Preparing for new privacy legislation in Canada: Part two

If you do business in Canada, get ready for this more rigorous (and more punitive) component of Bill C–27 - the Data Protection Tribunal Act

Neil Saddington, Privacy Program Director, OneTrust 
June 6, 2023

Earning and maintaining consumer trust is not just a good idea – it’s central to creating brand loyalty. Great companies know that loyalty is an asset that will pay dividends in terms of growth and profitability for years to come. And every company today recognizes that trust goes hand in hand with personal and data privacy. Protecting your customers’ information is more vital than ever before. 

Conversely, failing to protect your customers’ information is getting much more expensive, thanks to more laws and regulations and more costly penalties in jurisdictions around the world. Canada’s Bill C-27, introduced in 2022 and expected to become law this year, is one of the most recent examples of privacy statutes designed to give consumers more control over their personal information. The new legislation also amends the current approach to enforcement and penalties against companies. 

Bill C-27 – also known as the Digital Charter Implementation Act, 2022 – is designed to protect consumer privacy more fully through the Consumer Privacy Protection Act (CPPA); it also creates new requirements for “algorithmic transparency” through the Artificial Intelligence and Data Act. But Part 2 of Bill C-27 proposes a substantial transformation in the enforcement of the CPPA through a new organization, the Personal Information and Data Protection Tribunal, a specialized administrative body that will have the power to directly levy monetary penalties against organizations for contraventions of the CPPA. 

In other words, Bill C-27 demonstrates that Canada is taking personal and data privacy very seriously – and will give the country powerful new tools to ensure that companies doing business in Canada will do the same. The consequence is clear: If you don’t comply in Canada, you’re going to pay.  

Request a free trial. 


A new law with much stronger teeth 

It’s expected that Bill C-27 will become Canadian law sometime in 2023, and it will replace the Personal Information Protection and Electronic Document Act (PIPEDA) of 2000. It codifies into law the ten principles of Canada’s Digital Charter including “Strong Enforcement and Real Accountability.” Under PIPEDA, Canada’s federal Office of the Privacy Commissioner (OPC) is responsible for enforcement of the PIPEDA and substantial powers of investigation and audit, however reports are generally nonbidning – it could “name and shame” a company to nudge it towards compliance, but is required at the moment to apply to the federal court to request enforcement of recommendations.  

For example, consider the 2019 data breach at a Canadian financial services firm, which affected more than 40% of the company’s clients and members and went unreported for six months. The breach quickly became headline news, and eventually, the Privacy Commission issued a report highlighting the firm’s lack of oversight and accountability and made several recommendations. In this case, the OPC was restricted to issuing recommendations only and was unable to levy any administrative monetary penalty – although it is worth noting that a class action was brought directly by those affected by the breach. Under the proposed Personal Information and Data Protection Tribunal Act, this would change as the OPC would be able to make recommendations to the newly established Tribunal, and any decision of the Tribunal would be final and binding, and not subject to appeal. 

Consequently, both the OPC and the new Tribunal will have substantially more power to enforce certain provisions of Bill C-27 directly against organizations. If you do business in Canada, you’re going to have to be much more vigilant and accountable about how you’re gathering and using data. You’ll be required to create and maintain privacy management programs that reflect the volume and sensitivity of the information being collected. If you don’t comply, you can face administrative monetary penalties. 


Data breach notification under Bill C-27 

One area in particular will be the notification of data breaches. Companies doing business in Canada will have to be more proactive (and faster) about reporting data breaches and failing to do so will potentially cost  a substantial amount, in addition to any hit to your reputation. Under section 94(1) of the CPPA, failure to implement sufficient security safeguards that result in a data breach could see companies liable for AMPs of up to 3% of global annual revenue or CAN$10 million – whichever is higher. Significantly, failing to report a data breach is even more expensive: the maximum fine is 5% of global revenue or CAN$25 million (again, whichever number is higher).  

If this sounds a bit like the European Union’s General Data Protection Regulation (GDPR), you’re right. Canada and others (notably several states in the U.S.) have used GDPR as a model for the monitoring and enforcement of data privacy.  

Data breaches, of course, generate headlines but Now they can also result in substantial penalties. And is important to note that data breaches are not the only situations where AMPs may be levied. Under the new law, the Tribunal will be able to impose fines for misusing personal information or not enabling proper access to collected information by consumers. They have a right to know what’s been collected about them and the right to have it disposed of properly, if desired. Finally, under section 107(1) of the new privacy legislation, individuals whose privacy rights have been violated will be able to bring a private right of action against the company responsible – another potential source of reputational damage and financial exposure. 

The Tribunal will also hear appeals of decisions made by Canada’s Privacy Commissioner, so companies can contest those decisions. 


What you should be doing to prepare

Your company should already be actively engaged in ensuring that you closely govern what kind of information you gather from customers and users as well as how you collect, store, and manage that data – legislation or no legislation. Failing to do this will put your reputation at risk.  

But given the likely passage of Bill C-27 and the establishment of the new Tribunal, you should also make sure your privacy management strategy is up to date. Put automated systems and guardrails in place to ensure compliance with the new provisions of the law in general and to monitor for data breaches. Doing so will help you avoid problems in the first place – and if a problem does occur, you should be able to identify it and report it quickly, which will help you avoid penalties.  

Companies doing business in Canada can leverage OneTrust to comply with Bill C-27. Our consent and preference management, privacy rights automation, and digital policy management solutions, along with our DataGuidance research, help companies worldwide to manage the collection, protection, and transferability of personal information.  


To see how OneTrust can help you prepare for the reality of Bill C-27, request a free trial today.

You may also like


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more


Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more