The Permanent and Irreversible Disposal of Personal Information

  • November 14, 2021
  • Claire Davis, Healthcare of Ontario Pension Plan

When federal Parliament was dissolved in August because of the federal election, several bills died on the Order Paper, including Bill C-11, the Digital Charter Implementation Act, 2020. Had that legislation passed, Part 1 of Canada’s federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), would have been replaced by the Consumer Privacy Protection Act (“CPPA”). Although there is presently no federal private sector privacy legislation under consideration by Parliament, the Liberal government’s re-election means that it can be reasonably expected that the CPPA will be reintroduced into Parliament in some form in the near future, and this commentary is written under that assumption.

One of the key areas in Bill C-11 that was subject to scrutiny and concern involved the requirements around the disposal of personal information. On its face, it may seem surprising that Canadian organizations were concerned about these obligations. After all, there are similar principles contained in PIPEDA and organizations that are compliant with the General Data Protection Regulation (EU) (“GDPR”) would have been operating under an analogous ‘Right to Erasure’ since 2018.

However, the CPPA’s disposal obligations—which would require “permanent and irreversible deletion of personal information”—may be more technically stringent than the obligations of other regimes and require organizations to consider new strategies for overwriting personal data.