Are You Privacy Compliant? Penalties and Fines Drastically Increased and Expanded


UPDATE – The federal government has called for an election on September 20, 2021. This means that Bills that had been introduced but not yet received Royal Assent (meaning they were not passed into laws) will die on the order paper.  Bill C-11 is one of those Bills.  This means that, at least for now, the proposed changes to Canada’s privacy laws are not moving forward.

Changes are coming to Canada’s privacy legislation. The federal government introduced new legislation in Bill C-11 that will replace part of the Personal Information Protection and Electronic Documents Act (PIPEDA).  

The new Act will be called the Consumer Privacy Protection Act, and while it is similar to PIPEDA in many ways, there are some significant changes.   Those changes include significantly greater penalties for non-compliance with the Act, as well as some new requirements.

These amendments are important to every organization that collects, uses or discloses personal information in the course of commercial activities, and will apply across the country (subject to exemptions for provinces that have substantially similar legislation).

Privacy – New Rights and Requirements

The Consumer Privacy Protection Act includes the following new requirements:

  • Individuals will have the right to transfer their data from one organization to another. The Act also contemplates the creation of a data mobility framework. This framework will be provided under the regulations, so the details of the framework are not yet available.
  • Individuals have the right to have their personal information permanently and irreversibly deleted.
  • An organization can de-identify personal information and the Act allows an organization to use de-identified information without consent in some circumstances.

Private Right of Action

An individual will be permitted to bring a lawsuit for damages for loss or injury against an organization for breaches of the Act if:

  • the Commissioner or Tribunal have made a finding that the organization contravened the Act; or
  • the organization has been convicted of an offence under the Act.

Increased Penalties and Fines

The new Act proposes much stronger penalties and fines against an organization.  Currently the maximum fine for an offence under PIPEDA is $100,000 and there is no penalty amount for contraventions other than offences.  Under the new Act there are penalties for contraventions of the Act and separate fines for offences, with significantly higher maximums:

  • The maximum penalty for all contraventions taken together is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.
  • The maximum fine on conviction of an offence is the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced.

About the author

Gayle Wadden
Gayle Wadden CLO, Compliance Works
Gayle Wadden is a senior lawyer with deep experience in employment and corporate law. She is responsible for overseeing Compliance Works’ legal content.

The latest in HR laws delivered to your inbox

Subscribe to the Compliance Works newsletter for our takes on HR laws, compliance changes, and other trending workplace topics.

Related articles

Easy tutorials to
get you started

May 25, 2023

In this Compliance Works How To video we show you how to add users to your Compliance Works account!

May 25, 2023

In this video we will show you how to create reports. Reports are automatically updated to show any changes in the law and can be downloaded as a pdf to share with others.

May 25, 2023

In this video we show you how to find recent changes in the law.

You’re all set! Our team will be in touch in the next 24 hours to schedule your personal demo. In the meantime, you can learn more about our software or explore our HR compliance resources.