Legislative Summary of Bill C-11: An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts

Legislative Summary
Legislative Summary of Bill C-11: An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts
Sabrina Charland, Legal and Social Affairs Division
Alexandra Savoie, Economics, Resources and International Affairs Division
Ryan van den Berg, Economics, Resources and International Affairs Division
Publication No. 43-2-C11-E
PDF 2025, (30 Pages) PDF
2020-12-10

Contents

Any substantive changes in this Legislative Summary that have been made since the preceding issue are indicated in bold print.


1  Background

On 17 November 2020, the Minister of Innovation, Science and Industry introduced Bill C-11 in the House of Commons.1 The bill creates two new pieces of legislation: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (Tribunal Act). The bill repeals Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and changes the short title to the Electronic Documents Act.

This is the first bill to fully reform the federal legislation on privacy in the private sector since PIPEDA was adopted in 2000.2

In general, the CPPA:

  • codifies the contents of the fair information principles set out in Schedule 1 of PIPEDA by rewording them as legislative provisions;
  • maintains valid consent as the legal basis for the collection, use or disclosure of personal information by an organization (section 15);
  • includes several exceptions to the requirement for consent, including two new exceptions related to the business activities of an organization and the disclosure of personal information for socially beneficial purposes (sections 18 and 39);
  • includes the right to erasure (section 55);
  • incorporates the concept of algorithmic transparency in the form of a right to an explanation concerning decisions made by an automated decision system (sections 62 and 63);
  • incorporates the concept of data portability by allowing two organizations to disclose personal information between them under a data mobility framework provided under the regulations (section 72);
  • sets out obligations to de‑identify personal information (sections 74 and 75);
  • grants the Privacy Commissioner (the Commissioner) additional powers, including the ability to make decisions, issue orders and recommend that the new administrative tribunal created by the bill impose a maximum penalty that is the higher of $10,000,000 and 3% of an organization's gross global revenue (sections 92 to 94); and
  • provides for a maximum fine not exceeding the higher of $25,000,000 and 5% of an organization's gross global revenue in the case of a conviction for contravening certain specific provisions of the CPPA or in the case of obstructing the Commissioner's work (section 125).

As for the Tribunal Act, it establishes the Personal Information and Data Protection Tribunal (the Tribunal) and defines the internal operation and principles on which its proceedings are founded.

1.1  Canada's Digital Charter

The short title of the bill is the Digital Charter Implementation Act, 2020. Canada's Digital Charter (the Charter) was unveiled by Innovation, Science and Economic Development Canada (ISED) in 2019.3 The Charter is the result of consultations that began in June 2018 with many stakeholders.4 The 10 principles set out in the Charter include:

  • control and consent;
  • transparency, portability and interoperability; and
  • strong enforcement and real accountability by imposing clear and meaningful penalties for violations of the laws and by adopting regulations that support the principles set out in the Charter.

After releasing the Charter, ISED issued a discussion paper on PIPEDA reform, outlining issues and possible legislative amendments.5 The bill appears to stem from those consultations.

1.2  Calls for Reform of the Personal Information Protection and Electronic Documents Act

The bill responds to several calls for reform, including by the Commissioner and the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the Committee).

For example, in his 2018–2019 annual report on privacy law reform, the Commissioner recommended the modernization of federal privacy laws, including PIPEDA. Among other things, he recommended a rights-based approach for protecting the privacy of Canadians, proactive inspection powers without grounds and privacy by design obligations.6

In his 2019–2020 annual report on privacy in a pandemic, the Commissioner reasserted the need to reform federal privacy laws, including PIPEDA. He noted that “[t]he law is simply not up to protecting our rights in a digital environment.” 7 More recently, he made proposals for regulating artificial intelligence, including suggestions for amending PIPEDA.8

The Committee has recommended a number of amendments to be made to PIPEDA in recent years, including in its 2018 report on the review of PIPEDA.9 Numerous recommendations for modernizing PIPEDA were also made in the two reports the Committee published in 2018 as part of its study of the breach of personal information involving Cambridge Analytica and Facebook.10

The bill appears to address some of the past recommendations made by the Commissioner or the Committee, particularly by granting additional powers to the Commissioner, introducing a tougher regime of monetary penalties and incorporating the concepts of data portability and algorithmic transparency into the CPPA.

1.3  Adequacy Status with the European Union

Under the General Data Protection Regulation (GDPR) of the European Union (EU), personal data may be transferred to a third country or an international organization when the European Commission (EC) finds that the third party or international organization ensures an adequate level of protection.11

In 2001, under Directive 95/46/EC in effect at that time, the EC recognized that PIPEDA adequately protected personal data with respect to the disclosure of personal information in the course of commercial activities. That adequacy was reaffirmed in 2006.12

The GDPR replaces that directive. It came into effect on 25 May 2018 and provides for the continuity of existing EU adequacy decisions until they are reassessed.13 Canada, therefore, maintains its adequacy status for the moment. However, the EU must soon reassess the adequacy of the federal legislation on privacy in the private sector against the GDPR.

The adequacy status ensures that data processed in accordance with the GDPR can be transferred from the EU to Canada, or vice versa, without requiring additional data protection guarantees (e.g., a contractual agreement).14

Since 2016, the EC is required to monitor the development of Canada's legal framework to determine whether Canada continues to ensure an adequate level of protection. The Government of Canada submits update reports to the EC regarding developments in data protection law in Canada.15 The exact date of the reassessment of Canada's adequacy status is not known, but the GDPR provides for a reassessment every four years, which would mean no later than 2022.16

2  Description and Analysis

The bill contains 37 clauses and is divided into three parts:

  • Part 1 contains the full text of the new CPPA, the consequential and related amendments, terminology changes, transitional provisions and coordinating amendments (clauses 2 to 34).
  • Part 2 contains the text of the Tribunal Act (clauses 35 and 36).
  • Part 3 contains the coming into force provision (clause 37).

Other than clause 34, which contains coordinating amendments, the bill's provisions come into force on a day to be fixed by order of the Governor in Council.

The following describes selected aspects of the bill; it does not review all of its provisions or those of the two Acts created by the bill.

2.1  The Consumer Privacy Protection Act and Other Provisions (Clause 2 of the Bill)

Clause 2 presents the CPPA as legislation “to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in the course of commercial activities.” The CPPA is divided into two parts.

Part 1 of the CPPA deals with the organizations' obligations as they relate to the protection of personal information (sections 7 to 75). Part 2 of the CPPA deals with the Commissioner's powers, duties and functions and contains general provisions (sections 76 to 126).

The CPPA reiterates several elements of PIPEDA, but structured more like standard legislative text. The wording in PIPEDA refers to fair information principles in Schedule 1 (the principles set out in Schedule 1 of PIPEDA). These principles are not worded using legislative language.17 In the CPPA, these principles are incorporated into the text of the Act, using conventional legislative wording.18

The CPPA imposes numerous obligations on the organization to which it applies, including the development of a privacy management program and data minimization obligations.

The relevant provisions of the CPPA are described in greater detail below.

2.1.1  Authorized Representatives (Section 4 of the CPPA)

The CPPA states that the rights and recourses provided under the Act may be exercised by a person authorized by law to administer the affairs or property of a minor or a deceased individual, or by any person authorized in writing to do so by the individual. There is no such provision in PIPEDA.

2.1.2  Purpose (Section 5 of the CPPA)

The purpose of the CPPA remains essentially the same as that of PIPEDA: to establish rules governing the protection of personal information in a manner that recognizes individuals' right of privacy and organizations' need to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances (section 5).

In his statement concerning the tabling of the bill, however, the Commissioner stated:

Bill C-11 opens the door to new commercial uses of personal information without consent but does not specify that such uses are conditional on privacy rights being respected. Rather, the Bill essentially repeats the purpose clause of the current legislation, which gives equal weight to privacy and the commercial interests of organizations.19

Although the purpose remains essentially the same, the context in which these rules governing the protection of personal information are established has nevertheless been modified to indicate that they are established “in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information” (section 5).

2.1.3  Application (Section 6 of the CPPA)

The CPPA applies to every organization in respect of personal information that it collects, uses or discloses in the course of commercial activities or the personal information of its employees or job applicants (section 6(1)). The application of the CPPA is the same as that of PIPEDA.

However, under the CPPA, the definition of “commercial activity” has changed. It means “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization's objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome” (section 2).

The title of the CPPA identifies the “consumer” as the beneficiary of the protections it offers. However, the term “individual” is used in the provisions of the CPPA.

The CPPA states that it also applies to the collection, use or disclosure of personal information by an organization interprovincially, internationally, and except if the organization is exempt from the application of the CPPA under section 119(2)(b), within a province (section 6(2)). Section 119(2)(b) sets out the process by which a province may have its provincial legislation recognized as “substantially similar” to PIPEDA.20

PIPEDA does not contain any explicit provision concerning its extraterritorial application to organizations that do not operate in Canada.21

2.1.4  Accountability of Organizations (Sections 7 to 11 of the CPPA)

Under the CPPA, all organizations are accountable for personal information under their control.22 Information is under the control of an organization when it determines the purposes for its collection, use or disclosure. The CPPA states that an organization retains this accountability, even if a service provider carries out the activities on its behalf. The obligations set out in the CPPA do not apply to a service provider in terms of the information transferred to it by an organization (unless it collects, uses or discloses it for purposes other than those for which the information was transferred to the organization). The organization also ensures that all service providers to which it transfers personal information provide the same protection that it provides under the CPPA, itself (sections 7 and 11).

Each organization designates at least one individual to be responsible for matters related to the organization's obligations under the CPPA and implements a privacy management program. This program covers the policies, practices and procedures the organization has put in place to fulfill its obligations under the CPPA. It takes into account the volume and sensitivity of the personal information under the control of the organization (sections 8 and 9).

The organization also gives the Commissioner access to the program, when requested (section 10).

2.1.5  Appropriate Purposes for the Collection, Use and Disclosure of Personal Information and Applicable Limitations (Sections 12 to 14 of the CPPA)

Sections 12 to 14 of the CPPA apply a necessity and proportionality test for the collection, use and disclosure of personal information.23

The CPPA states that an organization can only collect, use or communicate personal information “for purposes that a reasonable person would consider appropriate in the circumstances” (section 12(1)). It lists the factors to consider when determining whether the purposes are appropriate. These factors are:

  • the sensitivity of the personal information;
  • whether the purposes represent legitimate business needs of the organization;
  • the effectiveness of the collection, use or disclosure in meeting these needs;
  • the existence of less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
  • whether the individual's loss of privacy is proportionate to the benefits.

The appropriate purposes must be determined at or before the time of the collection and these purposes must be recorded (section 12(3)). The CPPA does not specify how they are to be recorded.

The organization may collect, use or disclose only the personal information that is necessary for the purposes determined for collection. If it wants to use or disclose information gathered for a new purpose, it must record that new purpose and obtain the individual's valid consent, unless an exception to consent applies (sections 12(4), 13 and 14).

2.1.6  Consent (Sections 15 to 17 of the CPPA)

Consent remains the default legal basis for an organization to collect, use and disclose personal information under the CPPA (section 15). Without consent, an organization must justify the collection, use or disclosure of personal information based on an exception. There are many exceptions to consent under the CPPA, and they are summarized in section 2.1.7, below.

Under the CPPA, consent is valid only if the organization provides certain information, in plain language, to the individual (section 15(3)). The information is as follows:

  • the purposes for the collection, use or disclosure of the personal information;
  • the way in which the personal information is to be collected, used or disclosed;
  • any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
  • the specific type of personal information that is to be collected, used or disclosed; and
  • the names of any third parties or types of third parties to which the organization may disclose the personal information.

In comparison, PIPEDA provides that consent “is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting” (section 6.1 of PIPEDA).

Under the CPPA, an organization may determine that implied consent is appropriate in certain circumstances, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed (section 15(4)). An organization must not obtain or attempt to obtain an individual's consent using deceptive or misleading practices (section 16). Moreover, an individual may, at any time, withdraw their consent, with reasonable notice, and unless prevented by the CPPA, a federal or provincial law, or a “reasonable” contract (section 17).

2.1.7  Exceptions to Requirement for Consent (Sections 18 to 52 of the CPPA)

There are six categories of exceptions that allow for the collection, use or disclosure of personal information without the individual's knowledge or consent:

  • the organization's business activities (sections 18 to 28);
  • public interest (sections 29 to 39);
  • investigations (sections 40 to 42);
  • disclosures to government institutions (sections 43 to 48);
  • required by law (sections 49 and 50); and
  • publicly available information (section 51).

The exceptions set out in sections 23 to 38 and 40 to 51 contain essentially the same content as in sections 7 and 7.2 to 7.4 and sections 10.2(3) and 10.2(4) of PIPEDA. The new exceptions set out in the CPPA are examined below.

A new exception to consent related to “business activities” allows an organization to collect or use personal information about an individual without their knowledge or consent, if the collection or use is made for a business activity. The collection or use must also meet two conditions: a reasonable person would expect such a collection or use, and the personal information is not collected or used for the purpose of influencing the individual's behaviour or decisions (section 18(1)).

The business activities covered by this exception include the organization's activities that are necessary to provide or deliver a product or service requested by an individual, and “an activity in the course of which obtaining the individual's consent would be impracticable because the organization does not have a direct relationship with the individual” (section 18(2)).

Under the CPPA, an organization may also transfer an individual's personal information to a service provider without the individual's knowledge or consent (section 19). It can also use an individual's personal information without their knowledge or consent to de‑identify the information (section 20). In section 2 of the CPPA:

de-identify means to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.

An organization may use de-identified information for internal research and development purposes without the individual's knowledge or consent (section 21). It may also use or disclose personal information without consent as part of a prospective business transaction, but under the CPPA, that information must be de‑identified and it must be necessary to determine whether the transaction will take place. The organization receiving the personal information must also commit, in an agreement between the two organizations that will be party to a potential business transaction, to disclose the information only for the purposes of the transaction and to protect it, and if the transaction does not take place, to return it to the organization that disclosed it or dispose of it within a reasonable time (section 22).

The CPPA also provides a new exemption to consent that allows an organization to disclose personal information without the individual's knowledge or consent for a “socially beneficial purpose.” This means “a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose” (section 39). Information can only be disclosed for socially beneficial purposes if the following conditions are met:

  • the information is de-identified;
  • the information is disclosed to a public organization (government institution, health care institution or post-secondary educational institution or public library in Canada), an organization mandated under a federal or provincial law, or by a prescribed entity to carry out a socially beneficial purpose; and
  • the disclosure is made for a socially beneficial purpose.

Section 52 states that an organization cannot rely on certain exceptions to consent if it collects an individual's electronic address without their knowledge or consent using a specialized computer program or using an email address collected this way. An organization also cannot rely on an exception if it collects an individual's personal information, without their knowledge or consent, by using a computer or having one used in contravention of federal legislation. It essentially reiterates the terms of section 7.1 of PIPEDA.

2.1.8  Retention, Disposal and Accuracy of Personal Information (Sections 53 to 56 of the CPPA)

Sections 53 to 56 of the CPPA cover the limitations that apply to the period for retention of personal information and its accuracy:24

  • personal information is only retained for the time needed to fulfill the purposes for which the information was collected, used or disclosed, or to comply with the requirements of the Act, federal or provincial law or any reasonable terms of a contract (section 53);
  • an organization that uses personal information to make a decision about an individual must retain the information for a sufficient period of time to permit the individual to make a request for information or access (section 54); and
  • an organization must take reasonable steps to ensure that personal information under its control is up to date, accurate and complete, and the extent to which the information must be up to date, accurate and complete takes into account the individual's interests and other factors, such as the possibility that the information is used to make a decision about the individual, the fact that the information is used on an ongoing basis, and the fact that the information is disclosed to third parties (section 56).

The CPPA introduces a new explicit right to dispose of personal information that an organization has collected from an individual (right to erasure). At an individual's request, the organization proceeds with disposal unless doing so would result in the disposal of personal information about another individual and the information is not severable, or legal requirements or reasonable terms of a contract prevent it from doing so. If the organization refuses to dispose of an individual's personal information, it informs the individual in writing of its refusal and its reasons and notify the individual of their right to file a complaint with the organization or the Commissioner. The organization must also notify all service providers to which the information was transferred that a request for disposal has been made, and obtain confirmation from the service provider that it has disposed of the information (section 55).

2.1.9  Security Safeguards (Sections 57 to 61 of the CPPA)

Under the CPPA, an organization must protect the personal information that it holds25 through physical, organizational or technological security safeguards, and the level of protection must be proportionate to the sensitivity of the information. The safeguards must also take into consideration the quantity, distribution, format and storage method of the information (section 57).

The CPPA also imports the content of sections 10.1 to 10.3 of PIPEDA, which set out a system for reporting breaches of security safeguards (sections 58 to 60).

The system requires an organization to report to the Commissioner any breach of security safeguards concerning personal information under its control “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” It must also inform the individual as soon as possible (section 58). Significant harm can happen in various forms, for example bodily harm, humiliation and damage to reputation or relationships (section 58(7)).

An organization that notifies an individual of a breach of security safeguards that concern them must also notify any other organization or government institution that may be able to reduce or mitigate the risk of harm that could result from the breach (section 59). It keeps a record of breaches of security safeguards involving personal information and gives the Commissioner access to the record upon request (section 60). Where a service provider determines that a breach of security safeguards involving personal information has occurred, it must, as soon as feasible, notify the organization that controls the personal information (section 61).

2.1.10  Openness and Transparency (Section 62 of the CPPA)

The CPPA requires that an organization make readily available information on its policies and practices aimed at complying with the Act.26 The information that an organization must make accessible includes:

  • whether it carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications; and
  • a general account of its use of automated decision systems to make predictions, recommendations or decisions that could have a significant impact on individuals.

In the first category of information, an organization is required to make available information about its cross-border data flows, but only if it has determined that these exchanges may have privacy implications for the individuals involved.

With respect to the second category of information an organization must provide, the term “automated decision systems” is defined as follows in section 2 of the CPPA:

Technology that assists or replaces the judgment of human decision‑makers using techniques such as rules-based systems, regression analysis, predictive analysis, machine learning, deep learning and neural nets.

Section 62, therefore, introduces the concept of algorithmic transparency into the CPPA, in the form of a right to explanation. This right to explanation is also found in section 63 of the CPPA.

2.1.11  Access to and Amendment of Personal Information (Sections 63 to 71 of the CPPA)

Upon request by an individual, an organization indicates whether it has personal information about them, how it uses the information and whether it has disclosed it. If the organization has used an automated decision system to make a prediction, recommendation or decision about an individual, that individual may request an explanation from the organization about the prediction, recommendation or decision. The organization must then indicate how the personal information used to make the prediction, recommendation or decision was obtained. The individual makes an access request in writing (sections 63 and 64).27

The CPPA introduces the obligation to provide all the information requested in plain language (section 66), which should prevent the provision of lengthy documents written in complex legal terms.

The organization responds to the information request no later than 30 days after it is received, unless the organization informs the individual, within 30 days following the receipt of the request, that the time limit will be extended (for a maximum of 30 additional days) or that a longer period is needed to convert the personal information into an alternative format. Refusal to comply with the information request must be justified; in this case, the organization explains to the individual the reason for refusal and advises them of any recourse they may have (section 67). The organization may charge a minimal fee for processing a request (section 68). Personal information that is the subject of a request for information or access must be retained long enough to allow the individual to exhaust any recourse they may have under the CPPA (section 69).

The organization must not give an individual access to personal information that reveals personal information about another individual, unless the information is severable, the other individual consents to the disclosure, or the requester needs the information because an individual's life, health or security is threatened (sections 70(1) and 70(2)).

If an individual asks an organization to notify them of any disclosure made to a government institution under the exceptions to consent set out in sections 44 to 48 or 50 of the CPPA, or of the existence of any information it has relating to such a disclosure, the organization notifies the government institution involved. Within 30 days of receiving the request, the institution notifies the organization that it does or does not object to providing the requested information to the individual. The institution can only object in certain circumstances, such as when it is of the opinion that fulfilling the request for information or access could pose a risk to national security or law enforcement (sections 70(3) to 70(5)).

If an institution objects, the organization refuses to fulfill the request for information or access, notifies the Commissioner in writing of the refusal and does not give the individual access to any information relating to a disclosure to a government institution. In that context, the organization does not give the individual the name of the government institution it notified, nor does it inform the individual about the institution's objection to the organization fulfilling their request (section 70(6)).

The organization may also refuse to disclose personal information to an individual who requests information in certain specific cases (section 70(7)):

  • the information is protected by solicitor–client privilege or the professional secrecy of advocates and notaries or by litigation privilege;
  • disclosure would reveal confidential commercial information;
  • disclosure could threaten the life or security of another individual;
  • the information was collected without the individual's knowledge or consent in the course of an investigation into a breach of an agreement or a violation of federal or provincial law and collecting it otherwise would have compromised the availability or the accuracy of the information;
  • the information was generated in the course of a formal dispute resolution process; or
  • the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into such a disclosure.

With respect to amendment of personal information, if an individual has been given access to their personal information and demonstrates to an organization that the information is outdated, inaccurate or incomplete, the organization must make the necessary amendments, and if appropriate, transmit the amended information to any third party that has access to the information. If a disagreement arises between the organization and the individual concerning the amendments to be made, the organization must record the disagreement and the third parties must be informed (section 71).

2.1.12  Mobility of Personal Information (Section 72 of the CPPA)

The CPPA incorporates the concept of data portability into the Act as a right to the mobility of personal information. This right allows an individual to request that the personal information collected from them by one organization be transmitted to another organization chosen by the individual. However, this transfer is only allowed if both organizations involved are subject to a data mobility framework set out in future regulations.

2.1.13  De-identification of Personal Information (Sections 74 and 75 of the CPPA)

The CPPA provides that, when an organization de-identifies personal information, it must use technical and administrative measures that are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information. It does not define the term “technical and administrative measures” (section 74). It also prohibits the use of de-identified information, alone or in combination with other information, to identify an individual. In other words, it prohibits the re-identification or personal information (section 75).

2.1.14  Codes of Practice and Certification Programs (Sections 76 to 81 of the CPPA)

Under section 24 of PIPEDA, the Commissioner encourages organizations to develop detailed policies – particularly codes of practice – to comply with the requirements of the Act.

The CPPA includes a more comprehensive regime that allows an organization to ask the Commissioner to approve a code of practice or a certification program under criteria to be established by regulation. The certification program must include several elements, including a code of practice, guidelines for interpreting and implementing the code and a mechanism for the independent verification of an organization's compliance with the code. The Commissioner's decision to approve a code of practice or a certification program is made public (sections 76 to 79). Compliance with a code of practice or a certification program does not relieve an organization of its obligations under the CPPA (section 80). Under this regime, the Commissioner has certain powers, for example, the authority to request information from any entity that manages a certification program or to revoke a certification program in accordance with the regulations (section 81).

2.1.15  Investigation of Complaints, Inquiries, Penalties and Appeals (Sections 82 to 95 and 100 to 105 of the CPPA)

Sections 82 to 87 of the CPPA set out the complaint process under the Act and the circumstances in which the Commissioner can refuse to investigate a complaint or discontinue an investigation. They substantially replicate the content of sections 11, 12 and 12.2 of PIPEDA.28 The CPPA, however, contains a new ground based on which the Commissioner can refuse to investigate a complaint deemed inadmissible, namely if “the complaint raises an issue in respect of which a certification that was approved by the Commissioner … and the organization is certified under that program” (section 83(1)(d)). The Commissioner may also discontinue the investigation of a complaint if the circumstances set out in section 83(1)(d) exist (section 85).

The Commissioner may attempt to resolve a complaint through mediation or conciliation and may enter into a compliance agreement with an organization to ensure compliance with the CPPA (sections 84 and 86). If the Commissioner discontinues the investigation of a complaint, or if the Commissioner determines upon concluding the investigation that an inquiry will not be conducted, the Commissioner must notify both the complainant and the organization involved in the complaint and give reasons for the decision (section 87).

The inquiry process under the CPPA replaces sections 14 to 17 of PIPEDA, which provided for the possibility of recourse before the Federal Court following the investigation of a complaint by the Commissioner and the Commissioner's summary report of findings and non-binding recommendations.

Under the CPPA, once the investigation of a complaint is completed, the Commissioner can give notice to the complainant and the organization that an inquiry into the complaint will be conducted. The Commissioner can also conduct an inquiry if reasonable grounds exist to believe that a compliance agreement has not been complied with (sections 88 and 89). In an inquiry under the CPPA, the Commissioner is not bound by the legal or technical rules of evidence. Rather, the Commissioner tries to deal with the matter informally and expeditiously, and is free to establish the procedure to be followed in the conduct of an inquiry. The Commissioner must make that procedure public (sections 90 and 91).

Upon completing the inquiry, the Commissioner makes a decision that sets out their findings as to whether the organization contravened the CPPA or failed to comply with a compliance agreement, any order made, or any recommendation to the Tribunal to impose a penalty. The Commissioner also specifies the reasons for their findings, orders or decisions to make recommendations (section 92). Under section 92(2) of the CPPA, the Commissioner can order an organization to:

  • take measures to comply with the CPPA;
  • stop doing anything that is in contravention of it;
  • comply with the terms of a compliance agreement to which it is a party; or
  • make public any measures it takes to correct its policies, practices or procedures for safeguarding personal information.

The order made by the Commissioner (or by the Tribunal as the result of an appeal) may be made an order of the Federal Court for the purpose of its enforcement (sections 103 to 105).

The CPPA does not give the Commissioner the power to impose a penalty. Only the Tribunal can impose a penalty by recommendation of the Commissioner or of its own initiative as the result of an appeal, if the Commissioner has not made any such recommendation.

The Commissioner recommends a penalty if it is determined that an organization has contravened one or more specific provisions of the CPPA.29 The Commissioner must consider certain factors, including the nature and scope of the violation, any compensation paid voluntarily by the organization to the individual and the organization's history of compliance with the CPPA. The Commissioner cannot recommend a penalty if it is determined that, at the time of the violation of a CPPA provision, the organization was compliant with the requirements of an approved certification program in relation to that provision (section 93).

Any decision, finding or order by the Commissioner can be appealed to the Tribunal, which may dismiss the appeal or allow it and substitute its own finding, order or decision for that of the Commissioner. The standard of review for an appeal is set out in the CPPA (sections 100 to 102).

The Tribunal may, by order, impose a penalty on an organization, if it has received a recommendation from the Commissioner, or if, in an appeal under section 100(1) of the CPPA, it determines that it is appropriate to impose one, even if the Commissioner has not recommended it. In deciding whether to impose a penalty on an organization, the Tribunal relies on the findings set out in the Commissioner's decision (or its own findings, if it substitutes them for those of the Commissioner in an appeal) (sections 94(1) and 94(2)). A penalty cannot be imposed on an organization for contravening the CPPA if a prosecution for the act or omission that constitutes the contravention has been instituted against the organization, or if the organization establishes that it exercised due diligence to prevent a violation of the CPPA (section 94(3)).

The maximum penalty for all violations is the higher of “$10,000,000 and 3% of the organization's gross global revenue in its financial year before the one in which the penalty is imposed” (section 94(4)). To determine the amount of the penalty, the Tribunal must consider:

  • the factors to be considered by the Commissioner before making a recommendation to the Tribunal;
  • the organization's ability to pay the penalty and the likely effect of paying the penalty on the organization's ability to carry on its business; and
  • any financial benefit that the organization obtained from contravening the CPPA.

The CPPA states that the purpose of a penalty is not to punish, but to promote compliance with this Act (section 94(6)).

2.1.16  Audits (Sections 96 and 97 of the CPPA)

The Commissioner may, with reasonable notice, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization has contravened Part 1 of the CPPA. After the audit, the Commissioner presents his findings and recommendations considered appropriate to the organization (sections 96 and 97).

2.1.17  Commissioner's Powers, Duties and Functions (Sections 98, 99 and 108 to 118 of the CPPA)

Most of the Commissioner's powers, duties and functions under the CPPA are the same as under PIPEDA.

For instance, in terms of investigations, inquiries and audits, the Commissioner can summon and enforce the appearance of witnesses before the Commissioner or visit any premises occupied by an organization. However, under the CPPA, the Commissioner may also make an interim order or order an organization to retain relevant information for as long as is needed to investigate a complaint, or to conduct an inquiry or audit (sections 98 and 99).

In addition, in carrying out the Commissioner's duties and functions, the Commissioner also takes into account the purpose of the Act, the organization's size and revenues, the volume and sensitivity of the personal information under the organization's control, and matters of general public interest (section 108).

The Commissioner retains the mandate of promoting the purpose of the CPPA and can now also advise an organization on its privacy management program (section 109). The Commissioner must also make public information about how they exercise the duties and functions entrusted to them under the CPPA (section 111).

Under section 112, the Commissioner and persons acting on the Commissioner's behalf or under the Commissioner's direction must not disclose any information they receive in carrying out almost all of their duties and functions set out in the CPPA. However, the Commissioner may make public any information learned in the exercise of his powers or the performance of his duties or functions under the Act, if he considers it in the public interest to do so (section 112(3)). The Commissioner can also disclose or authorize the disclosure of information in some circumstances, for instance at a hearing or an appeal before the Tribunal or to the Attorney General of Canada, or if the Commissioner is of the opinion that evidence exists of the commission of offences under federal or provincial law by an officer or employee of an organization (sections 112(4) to 112(8)).

The Commissioner and persons acting on behalf or under the direction of the Commissioner may be called to testify on matters that come to their knowledge as a result of exercising the Commissioner's duties or functions under the CPPA, but only in three circumstances: as part of the prosecution for an offence under section 125 of the CPPA; as part of the prosecution for an offence under the Criminal Code (perjury) concerning a statement made under the CPPA; or, as part of a proceeding or an appeal before the Tribunal (section 113).

No criminal or civil proceedings may be brought against the Commissioner or persons acting on behalf or under the direction of the Commissioner for anything done in good faith while exercising their duties. They also have immunity from defamation proceedings (section 114).

Under the CPPA, the Commissioner may enter into agreements or arrangements with the Canadian Radio-television and Telecommunications Commission (CRTC) or the Commissioner of Competition in order to undertake research on issues of mutual interest and publish the findings (section 115). The Commissioner may consult with provincial counterparts to ensure that the protection of personal information is as consistent as possible and to enter into agreements or arrangements with them, particularly to coordinate the activities of their respective offices by providing mechanisms to handle any complaint in which they both have an interest. Under the procedure set out in the agreement or arrangement, the Commissioner can also provide information that may be of use to the Commissioner's counterparts or assist them as they carry out their duties and functions to protect personal information (section 116).

The Commissioner may also disclose some information to a person or organization that, under foreign legislation, has powers, duties and functions similar to those of the Commissioner, or is responsible for suppressing conduct similar to that which contravenes CPPA. Information can only be disclosed if the two parties have entered into a written agreement (section 117).

The Commissioner tables, in each House of Parliament, an annual report on the application of the CPPA, on the extent to which the provinces enacted substantially similar legislation and on the application of any such provincial legislation (section 118).

2.1.18  Private Right of Action (Section 106 of the CPPA)

The CPPA introduces a private right of action that gives a cause of action for damages to an individual affected by the acts or omissions of an organization that has contravened the CPPA. Action can only be brought if the Commissioner or the Tribunal finds that the organization has contravened the CPPA or if the organization is fined for a contravention of the CPPA under section 125. A limitation period of two years applies to this right.

2.1.19  Fines (Section 125 of the CPPA)

Section 125 provides that any organization that contravenes certain specific provisions of the CPPA (sections 58, 60(1), 69, 75 and 124(1)) or an order made by the Commissioner, or that obstructs the work of the Commissioner's office during an inquiry or audit, is:

  1. guilty of an indictable offence and liable to a fine not exceeding the higher of $25,000,000 and 5% of the organization's gross global revenue earned in its financial year before the one in which the organization is sentenced; or
  2. guilty of an offence punishable on summary conviction and liable to a fine not exceeding the higher of $20,000,000 and 4% of the organization's gross global revenue in its financial year before the one in which the organization is sentenced.

This represents a considerable increase in the fines set out in section 28 of PIPEDA, where the maximum fine for an offence under that Act was $100,000. These fines are imposed not by the Tribunal, but by a court following prosecution for an offence, at the discretion of the Attorney General of Canada.

2.1.20  General Provisions (Sections 119 to 124 and 126 of the CPPA)

The Governor in Council may make regulations for carrying out the purposes and provisions of the CPPA, for example, to govern the scope of the business activities set out in section 18 (section 119(1)(a)). The Governor in Council may also, by order, provide for certain things, particularly, which organizations are exempt from the application of the CPPA when provincial legislation recognized as being substantially similar to CPPA applies (section 119(2)). The Governor in Council may also establish, by regulation, the criteria and processes for determining that a province has enacted substantially similar legislation, and the processes for reconsidering that determination (section 119(3)).

The Governor in Council may also make regulations respecting the data mobility frameworks set out in section 72 and the codes of practice and certification programs set out in sections 76 to 81 of the CPPA (sections 120 and 122). Regulations for applying the CPPA made under section 119(1) or section 120 may distinguish different classes of activities, government institutions and parts of such institutions, information, organizations or entities (section 121).

Any person who has reasonable grounds to believe that another person has contravened or intends to contravene Part 1 of the CPPA may report that person to the Commissioner and request confidentiality (section 123). The CPPA prohibits an employer from dismissing, suspending, demoting, disciplining, harassing or otherwise disadvantaging an employee who, in good faith, informs the Commissioner of a violation of the CPPA, refuses to do anything that is in contravention of Part 1 of the CPPA, or has done or stated an intention of doing anything that is required to prevent a contravention of Part 1 of the CPPA. This prohibition also applies if the employer believes that the employee will take one of the actions noted above (section 124).

A parliamentary committee will review the CPPA every five years (section 126).

2.2  Consequential and Related Amendments, Terminological Amendments, Transitional Provisions and Coordinating Amendments (Clauses 3 to 34 of the Bill)

The bill makes consequential and related amendments to other Acts. It amends PIPEDA by repealing several parts and replacing its short title by the Electronic Documents Act. The amendment reduces the scope of the Electronic Documents Act to the federal government's use of electronic means to record or communicate information (clauses 3 to 8). The content of the repealed parts of PIPEDA is reflected in parts 1 and 2 of the CPPA.

Consequential and related changes are also made to other Acts to make reference to the CPPA and its relevant provisions or to the Tribunal, for example:

  • Schedule II of the Access to Information Act, which identifies the provisions of other Acts that limit the disclosure of personal information and may thus justify a federal institution's refusal to disclose certain documents, is amended to strike out the reference to PIPEDA and its section 20(1.1) and to replace it with a reference to the CPPA and its section 112(2).
  • Section 4.83(1) of the Aeronautics Act, which deals with information requests made by foreign states, is amended to replace the reference to PIPEDA with a reference to Part 1 of the CPPA.
  • Items 14 and 17 of the Schedule to the Canada Evidence Act (which contains a numbered list of entities designated for the purposes of other Acts) are amended. References to PIPEDA in items 14 and 17 of this Schedule are replaced by references to the CPPA. Item 17 of this Schedule identifies the Personal Information and Data Protection Tribunal as the designated entity for the purposes of the CPPA, rather than the Federal Court.

The bill amends the Canadian Radio-television and Telecommunications Commission Act and the Competition Act to give the CRTC and the Commissioner of Competition the power to enter into research agreements with the Privacy Commissioner and to establish the procedure for disclosing information to the Privacy Commissioner (clauses 13 and 14).

The bill amends a few other Acts to replace any reference to PIPEDA with a reference to the CPPA and its relevant parts or provisions (clauses 15 to 31). The bill also amends terminology in 13 Acts to replace all references to PIPEDA with a reference to the Electronic Documents Act (clause 32).

The transitional provisions of the CPPA specify how a pending complaint will be dealt with once its section 82 comes into force. For example, a complaint initiated before section 82 of the CPPA comes into force will be dealt with in accordance with PIPEDA. If the Commissioner has reasonable grounds to believe that the contravention in question is continuing after the initial date on which the complaint was filed, it is dealt with in accordance with the CPPA (clause 33).

2.3  Personal Information and Data Protection Tribunal Act (Clauses 35 and 36 of the Bill)

Part 2 of the bill contains two clauses. The first enacts the Tribunal Act, which creates the Tribunal (clause 35). The second provides for a related amendment to the Administrative Tribunals Support Service of Canada Act to add the Tribunal to the list of administrative tribunals in the schedule to that Act (clause 36).

2.3.1  Introductory Provisions and Definitions (Sections 2 and 3 of the Tribunal Act)

Under the Tribunal Act, the minister responsible for enforcing the Act is a member of the Queen's Privy Council for Canada designated by order of the Governor in Council, or if there is no designation, the Minister of Industry.

2.3.2  Establishment and Jurisdiction of the Tribunal (Sections 4 and 5 of the Tribunal Act)

Section 4 of the Tribunal Act establishes the Tribunal, with limited jurisdiction. The Tribunal can rule only on appeals made under section 100 or 101 of the CPPA or in respect of penalties imposed under section 94 of that Act (section 5).

The Tribunal hears all appeals from inquiries by the Commissioner, a compliance order issued by the Commissioner to an organization or a decision by the Commissioner not to recommend that a penalty be imposed on an organization that may have contravened the CPPA (section 100 of the CPPA). The Tribunal can also grant leave to appeal an interim order that the Commissioner considers appropriate as part of a complaint, inquiry or audit (section 101 of the CPPA). Lastly, the Tribunal has jurisdiction to impose a penalty on an organization when the conditions set out in section 94 of the CPPA are met.

Thus, it seems impossible for a complainant or organization to address the Tribunal without first going through the Commissioner.

2.3.3  Composition of the Tribunal (Sections 6 to 12 of the Tribunal Act)

The Tribunal consists of three to six full-time members – or a combination of full-time and part-time members – appointed by the Governor in Council on the recommendation of the Minister. At least one of the members must have experience in the field of information and privacy law (section 6).

2.3.4  Chairperson and Vice-Chairperson (Sections 7 to 9 of the Tribunal Act)

The Governor in Council must designate a full-time member as chairperson (section 7). The chairperson has supervision over the Tribunal and directs its work. For example, the chairperson is responsible for the distribution of work among the members, the conduct of the work of the Tribunal and the management of its internal affairs (section 8(1)).

The Governor in Council may also designate a vice-chairperson responsible for performing the duties of the chairperson in the chairperson's absence or incapacity, or if the position of chairperson becomes vacant (section 8(2)). If the chairperson and vice-chairperson are not able to perform their duties, a member designated by the Minister acts as chairperson for a period of no more than 90 days. After that period, any renewal requires approval by the Governor in Council (section 9).

2.3.5  Members of the Tribunal (Sections 10 to 12 of the Tribunal Act)

The Tribunal Act guarantees the independence and impartiality of administrative decision-makers and contains measures that allow members to conclude certain ongoing matters, despite the expiry of their mandate.

Tribunal members are appointed to hold office during good behaviour for a term not exceeding five years, unless removed for cause by the Governor in Council (section 10). The Tribunal Act does not specify the conditions for removal for cause.

The mandate of Tribunal members can be renewed for one term or more, not exceeding three years each (section 10(2)). A member whose appointment has expired can receive a term extension of up to six additional months at the request of the chairperson so that the member can take part in decisions on matters that they heard as a member, in which case the former member is deemed to be a part-time member (section 10(3)).

Tribunal members receive remuneration fixed by the Governor in Council, and they are entitled to travel and living expenses associated with their duties. Full-time members are paid travel and living expenses when their duties must be carried out away from their ordinary place of work, while part-time members are paid expenses when their duties are carried out away from their ordinary place of residence. Members may also receive specific compensation for illness, injury or accident as government employees or employees in the federal public administration. Only full-time members of the Tribunal are employees in the public service for the purposes of the Public Service Superannuation Act.

A member who holds a pecuniary or other interest in a current matter that could be inconsistent with the proper performance of their duties cannot hear the matter, either alone or as a member of a panel. The member must inform the Tribunal's chairperson of the situation without delay (section 12).

2.3.6  Tribunal Hearings and Decisions (Sections 13 to 21 of the Tribunal Act)

2.3.6.1  Principal Office and Sittings (Sections 13 to 14 of the Tribunal Act)

The Tribunal Act provides that the principal office of the Tribunal is designated by the Governor in Council, and if no place is designated, is in the National Capital Region (section 13). The dates, times and manner in which the Tribunal sits are designated by its chairperson (section 14).

2.3.6.2  Hearings and Rules of Evidence (Section 15 of the Tribunal Act)

The Tribunal is not bound by the formal technical rules of evidence at hearings, allowing for the much more flexible administration of evidence. In particular, the Tribunal relies on fairness and natural justice to act expeditiously, freely and informally insofar as the circumstances of the hearing permit. The burden of proof is discharged by proof on the balance of probabilities. However, the Tribunal must not receive or accept any evidence that would normally be inadmissible in a court of law. The parties may choose to represent themselves before the Tribunal or appoint a representative, including legal counsel.

2.3.6.3  Proceedings, Decisions and Reasons (Sections 16 to 21 of the Tribunal Act)

The Tribunal and its members have the same investigative powers as do commissioners appointed under Part I of the Inquiries Act and may make interim decisions. They may summon and compel witnesses to appear before the Tribunal verbally or in writing or require that documents deemed necessary for the inquiry be produced (section 16).

The Tribunal must provide its decisions in writing, with reasons. The Tribunal ensures that its decisions and reasons are publicly available, while protecting the privacy of any complainant who has not consented to the disclosure of information that could be used to identify them (sections 17 and 18).

The Tribunal may establish its own procedural rules in accordance with the Tribunal Act and the CPPA, with the approval of the Governor in Council. More specifically, the Tribunal can make its own rules about when decisions are to be made public and the factors to be considered in deciding whether to name an organization affected by a decision. The Tribunal makes the procedural rules it establishes publicly available (section 19).

The Tribunal may award costs, at its discretion, in accordance with its rules (section 20).30

The Tribunal's decisions are final and binding. They are not subject to appeal or review by any court, other than judicial review under the Federal Courts Act (section 21).


Notes

*  Notice: For clarity of exposition, the legislative proposals set out in the bill described in this Legislative Summary are stated as if they had already been adopted or were in force. It is important to note, however, that bills may be amended during their consideration by the House of Commons and Senate, and have no force or effect unless and until they are passed by both houses of Parliament, receive Royal Assent, and come into force.Return to text ]

  1. Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 43rd Parliament, 2nd Session. The Department of Justice tabled a Charter Statement in the House of Commons on 2 December 2020. [ Return to text ]
  2. For a more comprehensive history of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the calls for reform over the past 20 years, see Alexandra Savoie and Maxime‑Olivier Thibodeau, Canada's Federal Privacy Laws pdf (2.03 MB, 28 pages), Publication no. 2007-44-E, Library of Parliament, 17 November 2020. [ Return to text ]
  3. Innovation, Science and Economic Development (ISED), Canada's Digital Charter: Trust in a digital world. Canada's Digital Charter illustrates the government's plan to establish the trust that is the foundation of the digital and data-driven economy. It is not a legally binding legislative instrument; rather, it is a set of principles that the government will take into account when developing future policies, programs and legislation on the digital economy. [ Return to text ]
  4. ISED, Canada's Digital Charter in Action: A Plan by Canadians, for Canadians. [ Return to text ]
  5. ISED, Strengthening Privacy for the Digital Age. [ Return to text ]
  6. Office of the Privacy Commissioner of Canada (OPC), Privacy Law Reform: A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy pdf (2.04 MB, 87 pages), 2018–2019 Annual Report. Privacy by design is a concept that refers to considering privacy from the initial design of a product or service through to its deployment and long-term implementation, for example, using a privacy impact assessment. [ Return to text ]
  7. OPC, Privacy in a pandemic, 2019–2020 Annual Report. [ Return to text ]
  8. OPC, Commissioner issues proposals on regulating artificial intelligence, News release, 12 November 2020; and OPC, A Regulatory Framework for AI: Recommendations for PIPEDA Reform, November 2020. [ Return to text ]
  9. House of Commons, Standing Committee on Access to Information, Privacy and Ethics (ETHI), Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, Twelfth report, February 2018. [ Return to text ]
  10. ETHI, Addressing Digital Privacy Vulnerabilities and Potential Threats to Canada's Democratic Electoral Process, Sixteenth report, June 2018; and ETHI, Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly, Seventeenth report, December 2018. [ Return to text ]
  11. EUR-Lex, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), art. 45. [ Return to text ]
  12. EUR-Lex, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and Government of Canada, “The European Union's General Data Protection Regulation,” Export guides and statistics. [ Return to text ]
  13. EUR-Lex, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), art. 45, para. 9. [ Return to text ]
  14. European Commission, Adequacy decisions. [ Return to text ]
  15. Government of Canada, Sixth Update Report on Developments in Data Protection Law in Canada, Report to the European Commission, December 2019. [ Return to text ]
  16. EUR-Lex, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), art. 45, para. 3. [ Return to text ]
  17. See, for example, Johnson v. Bell Canada, 2008 FC 1086 (CanLII), para. 21; and Fahmy v. Bank of Montreal, 2016 FC 479 (CanLII), para. 49. [ Return to text ]
  18. To see where the principles from Schedule 1 of PIPEDA were integrated into the Consumer Privacy Protection Act (CPPA) and what provisions of PIPEDA were included in whole or in part in the CPPA, see Teresa Scassa, “Comparison Chart for Bill C-11's CPPA and PIPEDA,” Scholars Portal Dataverse, 2020. [ Return to text ]
  19. OPC, Statement from the Privacy Commissioner of Canada following the tabling of Bill C-11, 19 November 2020. [ Return to text ]
  20. At this time, Alberta, British Columbia and Quebec have enacted legislation that is substantially similar to PIPEDA. In those provinces, PIPEDA is not applicable, except as concerns the commercial activities of federally governed businesses (as defined in the Act). Note that the French term used in the CPPA is “essentiellement semblable” while the French term used in PIPEDA is “essentiellement similaire.” In English, the term “substantially similar” is used in both. [ Return to text ]
  21. PIPEDA does not include a provision related to the extraterritorial application of the Act, but the Federal Court decision in A.T. v. Globe24h.com affirmed that it can apply abroad when there is a real and substantial link between the cross-border activities of an organization and Canada. The same reasoning should be applicable to the CPPA. See A.T. v. Globe24h.com, 2017 FC 114 (CanLII), para. 50. [ Return to text ]
  22. The provisions on the accountability of organizations in sections 7 to 11 of the CPPA reflect the content of Principle 1 set out in Schedule 1 of PIPEDA. [ Return to text ]
  23. Sections 12 to 14 of the CPPA reflect the content of Principle 2, Principle 4 and Principle 5 set out in Schedule 1 of PIPEDA. [ Return to text ]
  24. Sections 53 to 56 of the CPPA reflect the content of Principle 5 and Principle 6 set out in Schedule 1 of PIPEDA concerning the limitations applicable to the use, disclosure, retention and accuracy of personal information. [ Return to text ]
  25. The obligation set out in section 57 of the CPPA reflects the content of Principle 7 set out in Schedule 1 of PIPEDA concerning security safeguards. [ Return to text ]
  26. Section 62 of the CPPA reflects the content of Principle 8 set out in Schedule 1 of PIPEDA concerning openness. [ Return to text ]
  27. Sections 63 to 71 of the CPPA reflect the content of Principle 9 set out in Schedule 1 of PIPEDA concerning access to personal information. [ Return to text ]
  28. Sections 82 to 87 of the CPPA reflect the content of Principle 10 set out in Schedule 1 of PIPEDA. [ Return to text ]
  29. Sections 13, 14(1), 15(5), 16, 53, 55(1), 55(3), 57(1), 58(1) and 58(3) of the CPPA. [ Return to text ]
  30. Costs are expenses that the winning party can be paid by the other party. See, for example, Department of Justice, Frais de justice : dépens et autres frais [available in French only]. [ Return to text ]

© Library of Parliament