Ottawa to overhaul privacy rules to give Canadians more control over how companies use data

Open this photo in gallery:

Ottawa plans to overhaul its two-decade-old private-sector privacy rules to give Canadians greater control over how companies handle their data, while threatening some of the highest penalties in the world for violations.

Innovation Minister Navdeep Bains tabled a bill Tuesday that would introduce the Consumer Privacy Protection Act and additional legislation that could align Canada’s approach to privacy with jurisdictions such as California and the European Union that have stricter regulations. The bill would give Canada’s privacy commissioner sweeping powers to force companies to comply with data-protection rules and, if necessary, order offenders to stop collecting personal information altogether.

For the worst offenders, fines for breaching the new legislation could cost as much as $25-million or 5 per cent of a company’s global revenue – whichever is greater. That is a percentage point more than the EU’s maximum fines.

“We do have very clear accountability measures, the strongest fines among the G7, but ultimately the focus is on compliance,” Mr. Bains said in an interview. He added that the design of the legislation was to give a “clear framework” for companies, especially small and medium-sized ones, to collect data responsibly while remaining competitive. If the legislation passes, companies would have 12 to 18 months to become compliant.

Privacy advocates have argued for years that Canada needs to upgrade its laws for the modern digital era – not just to strengthen individual rights, but to align with jurisdictions that have tougher privacy laws to avoid threatening trade relationships.

Still, the federal Liberals have been slow to upgrade Canada’s consumer privacy laws, which federal Privacy Commissioner Daniel Therrien has been pushing for over many years. In May, 2019, Mr. Bains unveiled a “digital charter” for Canadians to rein in the power of Silicon Valley tech giants, but it came with few specifics.

In an e-mailed statement, Mr. Therrien said that while some of his long-time recommendations appear in Tuesday’s bill, he was hesitant to immediately comment on it. “We will need to carefully assess how its several components work together and how well they would improve protections for the privacy rights of Canadians,” he wrote.

Mr. Bains said Tuesday that the government had planned to introduce the new legislation in March, but was delayed by pandemic emergency measures. The legislation seeks to ensure organizations respect individual privacy while outlining how they can “collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

This includes requiring companies to describe the purposes of data collection “in plain language,” and to dispose of it after the purposes for its collection is over. Organizations must also strip all identifying information if data are used for research and development or prospective business transactions.

The new legislation would also ensure Canadians have the right to request what information a company has collected about them, and to withdraw their consent to data collection at any time. And it would give Canadians the right to move their information from one organization to another, such as when they switch banks.

Running data through algorithms can help organizations learn about behavioural patterns to help them understand and – more profitably – predict or reinforce certain behaviours. As an example, sometimes digital companies will use behaviours to make recommendations – such as advertising a pair of shoes to someone who had looked them up in a search engine.

Monetizing data is a key function of what’s sometimes called the “intangible economy,” which has given Silicon Valley giants some of the world’s highest profits and market capitalizations. The new legislation aims to make their use of algorithms more transparent. It would allow Canadians to ask companies using algorithms that make “a prediction, recommendation or decision” about them to request how their personal information was used in those processes.

Mr. Therrien has said that his office lacks the enforcement powers of his peers internationally and even provincially, in some cases. Tuesday’s legislation proposes to grant the commissioner sweeping investigative and order-making powers.

Former Ontario privacy commissioner Ann Cavoukian, who now consults globally on privacy issues, applauded the legislation’s increased control for individuals and the increased power for the federal commissioner. “The fact that you have order-making powers makes [companies] want to work with you,” Ms. Cavoukian said.

The Consumer Privacy Protection Act sets out a system in which companies would propose privacy codes of practice for approval and certification by the commissioner. The commissioner, who is an independent officer of Parliament, could also launch investigations, inquiries or audits in response to public complaints or on the office’s own initiative. The bill would also give the commissioner new powers to acquire information, including summoning individuals and documents.

The legislation includes protection for private-sector whistle-blowers who raise concerns with the commissioner. The bill says an employer must not dismiss, suspend or demote an employee who raises a potential violation in good faith to the commissioner.

After an investigation, the commissioner would be able to order a company to comply with a specific order and could recommend financial penalties of up to $10-million or 3 per cent of a company’s gross global revenue, whichever is higher.

Violations of other sections of the new law, such as failing to disclose a security breach or punishing an employee who reports potential violations to the commissioner, could face larger fines.

Tuesday’s Bill C-11 also would enact legislation to create a tribunal to review proposed fines made by the privacy commissioner. The tribunal would also hear appeals of the commissioner’s decisions.

Ms. Cavoukian warned that the tribunal might actually undermine the commissioner’s newfound order-making authority. NDP MP Charlie Angus said in an interview that he is pleased to see that the bill gives strong enforcement powers to the commissioner – but echoed Ms. Cavoukian’s concerns about the proposed tribunal, specifically where government-appointed members could overrule the commissioner’s decisions.

Conservative MP James Cumming said his party will be reviewing the bill closely.

Both MPs said they were still reviewing the bill and neither stated how their parties will ultimately vote on the legislation.

Representatives from Facebook and Google, two of the highest-profile data-collecting technology companies operating in Canada, declined to immediately comment on the legislation.

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.