By -

First major overhaul of national data protection legislation in 20 years. Here's everything you need to know about Bill C-11

On November 17, the Minister of Innovation, Science and Economic Development tabled a bill that will change the privacy landscape in Canada. Once passed, it is expected that businesses will have 18 months to adapt to the change.

The legislation will be called the Consumer Privacy Protection Act (CPPA). It replaces the schedule to the Personal Information Protection and Electronic Documents Act that addresses data privacy. The legislation applies to interprovincial, cross border and in province data (except where a province has its own robust data protection legislation – currently BC, Alberta and Quebec have such legislation).


  • Consent to collection must be meaningful, plain language information must be provided.

  • An individual has the right (subject to regulations) to request the transfer of personal information. It is anticipated that we will first see this in relation to changing financial institutions.

  • The right to be forgotten. Subject to legitimate needs, an organization must dispose of personal information that it has. Also, consent can be withdrawn.

  • Implied consent to collection is now recognized. This should facilitate matters for both businesses and consumers.

  • Systems like Artificial Intelligence (AI) when applied to automated decision making must be transparent. Individuals have the right to request how a prediction, recommendation or decision was made by an AI system, if it affects them.

  • Anonymized or de-identified information (e.g. names removed), must be protected and can only be used in specific circumstances such as internal research and development.

Tribunal Created

Part of the bill creates the Data Protection Tribunal. The Privacy Commissioner can make an application to this tribunal for administrative monetary penalties. Under the Competition Act, AMP’s do not require proof beyond a reasonable doubt and are not a finding of guilt, but they represent a disincentive to disregard the legislation. AMPS can be up to 3% of global revenue or $10 million (whichever is higher). In the most severe cases, fines are possible. They can be as high as 5% of global revenue or $25 million (whichever is higher). The Tribunal must consider a number of factors including the nature and scope of the contravention, whether the organization has voluntarily compensated persons affected, and the organization’s history of compliance.

Directors and officers face personal liability for contraventions of the legislation


Organizations must implement a privacy management program. This must include policies and procedures to;

  • designate a privacy officer,

  • protect personal information,

  • address how requests for information and complaints are dealt with,

  • train staff on privacy, and

  • develop materials to explain how obligations under the act are dealt with.

Codes of Practice and Certification

The bill recognizes that data protection is complex. The Commissioner can approve codes of practice and certification systems that apply within an industry, sector or business model. This will simplify application of the CPPA for all businesses and in particular small businesses. It can also provide a safe haven.  

Data Sharing

In fields such as public health, infrastructure and environmental protection, the disclosure of anonymized data to public entities for socially beneficial purposes will be permitted. Details of this will be developed as regulations are adopted.

Going Forward

It will be crucial for businesses to examine their privacy policies and practices before the legislation comes into effect. For businesses that are present in the EU, many of these principles are already found in GDPR and so they will have a head start.

To learn more about Simplex Legal, visit their website or connect with Gerard Power, Senior Legal Counsel.

Sign up to the Bubblebox Newsletter below to stay up to date on the upcoming changes or follow us on LinkedIn, where we'll be providing updates to future webinars, blogs, articles, and provide resources to keep you aware of the upcoming data privacy changes.

This article is intended to provide general guidance to the subject at matter. It is recommended that your own legal counsel should be sought about your specific circumstances.