This morning, the Canadian government announced that the federal privacy commissioner will gain the ability to recommend companies be fined for not complying with updated and stiffer privacy legislation.
Innovation Minister Navdeep Bains told reporters the commissioner will have broad order-making powers under the proposed new Consumer Privacy Protection Act (CPPA), including the ability to force an organization to comply with requests and order a company to stop collecting data or using personal information. If passed, the CPPA would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).
Bains said the commissioner will be able to recommend fines to a new body called the Personal Information and Data Protection Tribunal. The fines that the tribunal could levy would be the strongest among G7 nations: up to 5 per cent of global revenue or CAD$25 million, whichever is greater, for the most serious offences, he explained. A serious offence would include obstructing an investigation by the Privacy Commissioner.
For less serious offences the maximum fines could be up to 3 per cent of global revenue or CAD$10 million.
By comparison, the maximum fine under the European Union's General Data Protection Regulation (GDPR) is up to 4 per cent of a company's global annual turnover or €20 million, whichever is greater.
Bains talked in general terms to reporters about the proposed legislation, which had just been introduced to Parliament and wasn’t publicly available for detailed examination.
UPDATE: The proposed legislation says members of the Tribunal would be appointed by the government and would comprise between three and six individuals. At least one would have to be an expert in information and privacy law. All decisions of the Tribunal would be final except for appeals on legal grounds, which would be heard by the Federal Court.
The CPPA also gives individuals the right to sue a business for damages in the Federal Court or a provincial superior court if the Privacy Commissioner has made a finding that the firm has violated the act by not protecting their data.
Bains said the CPPA would ensure that when Canadians go online and are asked to give consent to have their personal data used, it will be in “plain simple language” and not a 30-page legal document. “It will mean greater transparency. That means Canadians will better understand how their data is collected and how that data is used.”
Specifically section 15(3) of the proposed law says consent is only valid if a person is given information in “plain language” including what data is being collected, and the names of any third parties or types of third parties to which the organization may disclose the personal information.
Canadians will also be able to demand that an organization let them take the personal data it has collected and transfer or share it elsewhere, from one bank to another, for example. They will also be able to demand that an organization delete or destroy their personal information if they withdraw consent.
Bains tried to portray the new legislation as good for business, suggesting it will improve Canadian residents’ confidence to buy goods and services online.
“It enables businesses to have the predictability they need to pursue responsible innovation. And because Canadians will have more trust [online], that will enable businesses to make the investments they need to leverage the data in a meaningful way to grow their businesses, create jobs, access markets and become more competitive and productive.”
The proposed CPPA also has new transparency requirements that apply to automated decision-making systems, such as algorithms and artificial intelligence that make predictions. Under Section 63(3), businesses would have to be transparent about using such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and how the information used to make it was obtained.
The legislation would clarify that de-identified information (personal information modified by technical means so that it no longer identifies an individual; removing a name alone is not the test) must still be protected, and that it can be used without an individual's consent only under certain circumstances.
The CPPA would give Canadians the ability to demand that their information on social media platforms be permanently deleted. When consent is withdrawn, or information is no longer necessary, Canadians can demand that their information be destroyed. The Privacy Commissioner would have the ability to order a social media company to comply, and even to order it to stop collecting data or using personal information.
The new legislation and changes to existing legislation are wrapped up under a new Digital Charter Implementation Act (Bill C-11).
In an interview, Halifax privacy lawyer David Fraser of the McInnes Cooper law firm said it is fair to separate the Privacy Commissioner's power to recommend fines from a tribunal that would actually levy them and give reasons. That would make the structure similar to the Competition Tribunal, he said.
In a statement the Retail Council of Canada said it supports a clear and consistent privacy framework across Canada that helps retailers know what they need to do to protect consumer and employee personal information. “While it is good that the government has recognized the need for updating Canadian privacy legislation so that it keeps pace with the digital, omnichannel world of retail, it is important that this framework remain realistic. The Digital Charter Implementation Act mentions clarity on de-identified information standards and simplified consent. These seem, at first glance, positive, and we look forward to learning more when the Bill is released.
“However, the large fines and other compliance strategies mentioned in the fact sheet are cause for concern for us.”