Bill C-11, also known as the Digital Charter Implementation Act, was introduced in the House of Commons in Canada, on December 2, 2020. Its aim is to amend current acts while creating new guidelines to bolster consumer privacy.
Three Key Act Amendments:
What's Happening to the Personal Information Protection and Electronic Documents Act (PIPEDA)?
The Digital Charter Implementation Act would repeal parts of (PIPEDA). It would replace them with a new set of rules related to the collection, use, and disclosure of personal information for commercial activity in Canada.
What's Happening to the Consumer Privacy Protection Act (CPPA)?
Bill C-11 will also spur changes to the creation of the (CPPA) in order to both maintain and modernize rules around the way private sector organizations handle the protection of personal information. This new act will grant powers to extend or impose new rules at any time.
The role of the Privacy Commissioner in overseeing compliance will also be expanded to go above and beyond existing investigation and auditing capabilities. These new powers will include the authority to demand the production of records and enter private places, except homes, for the purpose of checking records and speaking with employees and other individuals inside. They will also be able to share information gathered with other federal regulatory bodies if it is warranted.
What is the Personal Information and Data Protection Tribunal Act?
The Personal Information and Data Protection Tribunal Act would be created to hear challenges and appeals to orders issued by the Privacy Commissioner. It would also set new monetary penalties for infractions cited under the Consumer Privacy Protection Act. The new fines would be the highest privacy-related penalties in the G7 group of nations.
What Does This Mean for Retailers in Canada?
Once it passes, Bill C-11 will become the law that governs the handling of personal information in all Canadian provinces and territories with the exception of British Columbia, Alberta, and Quebec. According to the Retail Council of Canada, there are a number of ways in which Bill C-11 will impact Canadian businesses. Some of the most prominent are outlined below:
- A mandatory privacy management program is now required: Retailers will now be required to have privacy management programs in place. They will need to be strong enough to handle the new, more demanding privacy and data protection compliance requirements under the CPPA. The federal Office of the Privacy Commissioner of Canada can request to see a retailer's privacy program at any time.
- New fines that are larger: The Privacy Commissioner would be able to issue more significant penalties for privacy violations. These fines could be up to 3% of global turnover or $10 million dollars for more significant infractions.
- Consumers have more control over their data: As part of provisions within the CPPA, consumers can request that a retailer destroy any personal information they have on hand. This is referred to as the "right to deletion".
- Privacy policies should be re-written in plain terminology - if not done so already: The CPPA will require retailers to use "plain language" in their privacy policies. It will also provide a guide as to exactly what information is to be included.
- Retailers can obtain consent more easily under this new bill: Consent is still required when looking to collect, use and disclose personal Information. However, there are now new exceptions to consent that include some for standard business activities.
- Retailers need to provide more information on the automated systems they use: The CPPA will require retailers to disclose more information on the automated systems used to handle customers' personal information. Bill C-11 defines an automated decision system as any technology that either assists or replaces the judgement of humans.
The Bottom Line: Retailers Should Prepare for the Provisions of Bill C-11
Overall, Bill C-11 aims to amend and strengthen several existing acts to better protect consumers' personal information in the retail setting. This is being done by taking one of the most aggressive approaches of all G7 countries through more rigorous enforcement ability and penalties. Retailers must remain on guard as the new Data Protection Tribunal Act provides the Privacy Commissioner more power to randomly audit individual retailers.
Above all, retailers should be compelled to continue their efforts to better safeguard customer data in order to maintain and build trust, while abiding by the law.
Learn more about Bill C-11.