Data privacy in translation: how Canada’s language industry will respond to CPPA

When it comes to embracing technological advances, the translation services industry can be considered to be among the list of quick adopters. Translation technology has a long history in parallel with major advancements in tech in general, the most significant being the rise of computer-assisted translation (CAT) tools in the 1990s with the public and commercial boom of the internet. Today, language technology has become an essential component of how the industry operates.

Being an early adopter isn’t without its challenges. Translation services tend to collect and work with massive amounts of linguistic data. In Canada, this puts them in the crosshairs of attempts to modernize national privacy policy through its Consumer Privacy Protection Act (CPPA).

What is the CPPA?

Before we can talk about where translation services fit into the picture, we need to understand what the CPPA is, and where it currently stands.

The CPPA is one of the major components of 2020’s Bill C-11, or the Digital Charter Implementation Act. The other is the Personal Information and Data Protection Tribunal Act (PIDPTA). Taken together, these two documents would serve to replace the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s existing legislation on the collection and use of personal information by private institutions and businesses, which passed into law on April 13, 2000.

Bill C-11 was tabled in the House of Commons on December 2, 2020. The bill was polarizing from its original iteration, with critics pointing out that its provisions appeared to be designed to give individuals less control over their data than in existing legislation. Daniel Therrien, then Privacy Commissioner, called Bill C-11 “a step back” and “needs significant changes if confidence in the digital economy is to be restored.”

At the time, endeavours to modernize Canada’s privacy laws were under heavy scrutiny in the wake of the Cambridge Analytics scandal in 2018, where personal information of tens of millions of Facebook users were used without consent in the election campaign of Donald Trump for President of the United States. Several data firms in the UK and Canada were implicated in the scandal.

The Office of the Privacy Commissioner submitted a number of proposed revisions to the bill in order to address a number of issues, including:

  • Rebalancing provisions regarding businesses’ need for flexibility in the use of personal information, within a more human rights-oriented framework
  • Updating definitions regarding valid vs meaningful consent
  • Reasserting the authority of the OPC as an expert regulator with the power to proactively inspect and investigate businesses for compliance
  • Requiring businesses to apply Privacy By Design

Despite continued parliamentary discussion, Bill C-11 died in late 2021 with the fall election. Plans are underway to reintroduce the bill for further discussion under the new administration, but these have yet to move forward. For now, PIPEDA remains in effect as the authoritative legislation on data privacy.

The stakes for the translation services industry

Canada holds 10 per cent of the global market for the translation services industry, despite constituting 0.5 per cent of the world’s population. Translation services accumulate massive amounts of data in the form of text, audio and video as part of the course of business. As such, the industry is one among those likely to be hardest hit by changes to Canadian privacy policy.

As such, the Canadian government’s efforts to reform PIPEDA through the CPPA are of great interest to companies offering translation services within Canada.


The CPPA is modelled after the European Union’s General Data Protection Regulation (GDPR). Because of the aggressive stance by the EU when it comes to data privacy and protection, GDPR is now seen as the gold standard when it comes to privacy and protecting the data of citizens. PIPEDA is not as strict as GDPR. In fact, the European Commission only considers PIPEDA to be partially adequate when it comes to data protection.

But with the introduction of the CPPA, all of that might be changed. It would create new obligations for companies when handling data of consumers, and also impose harsher penalties for those who violate it.  

Just how harsh are the proposed penalties under the CPPA? Under the proposed legislation, the most serious offences may be fined up to five per cent of the global revenues of a company or C$25 million, whichever of those two options is larger. Those are the most drastic of penalties imposed by any G7 country to date for privacy violations if it becomes law.

Data privacy for translation services in Canada

Translation technology and service providers that are working in Canada must ensure that the personal information and documents of their clients must stay safe. Under the PIPEDA, Canadians must give their consent to have their personal data collected, and this is likely to become even more affirmed through the CPPA. They should also be informed as to how their personal data will be used. Consumers can also demand from the organizations that collected their data documents showing how their personal information will be used. They can also check if the information collected about them is accurate.

Companies offering translation technology and services to Canadians must keep these things in mind whenever they are gathering data from users and when using those data. 

Getting consent

One of the major provisions of the PIPEDA is to ensure that businesses and organizations get consent from consumers when getting data. There are several important aspects of getting content that organizations must not forget.

  1. The privacy notice should emphasize essential aspects like what personal data will be collected, who will have access to the information, the purpose for collecting the information, and the risks involved with the data collection.
  2. Organizations must give the consumers control over the number of details that they want to receive with regards to the data collection and handling. Organizations must be ready to provide more details if consumers request it.
  3. Consumers must be given clear options on whether they will give consent or not. For example, they should have Yes or No options for whether they will allow their data to be collected.
  4. Organizations and businesses are encouraged to be creative when getting consent for data collection. They can use data interfaces, for example, or interactive tools.

These are just some principles that companies providing translation should keep in mind when giving privacy notice to consumers. 

The Canadian government takes data privacy seriously. The PIPEDA may not be as strict as Europe’s GDPR, but it is still quite rigorous when it comes to how the personal data of Canadians will be collected. Any company offering translation technologies and services working with people in Canada should take heed of what this law is all about. Once the CPPA becomes law, Canada will become at par with Europe when it comes to data privacy.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Shashank Jain
Shashank Jain
Shashank Jain is the Technical Manager of the Development Team at Tomedes, a company that handles translation technology and services and has assisted businesses in their globalization efforts. He has spearheaded the company’s tech-related campaigns, including data privacy and security.

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight