The Government of Canada has proposed a new privacy bill that could significantly reshape the country’s privacy framework. The law was due for a review in order to bring it more in line with both EU and US legislation, especially in light of the Privacy Shield ruling last summer.
Privacy Law in Need of An Update
There are a number of laws in Canada that relate to privacy. Some are sector-specific, others are health-related or only apply to provincial governments. Various government organizations and agencies handle the enforcement of these laws. Who enforces the laws depends on the nature and location of the organization involved, as well as the type of information.
On a federal level, there are two applicable laws. The oldest is the Privacy Act. This law came into effect in 1983 and covers how the federal government handles personal information. The second is the Personal Information Protection and Electronic Documents Act (PIPEDA), which was introduced in 2000. This law covers how businesses should handle personal information.
In fact, PIPEDA helped shape global privacy standards. When PIPEDA was introduced, on the eve of a rapidly changing internet landscape, it was a very forward-looking piece of legislation. When the GDPR came into effect in 2018 however, it became clear that some aspects of the legislation were now outdated. This urged lawmakers to start looking into possible changes.
New Bill Includes Big Fines
Bill C-11 will essentially overhaul Canada’s existing federal privacy laws. Back in January, Innovation Minister Navdeep Bains promised that the new regulations would be “significant and meaningful”. They would also “make it very clear that privacy is important”. To ensure this, compensation was an important aspect of the bill from the start.
Just like the GDPR, the new bill includes big fines – the biggest in the G7. For the most serious offenses, the maximum penalty is the higher of $25 million or 5% of the organization’s gross global revenue. For other violations, the fine is set at the higher of $10 million or 3% of the organization’s gross global revenue.
Moreover, the new regulations will enhance the powers of the Privacy Commissioner. It is also expected that the new measures will create a greater incentive for broad compliance by organizations. Additionally, the new law will ensure that individuals have access to adequate remedies to protect their privacy.
It’s All About Consent
One of the major differences between Canada’s current Privacy Laws and, for example, the GDPR, is their approach to “consent”. Essentially, the consent of each individual person is needed before a Canadian organization can collect, use and disclose personal information.
However, in practice, organizations still have the choice of whether they seek express or implied consent. For example, if an organization deems the information necessary to complete a certain transaction, implied consent may suffice. PIPEDA also does not contain a minimum age of consent.
Besides modernizing the definition of consent, the new framework will also provide individuals with the means to control their online identity. They can, for example, withdraw consent. They can request an organization to explain how a prediction, recommendation or decision was made by an “automated decision-making system”. And they can also ask an organization to transfer their data to another organization.
Increased Protection and Greater Transparency
If passed, the new legislation will significantly increase the level of protection for Canadian’s personal data and give individuals more control over how their personal information is handled. For organizations, on the other hand, the consequences for non-compliance are much more severe than with current laws. The Canadian government published a fact sheet that highlights and further explains the above mentioned and other key changes (original file not to be found anymore).
The new legislation could not have come at a better time. According to IBM’s Cost of Data Breach Report 2020, released in July, the average cost of data breaches in Canada rose 6.7%, totaling $6.35 million over the past year. 42% of data breaches in Canada were the result of a cyberattack. 35% were caused by a system glitch. And in 23% of the incidents, human error was at fault.
One rather dismal case came to light last month when Alberta and B.C. privacy commissioners found that the real estate company behind some of Canada’s biggest malls collected five million images of people’s faces through digital information kiosks in malls across Canada.