The new Act would coexist with Canada’s Privacy Act and replace the Personal Information Protection and Electronic Documents Act (PIPEDA).5 Not unlike its U.S. namesake, the Privacy Act regulates the federal government’s use of personal information.6 The Privacy Act governs the collection, use and disclosure of personal information in the contexts of government pensions, employment insurance, national security, federal law enforcement and tax collection.7 PIPEDA, on the other hand, is a comprehensive consumer privacy law that governs how private sector organizations collect, use and disclose information in the commercial setting.8 The DCIA aims to replace PIPEDA by rehoming PIPEDA’s rules on electronic documents in the newly proposed Electronic Documents Act and modernizing PIPEDA’s privacy provisions by creating the Consumer Privacy Protection Act.9 Finally, the DCIA will likely coexist with provincial privacy laws that provide more tailored guidance for certain provinces in areas such as general data privacy, health privacy and financial privacy.10
The DCIA is in the earliest stages of the legislative process and has yet to be assigned to a committee.11 As such, it is difficult to predict whether the bill will be signed into law. While Canadian Prime Minister Justin Trudeau enjoys a Liberal majority in the House of Commons, there are early signs that some Conservatives might not be on board with the new bill.12 Conservative Member of Parliament James Cumming promised that he and other Conservative lawmakers will review the legislation to ensure that it does not impose burdensome regulations on small business, especially in light of the pandemic.13 While there may be signs of early skepticism, the proposed Act adopts many established and widely accepted principles found in similar authorities such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act (CCPA).
If enacted, the DCIA will likely apply extraterritorially and across a wide range of different entities. The proposed Act covers data that is collected both interprovincially and internationally, and applies to “every organization in respect of personal information that . . . the organization collects, uses or discloses in the course of commercial activities.”14 The Act will also cover data collected in the context of employment. “Organization” is broadly defined to include associations, partnerships, persons and trade unions.15 Interestingly, the definition does not include any limitations on where an organization is located. This lack of geographic specificity, coupled with the DCIA’s application to data collected internationally, strongly suggests that businesses in the U.S. and around the world will have to comply with the Act’s requirements. Further, the DCIA has the potential to apply to even more businesses than the CCPA because the Act does not establish any revenue threshold requirements like its U.S. counterpart.
Phillips Lytle is committed to monitoring the bill as it makes its way through the legislative process to ensure our clients stay up-to-date on the latest developments.