Federal Government Introduces New Privacy Legislation

Vanessa Deschênes, Tara D’aigle-Curley & Étienne Nadeau
Lawyers, patent and trademark agents

On June 16, 2022, the federal government introduced Bill C-27[1] (“Bill C-27“), which was anticipated as a major reform of the Canadian Digital Charter. This new version of Bill C-11 (“Bill C-11″), which was abandoned in the wake of the 2021 election, aims to strengthen the protection of individuals’ personal information by establishing a legislative framework that balances the fundamental right to privacy with the growth of organizations operating in the digital and data-driven economy. It should be noted that a significant portion of Bill C-11, which we reported on in a previous publication, has been transferred to Bill C-27.

Therefore, Bill C-27 is divided into three parts: Part 1 covers the Consumer Privacy Protection Act[2] (“CPPA“), Part 2 covers the Personal Information and Data Protection Tribunal Act[3] (“Tribunal Act”) and Part 3 covers the Artificial Intelligence and Data Act[4] . This article will deal only with Parts 1 and 2, with Part 3 being dealt with in a subsequent article.

The provisions of Bill C-27 abrogate Part 1 of the Personal Information Protection and Electronic Documents Act[5] (“PIPEDA”), which dates back to the beginning of the millennium, and replace it with the new legal framework of the CPPA, which is specifically designed to deal with the challenges of the digital age. Focusing on giving individuals control over their personal information, protecting minors, giving new powers to the Privacy Commissioner and increasing enforcement against non-compliant businesses, this bill differs from its predecessor (Bill C-11) in some respects. However, the substance and structure of the Bill are the same, with the addition of new rights, exceptions, definitions and penalties.

This article provides a summary of the key details of Parts 1 and 2 of the proposed Bill C-27, including highlights of some of the new provisions (as compared to Bill C-11).


Part 1: The New Privacy Regime

 New rights for individuals

As was the case in Bill C-11, the new provisions of the CPPA provide individuals with new rights, in addition to the rights of access and rectification that already existed under PIPEDA. These rights include a right to information about automated decision-making systems[6] , a limited right to the mobility of personal information[7] (data portability) and a right to the removal (erasure) of personal information where applicable[8].

While the first two rights were already considered by Bill C-11, the right to erasure represents a major change brought about by the CPPA. Although subject to a number of exceptions[9] , this new right would make it possible to require the permanent and irreversible deletion of personal information. It should be noted that this right appears to be different from the right to de-index found in the amendments to the Act respecting the protection of personal information in the private sector (“AIPPS“) or to the “right to be forgotten” provided for in the General Data Protection Regulation (GDPR”)[10] .

Another important and noteworthy change from Bill C-11 is the exclusion of de-identified information from the definition of personal information for the purpose of exercising individual rights. Indeed, the rule of interpretation in section 2(3) of the CPPA states that personal information that has been de-identified is not considered to be personal information for the purposes of, among other things, the right of withdrawal, the right of access or rectification, and the right of portability. This means that de-identified information cannot be erased, corrected or made available at the request of the individual, nor can it be transferred as part of a mobility agreement between two organizations.  

Finally, Bill C-27 introduces a new private right of action in favour of an individual who suffers loss or damage as a result of an act or omission of an organization in contravention of the CPPA. The limitation period is two years from the date the individual becomes aware of a finding by the Commissioner, a decision by the Tribunal or a conviction for a violation of the Act, as the case may be.[11]

Notion of control and service providers

With respect to the notion of control as well as the provisions concerning service providers, it should be noted that Bill C-27 does not introduce any changes compared to Bill C-11. It should be noted that an organization is responsible of the personal information that is « under its control »[12]  even if it uses a service provider. [13]

With respect to service providers, Bill C-27 states that Part 1 of the CPPA regarding the obligations of organizations does not apply to them, except for sections 57 and 61.[14] Service providers will therefore be required to protect the personal information entrusted to them by means of physical, organizational and technical security measures[15] and to notify the organization to which they belong as soon as possible if they notice a breach of these security measures. [16]

Privacy Management Program

The requirement to implement privacy policies and practices[17] , which was already in the form of a “Privacy Management Program” under C-11[18] , remains and is enhanced by two additional requirements, namely to take into account the volume and sensitivity of personal information when developing the program[19] and to provide access to the program’s policies, practices and procedures to the Commissioner upon request.[20] Upon review, the Privacy Commissioner may provide advice or recommend corrective measures to the organization with respect to its privacy management program.[21]

Unlike the new version of AIPPS, Bill C-27 does not include a requirement to publish detailed information about an organization’s personal information management program.

Notion of acceptable ends

As was the case in Bill C-11, Bill C-27 codifies the case law that an organization may collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is required. [22]

As noted in our publication regarding the release of Bill C-11, the CPPA provides for assessing the legitimate interest for the collection, use and disclosure of personal information by an organization. This assessment must consider, among other things, the sensitivity of the personal information, the legitimate business needs of the organization and the availability of alternative means.

It should also be noted that a minor’s personal information is deemed sensitive[23] , which has an impact on, among other things, determining the legitimate interest of the purposes for which personal information is collected, used or disclosed.

New flexibility in consent requirements

It is interesting to note that Bill C-27 takes into account some of the recommendations made in the submissions on Bill C-11. Indeed, Bill C-27 clarifies the need to assess the notion of meaningful consent against objective standards. It also ensures that organizations understand the importance and impact of availing themselves of broader consent exceptions. 

Obtaining consent from the individual concerned by an organization collecting, using or disclosing personal information remains the rule, although the CPPA strikes a better balance by introducing some exceptions.[24] Section 15(4) of the CPPA creates an obligation for an organization to provide the information necessary for consent in plain language that is reasonably understandable to an individual affected by the organization’s activities. The Bill also introduces two new exceptions to consent. The first, the “business activities” exception, exempts an individual from the requirement to obtain consent if the collection or use of the individual’s personal information is for any of the following activities:

  • activities necessary to provide a product or service requested by the individual from the organization;
  • activities necessary for the security of the organization’s information, systems or networks;
  • the activities necessary to ensure the safety of a product or service that the organization provides;
  • any other prescribed activity.[25]

It is important to note, however, that an organization cannot presume implied consent when it collects or uses an individual’s personal information for a “business activity.[26] In addition, it should be noted that unlike Bill C-11, Bill C-27 no longer includes activities undertaken for the purpose of due diligence to reduce or prevent business risks in these “business activities”.

Finally, there is a second exception that allows an organization to collect or use an individual’s personal information without the individual’s knowledge or its consent if the collection or use is for an activity in which the organization has a legitimate interest that outweighs any negative impact the collection or use may have on the individual. [27]

Enhanced Commissioner’s Powers and Sanctions

The CPPA expands the Commissioner’s powers to audit the personal information management practices of organizations, allowing him to do so if he has reasonable grounds to believe that an organization is “contravening” or “likely to contravene” Part 1 of the CPPA, rather than only if he has grounds to believe that it “has contravened” that Part.[28] In addition to a general power to issue compliance orders[29] , he is given the power to recommend that a penalty be imposed by the Personal Information and Data Protection Tribunal on an offending organization in many cases, such as where an organization fails to ensure that its service provider protects personal information in its custody in a similar manner to the requirements of the CPPA, or where an organization fails to document the purposes for which personal information is collected, used or disclosed. [30]

In making this determination, the Commissioner shall consider the precautions taken by the organization to prevent the contravention, the reasonable efforts made by the organization to mitigate or offset the impact of the contravention, and any other matter prescribed by regulation.[31]

With respect to possible penalties, based on the findings set out in the decision that is rendered by the Commissioner, or on its own findings in appeal[32] , the Tribunal established under the Tribunal Act will have the power to impose penalties of up to the greater of $10 million or 3% of the organization’s aggregate gross revenues in its fiscal year preceding the year in which the penalty is imposed.[33]

The new CPPA also creates an offence for more serious violations of the law, with a maximum penalty of $25 million or, if greater, an amount equal to 5% of gross receipts in the fiscal year preceding the year of conviction.[34] Thus, any organization that knowingly violates :

  • The obligation to report to the Commissioner any breach of security measures that involves personal information under the control of the Commissioner if it is reasonable to believe that, in the circumstances, the breach poses a real risk of serious harm to an individual.[35]
  • The obligation to keep and maintain a record of all security breaches that relate to information under its control.[36]
  • The obligation to retain personal information that is the subject of an individual’s request for information or access for as long as necessary to allow the requester to exhaust all available recourses.[37]
  • A prohibition on the use of de-identified personal information, alone or in combination with other information, to identify an individual, subject to the specific exceptions to this prohibition.[38]
  • Prohibition of retaliation against a bona fide employee who complies with the law.[39]
  • A compliance order by the Commissioner[40]

Or who obstructs the Commissioner – or his or her delegate – in the course of an audit, investigation or complaint review.[41]

Anonymization and depersonalization

Bill C-27 makes significant changes to PL C-11, with respect to anonymization and de-identification. It introduces the definition of “anonymize” and modifies the definition of “de-identify”.

Thus, anonymization means to :

“Irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means “[42]

While de-identify is now defined as :

“Modifying personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.”[43]

The distinction between these processes is not unimportant, as section 6(5) of the Act states that the Act does not apply to personal information that has been anonymized.

Part 2: Tribunal Act

Part 2 of Bill C-27 enacts the enabling legislation that establishes the Personal Information and Data Protection Tribunal, which has jurisdiction over any appeal under sections 101 or 102 of the CPPA and the imposition of penalties under section 95 of that Act.[44] The Tribunal is composed of three to six members appointed on the recommendation of the Minister (of Industry, if not otherwise designated)[45] , and is not bound by the legal or technical rules of evidence applicable to hearings, provided that it cannot admit evidence that is inadmissible in a court of law.[46] It is also responsible for establishing its own rules of procedure, in accordance with the Tribunal Act and the CPPA. Its decisions are based on the burden of proof on a balance of probabilities[47] and must be reasoned, communicated to the parties and made public.[48] Decisions are not subject to appeal or judicial review, subject to judicial review under the Federal Courts Act.[49]


As we pointed out in our article on Bill C-11, the many legislative changes in the country with respect to the protection of personal information are likely to cause some headaches for businesses. Indeed, the analysis of Bill C-27 highlights the fact that the federal law, as well as the Quebec law recently amended by Bill 64[50] , are not, in every respect, similar. Add to this the anticipated changes in Ontario, Alberta and British Columbia and we have a nice potential mix of legislative inconsistencies if these considerations are not put forward by legislators. It will certainly be interesting to follow the evolution of this work across Canada!

[1] An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. Short Title: The Digital Charter Implementation Act of 2022.

[2] An Act to facilitate and promote electronic commerce through the protection of personal information collected, used or disclosed in the course of commercial activities.

[3] An Act to establish the Personal Information and Data Protection Tribunal.

[4] An Act respecting artificial intelligence systems and the data used in such systems.

[5] Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5).

[6] Art. 63(3).

[7] Art. 72.

[8] Art. 55(1).

[9] Art. 55(2).

[10] Art. 17 GDPR.

[11] Art. 107(3).

[12] Principle 4.1 in Schedule 1 of PIPEDA.

[13] Art. 7(2).

[14] Art. 11(2).

[15] Art. 57(1).

[16] Art. 61.

[17] Principle 4.1.4 of Schedule I of PIPEDA.

[18] 9(1) C-11.

[19] Art. 9(2).

[20] Art. 10(1).

[21] Art. 10(2).

[22] Art. 12(1) and (2).

[23] Art. 2(2).

[24] Art. 15(1).

[25] Art. 18(2).

[26] Art. 15(6).

[27] Art. 18(3).

[28] Section 97 of the CPPA and section 96 of Bill C-11.

[29] Art. 93(2).

[30] Art. 94(1).

[31] Art. 94(2).

[32] S. 95(2)

[33] Art. 95(4).

[34] Art. 128.

[35] Art. 58.

[36] Art. 60(1).

[37] Article 69.

[38] Article 75.

[39] Art. 127 (1).

[40] Art. 128 and 93(2).

[41] Art. 128.

[42] Art. 2.

[43] Id.

[44] Sections 4 and 5 of the Act.

[45] Art. 6(1), s. 2 CPPA.

[46] S. 15(1)(2) CPPA.

[47] Art. 15(5) Personal Information and Data Protection Tribunal Act (PIDPTA).

[48] Art. 17, art. 18 PIDPTA.

[49] Art. 21 PIDPTA.

[50] Art. 122(2)b).