We recently wrote that significant changes to Canada’s privacy law regime were expected, particularly in light of the increasing ubiquity of digital technologies. The Federal Government of Canada has now confirmed this by proposing several substantial amendments to current federal private sector privacy laws which would fundamentally alter the legal landscape.
On November 17, 2020, Canada’s Minister of Innovation, Science and Industry, Navdeep Bains, introduced a new Bill, the Digital Charter Implementation Act, 2020. The Bill proposes to the modernize the framework for the protection of personal information in the private sector and in the commercial context, and to clarify the rules around privacy and personal information. The Bill sets out to provide:
rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Among significant provisions being proposed are the following:
- Empowering the Privacy Commissioner to make orders, including ordering an organization to comply with the Act or to stop acting in contravention of the Act. The Privacy Commissioner could also recommend the imposition of penalties on an organization for breaching the Act.
- Creating a new tribunal, the Personal Information and Data Protection Tribunal. The Tribunal would be empowered to impose administrative monetary penalties on organizations in contravention of the law based on the decisions of the Privacy Commissioner. The Tribunal can also hear appeals from orders made under the Act and from decisions of the Privacy Commissioner.
- An organization could be liable to for a penalty up to the higher of $10 million or 3% of the organization’s gross global revenue. The purpose of a penalty would be to promote compliance, and not to punish. Among other things, the Tribunal could take into account any financial benefit that the organization obtained from the contravention.
- Criminal penalties would also be available for certain of the most serious offences, such as an organization failing to report to the Privacy Commissioner any breach of security safeguards involving personal information under its control, if the breach creates a real risk of significant harm to an individual, or where an organization is obstructing the Privacy Commissioner’s investigations. Such penalties, at their most serious, include indictable offences and fines of up to the higher of $25 million or 5% of the organization’s gross global revenue.
The Bill also proposes new privacy rights. For example, individuals would have “mobility of personal information” rights - the right to request that an organization disclose the personal information that it has collected from the individual to an organization designated by the individual, provided the organizations are both subject to a data mobility framework. These rights exist within the new data mobility frameworks envisioned as Regulations to the Act, which will set out safeguards that must be put in place by organizations to enable the secure disclosure and collection of personal information, and parameters for the technical means for ensuring interoperability in respect of the disclosure and collection of that information. The Regulations will also specify which organizations are subject to these frameworks and what limited exceptions exist.
The Bill also proposes to legislate standards for the de-identification of personal information, namely that de-identification measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information and that an organization cannot use de-identified information alone or in combination with other information to identify an individual, except in limited security-testing circumstances.
While the legislation is in its early days, this bill is another signal that Canada is on the precipice of significant changes to the privacy landscape and is taking steps to modernize its privacy laws in response to an increasingly digital world.