Backgrounder Article from  Innovation, Science and Economic Development Canada

Archived - Canada's Digital Privacy Act

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

In a digital world, Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats.

Canada's Digital Privacy Act provides important improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Digital Privacy Act will ensure that Canadians are safer and more secure when they surf the web or shop online. The proposed amendments will:

  • better protect consumers;
  • simplify rules for businesses; and
  • increase compliance with PIPEDA.

Protecting Consumers

The Digital Privacy Act will require organizations to tell individuals if their personal information has been lost or stolen and if there is a risk that they could be harmed as a result—for example that their identity could be stolen. Organizations will also have to tell individuals what steps they can take to protect themselves. In addition, organizations will be required to report these potentially harmful data breaches to the Privacy Commissioner of Canada. These changes will empower consumers and encourage businesses to have better information security. Companies that deliberately fail to report a data breach or notify individuals could face fines of up to $100,000 for every individual not told.

With the new amendments, organizations will be required to keep records of all data breaches and provide this information to the Privacy Commissioner upon request. This will allow the Privacy Commissioner to fulfill the required oversight role and make sure that companies are reporting potentially harmful breaches. Companies that deliberately cover up a data breach by not keeping these records, or destroying them, could face fines of up to $100,000 per offence.

New requirements for obtaining an individual's approval to collect, use or share his/her personal information are also being proposed to establish stronger privacy protection for more vulnerable Canadians, such as children. Changes will require organizations to communicate clearly with their target audience when obtaining consent and to consider whether their target audience is able to understand the consequences of sharing their personal information.

The Act also sets limited exceptions to allow personal information to be shared in situations where it is needed to help protect individuals from harm, such as to protect seniors from financial abuse, communicate with the family of an injured or deceased individual, or detect and prevent fraud.

Streamlining Rules for Businesses

The Digital Privacy Act will also reduce unnecessary red tape by making sure that companies are able to use personal information to support their normal day-to-day business activities without undermining individual privacy. The Act will make it easier for businesses to collect, use and share information in order to manage employees, conduct due diligence when buying another company or process insurance claims.

Increasing Compliance

Ensuring that the Privacy Commissioner has effective tools to protect Canadians' privacy is an important part of the Digital Privacy Act. These changes will give the Commissioner the ability to negotiate voluntary compliance agreements with organizations. These agreements enable organizations to make a binding commitment to take action to ensure compliance with the Act and avoid costly legal action. At the same time, they will allow the Commissioner to hold organizations accountable when they fail to protect their customers.

The Digital Privacy Act will also give complainants, including the Commissioner, up to a year after an investigation has been completed to ask the Federal Court of Canada to order an organization to comply with the law or to award damages to an individual who has been harmed as the result of a privacy violation. This allows enough time for an organization to voluntarily take corrective action or negotiate a compliance agreement, while maintaining the ability to take the matter to court.

Finally, the Digital Privacy Act will provide more flexibility to publicly release information about non-compliant organizations, if the Commissioner considers it to be in the public interest to do so, so that Canadians can be aware and take action to protect themselves.


Search for related information by keyword

Innovation, Science and Economic Development Canada Information and Communications

Date modified: