Summarizing Changes Brought Forward by Federal Privacy Bill C-27

On June 16, 2022, to update Canada’s federal private sector privacy law, the federal government tabled Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.

There are significant new penalties introduced should the bill pass.

Organizations guilty of an indictable offence are liable to a fine of up to 5% of global revenue or CA$25 million, whichever is greater.
Administrative monetary penalties of up to 3% of global revenue or CA$10 million for other select violations of the Consumer Privacy Protection Act (CPPA).
Private right of action is also available for individuals.

The following provisions are featured within the Act, many of which are subject to administrative monetary penalties. Companies are highly encouraged to seek legal counsel for their compliance efforts.

Organizations must implement a privacy management program that includes policies, practices, and procedures. Organizations must take into account the volume and sensitivity of the personal information under their control. (s. 9(1), (2))
Organizations must ensure, by contract or otherwise, that service providers provide a level of protection equivalent to what’s in the Act (s. 11(1))
Organizations must determine the purposes at or before the time of personal information collection. If the organization uses the personal information for new purposes, the organization must record that new purpose before using or disclosing that information for the new purpose (s. 12 (3))
Organizations must limit the collection of personal information to only the personal information necessary for the purposes determined and recorded. (s. 13)
Organizations must obtain an individual’s valid consent before any use or disclosure for other purposes (s. 14)
Organizations must determine the purposes at or before the time of personal information collection. If the organization uses the personal information for new purposes, the organization must record that new purpose before using or disclosing that information for the new purpose (s. 12 (3))
Consent is valid only if the organization provides the individual with information about the (a) purposes, (b) manner, (c) consequences of the collection, (d) type of information being collected, and (e) names/types of third parties involved in the collection, use, or disclosure of their personal information (s. 15(3))
Consent must be expressly obtained with details provided in plain language; some exceptions are listed (s. 15(4), (5))
Exceptions to the requirement of consent include: business activities (s. 18-28), public interest (s. 29-39), investigations (s. 40-42), disclosures to government institutions (s. 43-48), as required by law (s. 49-50), and publicly available information (s. 51)
Organizations must not require individuals to consent to the collection, use, or disclosure of their personal information beyond what is necessary to provide a product or service (s. 15(7))
Consent cannot be obtained by deception, such as providing false or misleading information (s. 16)
Individuals may withdraw their consent at any time, and that withdrawal should cease the collection, use, or disclosure of the individual’s personal information (s. 17(1), (2))
Organizations must have a recorded assessment of it’s planned activities, prior to collecting or using personal information, and a copy of such record must, upon request, be provided to the Commissioner (s. 18(5))
Organizations must not retain personal information longer than necessary to fulfill the purposes for which it was collected, used, or disclosed, and the organization must dispose of the information as soon as feasible after that period (s. 53(1))
Organizations that use personal information to make a decision about an individual must retain the information for a sufficient period to permit the individual to request access to it (s. 54)
Written requests from individuals to dispose of their personal information under an organization’s control must be acted upon as soon as feasible, with some exceptions (s. 55(1))
Refusal to dispose of personal information must be given to the individual in writing, setting out any reasons and recourse (s. 55(3))
Disposing of an individual's information at their request must also be sent to any service provider to which it has been transferred, and the organization must ensure the service provider has disposed of the information (s. 55(4))
Personal information under an organization’s control must be accurate and routinely updated (s. 56)
Organizations must protect personal information through physical, organizational, and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information (s. 57(1))
Organizations must report breaches of security safeguards involving personal information with a real risk of significant harm to the Commissioner and the individual involved (s. 58)
If a service provider determines that any breach of security safeguards has occurred that involves personal information, it must notify the organization that controls the personal information as soon as feasible (s. 61)
Organizations must make readily available, in plain language, information that explains the organization’s policies and practices (s. 62)
Organizations that de-identify personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information; some prohibitions are detailed (s. 74, 75)