The Canadian government proposed new legislation Tuesday that would reshape the nation's privacy framework. Bill C-11, which was introduced by Minister of Information Science and Economic Development Navdeep Bains, includes steep fines for companies — up to 5% of revenue or C$25 million, whichever is the higher sum.
In a fact sheet, the proposed Digital Charter Implementation Act, 2020, which includes the Consumer Privacy Protection Act, "would significantly increase protections to Canadians' personal information by giving Canadians more control and greater transparency when companies handle their personal information."
In a news release, Bains said, "As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. ... For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement."
The new framework would modernize consent rules, require data portability, provide users with a means to "control their online identity" and allow individuals "to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information." The bill also addresses algorithmic transparency and includes deidentification rules.
In comments to the IAPP, nNovation's Constantine Karbaliotis, CIPP/C, CIPP/C, CIPP/US, CIPM, CIPT, FIP, said, "The (CPPA) updates the existing federal privacy law, the Personal Information Protection and Electronic Documents Act, in significant ways: requiring a privacy management program that must be provided to the Office of the Privacy Commissioner on demand; providing for fines of up to 5% or $25 million; algorithmic transparency rights to Canadians, as well as data mobility, enhanced access and rights of erasure. It also codifies previous guidance from Canada’s commissioners for meaningful consent, while also codifying 'legitimate interests' where consent is not required."
The federal revamp from the Trudeau government comes as international data flows have been challenged in the wake of the "Schrems II" judgment in the EU and as the U.S. considers its own federal privacy legislation.
"A key point made by Minister Bains was the goal interoperability with both EU and U.S. legislation and adequacy as the desired outcome of the legislation," Karbaliotis pointed out.
As part of Bill C-11, Bains also introduced the Personal Information and Privacy Protection Tribunal Act Tuesday. Karbaliotis said the PIPPTA "is established as a promised 'quicker' path to enforcement from orders of the OPC, and the minister also committed to resources to the OPC to meet its expanded role and providing strong enforcement."
On Twitter, law professor Michael Geist highlighted some of the key details in the new proposals under Bill C-11. "The enforcement side of the privacy is subject to a huge overhaul: order making power for the privacy commissioner, reviews of the orders by the new tribunal, and big penalties available for non-compliance. Privacy commissioner order has same effect as Federal Court order," he wrote, adding, "The bill also includes a new private right of action. Individuals can sue where the commissioner issues a finding of a privacy violation and it is upheld by the Tribunal. Case must be brought within two years."
The nonprofit organization that oversees the .ca internet domain, the Canadian Internet Registration Authority, applauded the bill. President Byron Holland said, "Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users."
Photo by Toa Heftiba on Unsplash
