The Trudeau government is proposing new privacy measures to give people more control over their information in the digital age, with potentially stiff fines for companies that flout the rules.
The legislation tabled in the House of Commons on Tuesday is designed to flesh out the 10 principles of the federal digital charter and bring Canada’s much-maligned privacy regime for businesses into the modern era.
Advocacy groups and business organizations generally applauded the bill, but there were concerns about how comprehensive the practical effects will be.
Under the legislation, companies would have to obtain consent from customers through plain language, not a long legal document, before using their personal data.
The government says the bill, the Digital Charter Implementation Act, would also give consumers the ability to more easily transfer their data from one business to another. For example, people could direct their bank to share their personal information with another financial institution.
The bill would arm the federal privacy commissioner with order-making powers, including the ability to demand that a company stop collecting data or using personal information.
In addition, the commissioner would be able to recommend that the planned Personal Information and Data Protection Tribunal impose a fine.
The legislation would provide for administrative monetary penalties of up to three per cent of global revenue or $10 million, whichever is higher, for non-compliant organizations.
It also contains harsher penalties for certain serious infractions, including a maximum fine of five per cent of global revenue, or $25 million, bringing Canada into line with Europe.
“The fines are there to provide accountability,” said Innovation Minister Navdeep Bains.
“If we want Canadians to feel confident online … they need to make sure that their privacy is protected, and that they have greater control over their data.”
The government says the law would also ensure Canadians could demand their information on social-media platforms, such as Facebook or Twitter, be permanently deleted.
To reinforce this, the privacy commissioner would have the ability to order a social-media company to comply.
The legislation would also give the privacy commissioner powers to audit organizations, an enforcement tool that Daniel Therrien, the current commissioner, has repeatedly advocated.
The bill is a “big win for privacy in Canada,” said Laura Tribe, executive director of OpenMedia, which has long pushed for stronger laws.
“For years, people have been calling on the government to increase protections for our digital privacy, to no avail,” she said.
“As a result, protecting the data and privacy of Canadians has been an afterthought for many companies, knowing that there were no meaningful penalties or consequences for bad behaviour.”
The group noted the legislation says consent is not required when an organization lacks a direct relationship with a person, which could water down the protections.
The bill is a step in the right direction, said Jim Balsillie, founder of the Centre for Digital Rights. “However, what seems to be missing is a clear recognition of privacy as a fundamental human right.”
Goldy Hyder, president of the Business Council of Canada, said the legislative proposals set out clear rules to protect consumers, promote innovation and strengthen Canadians’ confidence in the emerging digital economy.
The Canadian Internet Registration Authority, which manages .ca domains, welcomed the bill by saying trust is critical to the digital economy and central to a well-functioning internet. “Canadians must be able to trust that their personal data will be protected and not abused.”
The legislation would also:
— Require businesses to to be transparent about how they use automated decision-making systems like algorithms and artificial intelligence to make significant predictions, recommendations or decisions about people;
— Clarify that depersonalized information, for instance through removal of a name, must be protected and that it can be used without a person’s consent only under certain circumstances;
— Allow businesses to disclose de-identified data to public organizations in some cases for socially beneficial purposes, such as health or environmental initiatives.
Jim Bronskill, The Canadian Press
Want to support local journalism during the pandemic? Make a donation here.