The federal government has unveiled a 10-principle Digital Charter that promises to apply to future legislation and regulation, including the suggestion of unspecified serious fines to the private sector for not protecting privacy.
In many ways the proposals would bring the federal private sector privacy legislation — the Personal Information Protection and Electronic Documents Act (PIPEDA) — close to the European Union’s General Data Protection Regulation.
For example, the government proposes giving consumers the right to transfer their personal data from one company to another in a digital format. It also proposes giving people the explicit right to request deletion of information about them that they provided, with some caveats.
However, there will be no immediate changes to the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The government’s legislative agenda is full and Parliament is expected to rise late in June to allow MPs to campaign for the October election. As such the Digital Charter can be seen as one plank in the Liberal Party platform.
The government has promised to consult with the private sector before making changes to PIPEDA. It released this document to guide the discussion.
“It’s important to support innovators who are job creators,” said Bains. “The digital charter will guide us, but government can’t do this alone. We need business, we must do this together. That’s the only way we’ll succeed, the only way we’ll develop trust in our digital institutions.”
The digital charter itself has no legal status. A federal official made it clear it is an aspirational document of the government.
Innovation Minister Navdeep Bains, who announced the digital charter today before the Empire Club in Toronto, also said that, as part of the Charter, the government will shortly announce steps to ensure the integrity of democratic institutions and reduce threats from hate and cyber bullying.
The principles of the charter, which would need changes in a number of pieces of legislation and regulations to be effective, include:
- Universal access: Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so. This relates to access, connectivity, digital literacy and digital skills;
- Safety and security: Canadians will be able to rely on the integrity and authenticity of the services they use and feel safe online;
- Control and consent. Canadians will have control over the data they are sharing, who is using their personal data and for what purposes it is being used;
- Transparency, portability and interoperability. Canadians will have clear, manageable access to their personal data and will be free to share it or transfer it without any undue burden;
- Open government: Canadians will be able to access digital services from the federal government which are secure and simple to use;
- Level playing field by ensuring fair competition online;
- Data for good. “We will ensure the ethical use of data to create value and promote openness to improve lives of people at home and around the world,” Bains said;
- Strong democracy. The government will ensure transparency of political discourse, defend freedom of speech and protect against online threats and disinformation;
- Commitment that social media platforms will be free from hate and violent extremism;
- Strong enforcement and accountability. “There will be clear meaningful penalties for violations of the laws and regulations that support these principles,” said Bains.
The government’s goal is that the Digital Charter will apply to all federal legislation and regulation. However, PIPEDA, the federal Privacy Act (which governs the federal government), the Competition Act, the Canada Anti-Spam Legislation (CASL) and possibly the Competition Act would have to be changed.
A federal official briefing reporters this afternoon said there are no plans to introduce changes before the October election.
A discussion paper on possible changes to PIPEDA suggests clarifying what information individuals should receive when they provide consent; certain exceptions to consent; adding the right to data mobility; deletion and withdrawal of consent; incentives for certification, codes, standards, and data trusts; enhanced powers for the Office of the Privacy Commissioner; as well as certain modernizations to the structure of the law itself and various definitions.
Among the proposals:
- Requiring organizations to provide individuals with the information they need to make informed decisions, including requiring specific, standardized, plain-language information on the intended use of the information, the third parties with which information will be shared, and prohibiting the bundling of consent into a contract;
- Providing for certain alternatives or exceptions to consent to facilitate use of personal information by business under specific circumstances, to cover, for example, common uses of personal information for standard business activities. Likewise, adding a definition of de-identified information, along with an exception to consent for its use and disclosure for certain prescribed purposes and penalties for re-identification, could also enable the use of such information for appropriate purposes, while at the same time ensuring that it is otherwise subject to the protections afforded under PIPEDA. Developing such a definition, however, will be challenging given that nearly any information can be personal information.
- Consent would still be required for those uses that have the biggest impact on individuals. This would of course not encompass those situations where consent is inappropriate or contrary to the activity, such as investigations, responding to subpoenas or other lawful means to compel the production of information.
- Informing individuals about the use of automated decision-making, the factors involved in the decision, and where the decision is impactful, information about the logic upon which the decision is based. Such a requirement would not extend to revealing confidential commercial information to an individual. As more complex data uses, especially those that do not involve human discretion, such as those supporting the development of artificial intelligence, increasingly move out of research labs and into the marketplace, automated decision-making will become the norm. With it comes the risk of misuse of personal information that can result in undue discrimination and bias. The purpose of shining more light on automated decisions is to assist individuals in better understanding how such decisions are made about them;
- Requiring enhanced transparency of practices, by explicitly requiring organizations to demonstrate their accountability, including in the context of trans-border data flows;
- Requiring organizations to communicate changes or deletion of personal information to any other organization to whom that data has been disclosed;
- Establishing a regime for use of de-identified data in PIPEDA. In other words, if personal identifiers are stripped from data the remaining information would be protected under law. That data could be legally processed and shared without consent when managed by a data trust. However, there would have to be prohibitions against intentional re-identification or targeting of individuals in data, or re-identification as the result of negligence or recklessness.
Although the government is only making proposals, Bains said Canada is now “the go-to jurisdiction when it comes to trust.” Businesses will want to come to Canada because of its privacy laws, he said, while the digital charter creates a framework that provides predictability for businesses to succeed.
There is no proposal to add a so-called right to forget in PIPEDA, a right included in the GDPR to ask organizations to de-index certain information — like a news story on an old criminal charge, bankruptcy or divorce — so it doesn’t come up first in a search. Instead the background paper notes that the federal privacy commissioner has launched a court case suggesting this right already exists in PIPEDA. The government is waiting for a judicial decision.
Federal privacy commissioner Daniel Therrien may comment on the proposals on Thursday when he speaks at the annual Canadian conference of the International Association of Privacy Professionals in Toronto.
His office did issue a statement saying it welcomes the government’s commitment to undertake legislative reform.
“Given the interests at stake for individual Canadians, the Commissioner’s view is that the starting point for modernizing Canada’s privacy framework is to give it a rights-based foundation. We emphasized that position in our response to the government’s digital and data consultation. The Commissioner called for the law to be updated to recognize that privacy is a fundamental right and a necessary precondition for the exercise of other fundamental rights, including freedom, equality and democracy. As we saw in the Facebook-Cambridge scandal, a lack of respect for privacy rights can lead to very real harms, such as attempts to influence voters in an election.”
Halifax privacy lawyer David Fraser wasn’t surprised Bains’ announcement lacked detail. “I expected something more fully formed, rather than something that reads like a discussion document,” he said in an interview. But, he admitted, that’s because it has come close to the ending of this session of Parliament.
“Many of the things that are in here aren’t new or innovative ideas, but things that have been discussed for several years.”
He did note that the documents make no mention of the federal privacy commissioner’s recent change in guidance that cross-border data transfers need explicit consent.
Fraser did welcome debate on whether the privacy commissioner should have enhanced powers, including the ability to levy fines, or whether there should be a privacy tribunal to handle violations of PIPEDA. Fraser noted there is a Canadian Human Rights Tribunal separate from the Human Rights Commissioner, for example, and a Competition Tribunal separate from the competition commissioner.
Angela Mondou, chief executive of the Information Technology Association of Canada (ITAC), which represents most of the big IT providers in the country, said a national Digital Charter “will set Canadian business and citizens up for success – while simultaneously addressing the overarching concern for data privacy and sovereignty.”
Scott Smith, senior director for intellectual property and innovation policy at the Canadian Chamber of Commerce, noted that finding the right talent with the right skills and training at the right time remains one of businesses’ biggest challenges, particularly as industries adapt to new technologies. “We are pleased to see in this digital charter a recognition of connecting all Canadians and an approach to the digital economy that recognizes the importance of small business and digital skills that is balanced with privacy and security.”
Byron Holland, CEO of the Canadian Internet Registration Authority (CIRA), said his agency is pleased Ottawa is committed to modernize and strengthen Canada’s data, privacy and security regulations. “We believe regulating the internet should always be handled with a light touch and an eye towards maintaining Canada’s position as a global leader online. We look forward to working with the federal government to advance this initiative.”