Companies could face hefty fines under new Canadian privacy law
The federal government is threatening to impose fines that could run to millions of dollars on private companies that violate Canadians’ privacy.
Innovation Minister Navdeep Bains introduced the Digital Charter Implementation Act today — officially called an “Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.” It represents one of the biggest shakeups in Canada’s privacy law in decades.
If the bill passes, companies could face fines of up to five per cent of global revenue or $25 million — whichever is greater — for the most serious offences. Bains said the legislation provides for the heaviest fines among the G7 nations’ privacy laws.
“The fines are there to provide accountability,” Bains told reporters.
The legislation also would give the federal privacy commissioner order-making powers — something Privacy Commissioner Daniel Therrien has long asked for — including the ability to force an organization to comply and to order a company to stop collecting data or using personal information.
Bains said the commissioner also would be able to recommend fines to a new Personal Information and Data Protection Tribunal, which would levy administrative monetary penalties and hear appeals of orders issued under the new law.
According to the wording of a government press release, the legislation also would give Canadians the option of demanding that their personal online information be “destroyed”.
The federal government has been signalling a more user-friendly system since it first floated the idea of a digital charter.
if the draft legislation passes, companies would have to obtain consent from customers through plain language — not a long, jargon-filled legal document — before using their personal data.
The Canadian Internet Registration Authority, the not-for-profit agency that manages the .ca internet domain, praised the new bill.
WATCH | Bains explains how fines would be laid if companies contravene the new privacy legislation
“Trust is critical to the digital economy, and central to a well-functioning internet. Canadians must be able to trust that their personal data will be protected and not abused,” said CIRA president Byron Holland in a media statement.
“Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it and face real consequences should they break the trust of their users.”
Conservative MP James Cumming, the party’s innovation, science and industry critic, said that if the Liberals truly cared about Canadians privacy rights they’d ban the Chinese telecom giant Huawei from operating in Canada.
“While other countries have taken decisive action to stand up for the privacy of their citizens and banned Huawei, the Trudeau Liberals have failed to make a decision and stand up for the privacy of Canadians. There is no excuse for this delay by the Trudeau government,” he wrote in a statement.
“When it comes to Liberal legislation, the devil is always in the details. Conservatives will review the legislation to ensure that it protects privacy without imposing burdensome regulations on small businesses who are struggling to keep their doors open during the second wave of the pandemic.”
Canada already has two privacy laws. The Privacy Act covers government agencies and federally regulated industries, while the Personal Information Protection and Electronic Documents Act applies to private-sector organizations.
Statistics Canada said that about 57 per cent of Canadians online reported experiencing a cyber-security incident in 2018.
WATCH | Bains on Privacy Commissioner’s powers
The bill is a “big win for privacy in Canada,” said Laura Tribe, executive director of OpenMedia, which has long pushed for stronger laws.
“For years, people have been calling on the government to increase protections for our digital privacy, to no avail,” she said.
“As a result, protecting the data and privacy of Canadians has been an afterthought for many companies, knowing that there were no meaningful penalties or consequences for bad behaviour.”
The group noted the legislation says consent is not required when an organization lacks a direct relationship with a person, which could water down the protections.
The bill is a step in the right direction, said Jim Balsillie, founder of the Centre for Digital Rights. “However, what seems to be missing is a clear recognition of privacy as a fundamental human right.”
Goldy Hyder, president of the Business Council of Canada, said the legislative proposals set out clear rules to protect consumers, promote innovation and strengthen Canadians’ confidence in the emerging digital economy.
B.C.’s Information and Privacy Commissioner Michael McEvoy told CBC News that while the bill is a good start, he has issues with how it limits a privacy commissioner’s authority to recommending to a tribunal that a company be fined for breaching the law.
“It seems to me there is no reason why the commissioner shouldn’t have the power to administer those fines — subject, of course, to the courts,” he said.
McEvoy said that requiring a tribunal to review a commissioner’s recommendation to impose a fine adds an extra layer of bureaucracy that puts people one step further away from getting justice.
He said he likes the provision in the proposed law that would require privacy companies to state in plain and easy-to-understand language how they collect information and how they use it.