Prime Minister Justin Trudeau announced plans last week for a new Canadian digital charter featuring penalties for social-media companies that fail to combat online extremism. While the just-released proposed charter does indeed envision increased regulation of the tech sector, its foundation is not content-regulation but rather stronger rules on how companies use data. Leading the way is a promised overhaul of Canadian privacy law to ensure it is better-suited to the challenges posed by a data-driven economy.
The proposed privacy-law reforms seek to strike the balance between supporting an innovation-led economic agenda heavily reliant on access to data with mounting public concern over the use of that data without appropriate safeguards or consent. If enacted – the digital charter includes a detailed background paper on privacy-law reforms that suggests legislative action will only come after the fall election – the changes would constitute the most significant privacy-law amendments in decades.
After a national data consultation and several committee hearings, Innovation, Science and Economic Development Minister Navdeep Bains now acknowledges the obvious: Canadian privacy law badly needs a rewrite. In fact, the privacy background paper notes that current law is a legislative oddity given that the core rules are buried in an attached schedule using non-legal language. The approach may have made sense when the law was first introduced in 1998, but more than 20 years later, the government says it intends to embark on a full redrafting of the law.
As for the content of the new law, several proposals stand out, notably the approach to data collection and analysis. For example, the government would strengthen existing consent mechanisms by requiring increased transparency on how the information will be used and whether third parties will have access to it. Moreover, the government promises to stop companies from bundling consent into contracts, thereby enhancing consumer choice.
Given the widespread business use of consumer data, the government proposes to facilitate common uses for standard commercial activities by removing some consent requirements or promoting the de-identification of data. Yet, it also envisions new penalties for companies that attempt to re-identify de-identified data. In other words, the law would facilitate the use of anonymized data but would also punish organizations that try to link the data to an identifiable person.
The government promises another major regulatory safeguard for big data analysis. With the public often concerned about how their information is used or abused, the law would feature new algorithmic transparency requirements mandating that companies inform individuals about the use of automated decision-making and the factors used to reach the decision. The law would stop short of requiring the disclosure of confidential commercial information, but revealing how automated decisions are reached would be a game-changer in Canadian data law.
Supporting these changes would be increased control by users over their data, the use of data trusts and enhanced enforcement powers for the Privacy Commissioner of Canada. Canadians would be granted a new data-portability right that would allow for the transfer of personal information in standard data formats. Data portability is widely viewed as a key component in open-banking initiatives, since consumers need the power to easily move their financial data between providers.
The potential for data trusts, which contemplates using trusted third parties to manage access to sensitive data for research and development purposes, is viewed as another mechanism of striking a balance between innovation and appropriate data use.
Yet, data trusts are only effective if enforceable, and establishing limits on data use won’t matter if the limits are ignored without fear of penalty. That leads to the last major proposed change: new enforcement tools including order-making power for the Privacy Commissioner of Canada alongside substantially increased financial penalties for legal violations.
The proposed reforms represent a sea change in Canadian privacy law, but there remain several unaddressed issues. The government is deferring the question of a right to be forgotten (often referred to as a right-to-index), noting the issue is currently before the courts. It also limits the proposed reforms to private-sector privacy rules, leaving the rules that govern public-sector data use untouched for the moment.
Perhaps the biggest challenge is that both the privacy reforms and the broader digital charter have little prospect of becoming law before the federal election scheduled for the fall. Rather, their release suggests that the government views digital governance and privacy law as potential election issues. Mr. Bains and the Liberal government are first out of the gate, but with an outdated law and mounting fears about the emerging risks of a data-driven economy, they are unlikely to be the last.