have been contravened
    • the penalty that an organization is liable to pay and the time and manner in which the penalty must be paid
    • the “proposed order,” if any, that the Commissioner considers reasonably necessary to ensure compliance with the PPCDA and the reasons for it
    • the organization’s rights regarding a review (s. 107)
  • in exigent circumstances, issue interim orders (s. 122)

Where the notice of contravention is uncontested, the contravention is deemed to have occurred, and the order is made by the Commission and the penalty becomes due (ss. 108–109).

Review of orders/penalties

The organization and complainant may apply for a review of any aspect of the notice of contravention (including penalties and orders) or interim orders by the Commissioner (s. 109). The Commission will hear applications and review, confirm or vary penalties and proposed orders issued by the Commissioner, then make its decision (s. 121). The Commissioner cannot hear these reviews (ss. 111, 124).

The investigation and enforcement processes are governed by guidance that will be developed by the Commission in consultation with the designated minister and other stakeholders (s. 78).

Decisions of the Commission may be appealed by the complainant or affected organization to the Federal Court (ss. 126–128). Interim orders may be appealed only with leave (s. 127(1)).

Administrative monetary penalties (AMPs)

Highlights

  • Key change from PIPEDA: The PPCDA introduces AMPs, which PIPEDA does not have.
  • Key change from the CPPA: The penalty framework is substantively similar to the CPPA, but flows through the Commission rather than an independent Tribunal. New factors to be considered when issuing a penalty include the organization’s ability to pay and financial benefit obtained from the contravention; affected organizations (not only complainants) may appeal to the Federal Court.

The PPCDA introduces AMPs up to the higher of $10 million or 3% of the organization’s gross global revenues (s. 114). Penalties may only be imposed by the Commissioner for enumerated contraventions, as set out below (s. 113(1)).

| Contravention | PPCDA provision |
| --- | --- |
| Failing to implement/maintain a privacy management program | s. 9(1) |
| Failing to ensure equivalent protection for service provider transfers | s. 11(1) |
| Collecting/using/disclosing personal information for purposes that are not “appropriate” | s. 12(1) |
| Failing to determine/record purposes before collection or new use/disclosure of personal information | ss. 12(3)–12(4) |
| Collecting personal information beyond what is necessary | s. 13 |
| Using/disclosing personal information for secondary purpose without consent or exception | s. 14(1) |
| Failing to obtain valid consent | s. 15(1) |
| Contravening the “refusal to deal” provision | s. 15(7) |
| Obtaining consent through deception | s. 16 |
| Failing to inform of the consequences of withdrawing consent or failing to cease processing in respect of the withdrawal of consent | s. 17(2) |
| Contravening retention and disposal requirements | ss. 52, 54(1), 54(5) |
| Failing to safeguard personal information | s. 56(1) |
| Failing to report/notify breaches of security safeguards | ss. 58(1), 58(3) |
| Service provider failing to notify accountable entity of a breach | s. 61 |
| Failing to make policies/practices information available | s. 62(1) |

Factors in determining penalty amount

In imposing an AMP, the Commissioner/Commission must consider

  • the nature and scope of the contravention
  • evidence of exercise of due diligence to avoid the contravention
  • whether the organization made reasonable efforts to mitigate or reverse the effects of the contravention
  • history of compliance
  • the organization’s ability to pay the penalty and the likely effect that paying it would have on the organization’s ability to carry on its business
  • any financial benefit that the organization obtained from the contravention
  • any other prescribed or relevant factor

The Commissioner determines penalties after investigation (ss. 105–109, 113). However, the complainant or the organization can apply for a review of these by the Commission, which may elect to vary the penalty (ss. 109–110).

An AMP cannot be imposed if the organization was in compliance with an approved certification program at the time of the contravention (s. 113(3)(a)). However, the private right of action remains available (s. 132).

Offences and criminal fines

Highlights

  • Key change from PIPEDA: The PPCDA introduces significant criminal penalties for knowing contraventions. PIPEDA has no comparable offence provisions.
  • Key change from the CPPA: The proposed fines remain substantively identical to those under the CPPA.

Certain knowing contraventions may be prosecuted as offences.

| Offence type | Maximum fine |
| --- | --- |
| Summary offence | Higher of $20 million or 4% of gross global revenues (s. 145(b)) |
| Indictable offence | Higher of $25 million or 5% of gross global revenues (s. 145(a)) |

Examples of conduct that may constitute an offence include

  • failing to report a breach of security safeguards or notify affected individuals (s. 58)
  • failing to provide the Commission with access to breach records (s. 60(1))
  • failing to retain information subject to an access request (s. 69)
  • unauthorized re-identification of de-identified information (s. 75)
  • retaliation against a whistleblower (s. 144(1))
  • contravening an order made by the Commission to ensure compliance with the PPCDA (s. 110(1))
  • obstructing an investigation or audit (ss. 109, 123(4))

Order-making powers and private right of action

Highlights

  • Key change from PIPEDA: The new Commission receives binding order-making powers to require compliance, publicize corrective measures, and make information preservation orders. The PPCDA also introduces a statutory private right of action for affected individuals following a final finding of contravention, a compliance agreement, or a conviction.
  • Key change from the CPPA: Under the CPPA, the private right of action required either a final finding by the Commission or Tribunal that an organization had contravened the act. Under the PPCDA, claims proceed following a final Commission finding or Federal Court decision. In both frameworks, these actions may be brought in either the Federal Court or provincial superior courts.

Order-making powers

In the course of an investigation, the Commission may impose binding orders on organizations to comply, and to publicize any corrective measures to ensure compliance with the Act (s. 110). In addition, during a review under ss. 109 or 123, the Commission may make any interim order considered appropriate and may make information preservation orders (ss. 121(1), 121(2)(d)).

Orders and penalties issued by the Commission may be appealed to the Federal Court, and interim orders may be appealed with leave (ss. 126, 127(1)).

Private right of action

After a final finding of contravention, the entering of a compliance agreement or a conviction, affected individuals may sue for damages for loss or injury suffered as a result (s. 132(1)–(2)). Claims may be brought in either Federal Court or the superior courts of the provinces (s. 132(5)). A two-year limitation period runs from the final finding or conviction after all appeal rights have been exhausted (s. 132(4)).
