December 7th, 2020

The Canadian government has proposed the most significant changes to Canadian privacy law since the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law, came into force in April, 2000.

The changes are set out in the new Bill C-11, which proposes the enactment of two new statutes: the Consumer Privacy Protection Act (CPPA), and the Personal Information and Data Protection Tribunal Act (PIDPTA). If these new laws are passed, the privacy provisions of PIPEDA will be replaced and a new Personal Information and Data Protection Tribunal (Tribunal) will be established. These laws will apply to a wide range of entities that collect, use and disclose personal information in the course of commercial activities inside Canada or across the borders of Canada or its provinces.

Bill C-11 will have to successfully pass through a long legislative process before becoming law.. Subject organizations should be aware of it now, however, to start preparing for the changes it may bring. The following summarizes the key changes that will be made to Canadian privacy law if the CPPA and PIDPTA are enacted.

Enforcement

The CPPA will grant the Office of the Privacy Commissioner of Canada (OPC) new powers to make orders regarding CPPA non-compliance. The OPC will also receive new powers to make recommendations to the Tribunal that it impose fines on an organization, up to the greater of $10,000,000 or 3% of the organization’s global gross revenues for the previous fiscal year, where the organization has violated the CPPA’s key provisions. The most egregious CPPA violations will constitute offences punishable, upon prosecution, with a fine up to $25,000,000 or 5% of the organization’s global gross revenues.

The CPPA will also introduce a new private right of action whereby an individual may bring a claim against an organization for damages for loss or injury suffered as a result of the organization's contravention of the CPPA, provided the Tribunal determined the organization contravened the CPPA, or the OPC found the organization contravened the CPPA and the finding may no longer be appealed.

Consent

Consent to collect, use or disclose personal information will remain at the core of Canada's privacy law. New exceptions to the consent requirement will be established such that organizations will be permitted to collect or use personal information without the individual's consent:

• to provide the individual a requested product or service;
• to exercise due diligence or reduce the organization's commercial risk;
• to carry out an activity that is necessary for the organization's information system or network security;
• to carry out an activity that is necessary for the safety of a product or service that the organization provides or delivers; or
• to carry out an activity where obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual.

These exceptions will not apply where the personal information is collected or used to influence an individual's behaviour or decisions. Further, as is currently the law under PIPEDA, an organization will not be permitted to collect a person's electronic address through a computer program without their knowledge or consent.

New Individual Rights

In addition to the private right of action described above, the CPPA will grant individuals a number of rights they do not currently have under PIPEDA. These include rights to:

• be informed of automated decision-making;
• require organizations to delete personal information about the individual that was collected from them; and
• direct an organization to transfer the individual's personal information to another organization under limited circumstances.

Automated Decision-Making

The CPPA will require organizations to make information readily available to individuals that explains the organization's use of automated decision systems to make predictions, recommendations or decisions about them that could have significant impacts on them.

Privacy Management Programs

The CPPA will require each organization to implement a “privacy management program” that includes the policies, practices, and procedures the organization implements to fulfil its CPPA obligations. These policies will have to address the organization's:

• protection of personal information;
• handling of inquiries and complaints;
• training of staff on policies and procedures; and
• development of materials to explain the policies and procedures.

When developing its privacy management program, each organization will be required to consider the volume and sensitivity of the personal information under its control. The CPPA will also require each organization to give the OPC access to its policies and procedures upon request.

Business Transactions

If passed as currently proposed, the CPPA may create problems for business mergers and acquisitions. Unlike the broad exception under section 7.2(1) of PIPEDA, the CPPA will permit organizations to use and disclose an individual’s personal information without the individual's knowledge or consent for purposes of a proposed business transaction only if the information has been de-identified. This may be problematic for purchasing businesses where value is placed on specific human resource assets. It is unclear how this requirement will work along with the new consent exception for due diligence purposes outlined above.

Codes of Practice and Certification Programs

The CPPA will enable organizations to create “codes of practice” and “certification programs” for approval by the OPC. The OPC may approve these codes and programs only if they provide the same, or greater, level of protection as the CPPA requires. Compliance with such a code or program will not relieve the organization from its obligations under the CPPA.

Peter Murphy is a partner at Shibley Righton LLP in Toronto.

Peter Murphy, HBA, JD

November 12, 2020

It appears the wait for Ontario's Not-for-Profit Corporations Act (“ONCA”) will continue into 2021. 

Currently, Ontario not-for-profit corporations are governed by the Corporations Act, R.S.O. 1990.  The Government of Ontario has made a number of amendments to this statute over the years, including recent changes to loosen the rules about how and when AGMs may be held during the COVID-19 emergency period.  While these amendments have been helpful, a major overhaul of the Corporations Act is still widely considered to be necessary. 

The Government of Ontario took steps to replace the Corporations Act back in 2010 when it passed the more modern ONCA.  Although ONCA was passed, it did not come into force – a situation that remains the case today.  The new statute must be proclaimed by the Lieutenant Governor to come into effect.  Until this happens, the Corporations Act continues as the governing legislation for not-for-profits incorporated in Ontario.

Ontario's Ministry of Government and Consumer Services previously indicated that ONCA would take effect in 2020.  However, the Ontario Legislative Assembly recently passed a resolution extending the proclamation period for ONCA until December 31, 2021.

When ONCA comes into force Ontario not-for-profit corporations will have a three-year transition period to conform their governing documents, including their by-laws, to the new law. 

This article is provided as general information and does not constitute legal advice. If you have any particular legal questions, please contact us.

In the aftermath of a seemingly unsatisfactory examination for discovery of a corporate representative, many lawyers will look to Rule 31.03 for recourse to examine a second representative. Justice Perell released a decision[3] that offers guidance on the requirements for leave to examine a second witness.

Please click here for the full Article