The impact of privacy reform on individual rights
By Andy Teichholz
By Andy Teichholz
Concerns over data privacy have been growing in Canada. COVID-19 has amplified these concerns as more individuals provide their personal data and use digital platforms more frequently.
From the transactional side of purchasing goods and services from the comfort of our mobile devices, everyday millions of Canadians are sharing their personal information with businesses across Canada and around the world. In conjunction with this trend is the growing mistrust of personal data sharing. For instance, the controversy surrounding the potential launch of the Google Sidewalk Labs project in Toronto would have unilaterally built the first smart city of its kind in the country and functioned on the usage of population data. After much backlash at the hands of concerned citizens, including the Digital Strategy Advisory Panel, which questioned the proposed usage of data, the project was abandoned by Google Affiliate Sidewalk Labs, given the impact of COVID-19 and the uncertain economic conditions that lie ahead.
Concerns of this magnitude have also been generated by the abundant media stories that showcase the alarming number of data breaches and the misuse of personal information through malicious actors which serve to undercut the public trust when it comes to fully digitizing and sharing information in a data-first economy.
To keep up with innovation and greater compatibility with an emerging global framework, the federal government is now taking the necessary steps to modernize Canada’s protective measures, giving individuals more expansive data rights and the protective measures they need.
A new era of data privacy reform
Since the turn of the 21st century, the Personal Information Protection and Electronic Documents Act (PIPEDA) has been a key piece of legislation within the Canadian federal private-sector privacy regime. PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information for commercial activity. Organizations must comply with the 10 fair information principles and responsibilities that include, among other requirements, individual rights related to consent, information requests and to understand who is collecting personal information and the purposes for which that information is being gathered.
Efforts to modernize and reform data privacy rights and protections have accelerated significantly over the past few years on a global scale. Since its implementation in 2018, the European Union (EU) General Data Protection Regulation (GDPR) has become a model for other countries as they develop or enhance their existing privacy regulations. This past September, the Brazilian General Data Protection Law (LGPD) went into effect providing fundamental privacy rights to its data subjects. And, this past November, in the U.S., California passed a ballot initiative approving the California Privacy Rights Act (CPRA) that will modify and expand consumer rights and protections under the California Consumer Privacy Act (CCPA). Both examples illustrate a movement towards a greater alignment with the GDPR.
Impact of the Digital Charter Implementation Act
When the Digital Charter was launched in 2019, it set out a government-wide approach to modernize the rules that “govern the digital sphere in Canada and rebuild Canadians’ trust in these institutions.” A key objective was to ensure that Canadians can trust new digital technologies and that their data and privacy will be safe. Efforts were also undertaken to consider how to improve upon PIPEDA in the digital and data-driven economy. Thus, it should come as no surprise, that late in 2020, then-Minister of Innovation, Science and Industry, Navdeep Bains introduced Bill C-11, the proposed Digital Charter Implementation Act, 2020 (DCIA) comprised of two parts: Part I which would enact the new Consumer Privacy Protection Act (CPPA). The second part would enact the Personal Information and Data Protection Tribunal Act to establish an administrative tribunal to support enforcement activities.
This proposed legislation would usher in sweeping changes to the Canadian privacy landscape – providing significantly enhanced individual rights and greater enforcement powers. If passed as is, much of PIPEDA will be repealed and replaced by the CPPA. Among its many proposed changes, the CPPA will provide stronger and more meaningful consent. Additional individual rights include greater transparency related to automating decision-making systems, data portability, rights around de-identification and disposal of information.
The Bill also provides more comprehensive regulatory oversight and enforcement power. Currently under PIPEDA, the Office of the Privacy Commissioner of Canada (OPC) can investigate and report complaints, suggest recommendations and enter into compliance agreements with organizations, but it has no power to levy fines or penalties. Under the new proposed legislation, among other things, the Commissioner will have the ability to force organizations to cease collection activities or curtail the use of personal information. It can also recommend penalties. The penalty for non-compliant organizations is up to three per cent of its global gross revenue or $10 million in the financial year before the one in which the penalty was imposed. There is also a range of penalties for serious offences too (up to five per cent of global revenue or $25 million). The newly created tribunal will be empowered to impose penalties for non-compliance and hear any appeals of orders and decisions of the OPC.
Enabling data rights in the 21st century
Canada’s newly proposed legislation offers an approach to data privacy that is warranted in the 21st century. As countries are creating frameworks modeled after the GDPR, Canada is also determining its path forward. After two decades of technological advancement, including the widespread availability of information and biometric data through the internet and cloud-based platforms, protecting personal information has become paramount. Without taking these necessary steps, the country risks falling behind that of other nations and governing bodies who are choosing to address innovation prevalent in a modern digital economy. This reform effort signifies a large shift in the expansion of enforcement into the private realm. And these changes would provide individuals with more privacy protections increasingly in line with its global neighbours.
Canada’s decision to act now is moving the country and its privacy considerations in a positive direction. This new framework sets the stage for a robust approach that supports both the need to remain in control and to endorse a data-driven economy. While many policy advisors, scholars and businesses (who will be impacted) will continue to track the bill’s movement with great interest, the implications of data privacy reform will be far reaching as individuals are endowed with greater rights and remedies over their personal information in this emerging digital first era.
Andy Teichholz is the Sr. Industry Strategist for Compliance and Legal at OpenText. He has over 20 years of experience in the legal and compliance industry as a litigator, in-house counsel, consultant, and technology provider.