It’s time for Canadian privacy law reform, so where do we go from here?
Find out how privacy rights in Canada compare on the world stage.
This is the second of two blogs that looks at the privacy rights that are available to Canadians and how they compare internationally. The first blog is available here.
What Are Canadian Privacy Rights?
With The Personal Information Protection and Electronic Documents Act (PIPEDA), under its belt, the Canadian government has a tool in place to protect the personal information of people in Canada on a federal level. Under this privacy legislation, organizations are only obligated to obtain consent when collecting or using consumer data. Consumers are granted the right to access any personal information being held by an organization. Though PIPEDA has protective measures in place, there are significant shortcomings that prevent this act from requiring organizations to be more transparent about their data collection practices.
For starters, the Privacy Commissioner of Canada is not granted the authority to administer penalties to organizations for neglecting to obtain user consent or for misusing consumer data. Additionally, while Canadians have the right to access their personal information, Data Access Requests (DARs) are often highly inaccessible. They can be difficult to access on organizational websites and often lead to users having to provide more personal information in order to verify their identity. To gain a better understanding of the barriers of current Canadian privacy laws, this blog post is a great place to start.
Where Do Canadian Privacy Laws Stand on the International Stage?
To better understand the privacy rights that are afforded to Canadians, it’s worthwhile to take a look at the state of international privacy laws, particularly the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
Implemented in May 2018, the GDPR is a groundbreaking piece of privacy legislation that has created uniformity among all European Union nations in how data privacy is addressed and handled. Not only does the GDPR protect EU citizens within their jurisdictions, but its penalties apply against organizations who violate the GDPR apply anywhere -- so long as the personal data of EU citizens are involved and compromised. According to a GDPR website, an organization can incur punishments for exploiting user data if they “process the personal data of EU citizens or residents, or [...] offer goods or services to such people” regardless of whether the organization operates within the EU. The fines administered to violating organizations are significant , reaching either €20 million or 4% of global revenue, whichever is higher.
The GDPR also establishes that consent must be freely given. When consent is to be given in a written declaration, the GDPR states that “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”. When a user is able to understand what they are consenting to, they are able to freely do so. With policies such as the “Right to be Forgotten”, an organization is obligated to immediately remove all existing data at the request of the user, a move that rightfully prioritizes user privacy over corporate interest.
Under the GDPR, a user can also opt-out of having their data sold by an organization. The GDPR defines pseudonymized data differently than raw data that contains identity markers. While organizations must still work to protect users and can be subject to penalties for the breach or misuse of data, those that use pseudonymized data are faced with a more relaxed approach than those who do not.
Similarly, the CCPA (also enacted in 2018), aims to provide more agency to Californians over their personal data. The act’s key principles include the right to know how your personal information is being used, the right to remove your personal information from an organization’s database, (with some limitations to this principle), and the right to opt-out from having your personal information be sold. According to the CCPA, personal information includes anything that can be reasonably linked to the user, such as a name, social security number, or email address. Key rights afforded to Californians under the CCPA include an “opt-out request” tab that all organizations must clearly feature on their website for users to opt-out of consenting to the sale of their data. Californians can also sue an organization, either independently or in a class-action lawsuit, if it can be proven that their personal information was subject to a data breach or that the organization failed to uphold the security measures necessary to protect them. Unlike the GDPR, the CCPA does not require businesses to provide clear and concise consent forms to users. Further, while the GDPR distinguishes between pseudonymized data and raw data, the CCPA does not.
While people in Canada also have the right to access their data, there are limitations to PIPEDA that do not provide users in Canada with the same degree of agency as their Californian and EU counterparts. Canadian privacy law is missing the tough penalties that would push organizations to protect user privacy. The Commissioner’s inability to administer fines or implement policies reduces the chance for privacy law reform in Canada. While class-action lawsuits for data breaches exist in Canada, the ability for an individual to sue independently for a data breach is not an option; people in Canada can not go head-to-head with organizations that are exploiting their personal information. While people in Canada have the right to access their data, opting out of the sale of their data is not an option. This places people in Canada in a form of ‘digital hostage’, keeping them confined to having their data exploited in exchange for the ability to use the organization’s service.
GDPR | CCPA | PIPEDA | |
---|---|---|---|
Right to be Forgotten | ✓ | Some circumstances | X |
Financial Penalties | ✓ | ✓ | X |
Right to Access Data | ✓ | ✓ | ✓ |
Private Right of Action | X | ✓ | X |
Customizable Opt-Out Options | ✓ | ✓ | X |
Incentive for Pseudonymized Data | ✓ | X | X |
Discussion of Clear and Concise Consent Forms | ✓ | X | X |
The Time for Canadian Privacy Law Reform is Now
So what changes are necessary for Canadian privacy law to keep up with other international privacy laws? For starters, providing more enforcement power to the Privacy Commissioner of Canada will allow punishments to be rightfully imposed on large tech giants such as Facebook or Google when they misuse or compromise user data. Personal agency over one’s data must also be improved, which may include more accessible DARs that can be found on any organization’s website. Following in the footsteps of the GDPR, the request for immediate removal of personal data should also be considered in order to protect user privacy. Consent materials should be more concise and easy to comprehend, so that they are more likely to be read and understood by the user. There should be a distinction between pseudonymized and identifiable data. By imposing the same penalty regardless of the nature of the data, organizations may be less compelled to pseudonymize a user’s data. This extra measure would promote user privacy.
With reform in place, Canadian privacy law will be better equipped to protect its citizens and provide them with the mechanisms to negotiate how their data is handled. With the implementation of both the GDPR and CCPA as proof, the possibility of a more rigid and strongly enforced data privacy act can be in our future. The only barrier standing in its way is the failure of the Canadian government to act.