Advocates welcome major overhaul to Canada’s privacy law

Bill C-11 provides much-needed protections for individuals’ data privacy

November 17, 2020 — Today Innovation, Science and Industry Minister Navdeep Bains introduced Bill C-11, the Digital Charter Implementation Act, 2020, which promises to considerably strengthen Canada's private sector privacy legislation. The introduction of binding enforcement powers for the Privacy Commissioner and significant financial penalties for noncompliance provide much needed reinforcement of Canada’s privacy requirements. 

The Act is in response to years of calls from privacy advocates to bring Canada’s private sector privacy laws up to date, after countless data breaches and privacy violations that have been allowed to pass without penalty.  With a maximum penalty for repeated violations of up to 5% of global revenue, the new Act could see Canada match or exceed those penalties in the European Union’s GDPR. 

“Bill C-11 is a big win for privacy in Canada. For years, people have been calling on the government to increase protections for our digital privacy, to no avail,” said OpenMedia Executive Director Laura Tribe. “As a result, protecting the data and privacy of Canadians has been an afterthought for many companies, knowing that there were no meaningful penalties or consequences for bad behaviour. Bill C-11 takes critical steps towards changing that status quo, making privacy a core business value, and restoring trust online. As the pandemic has forced so many of our most sensitive activities online this year, it couldn’t come at a better time. While some questions remain about the specific details, OpenMedia is optimistic about its potential impact, and we’ll keep engaging the government to ensure the final Act’s protections are as strong as possible. ”

Some questions remain over C-11’s exceptions to requiring express consent for collection and use of personal data. According to the text of the bill, consent is not required when the organization does not have a direct relationship with the individual, alongside other business need exceptions. If interpreted broadly, these limitations could significantly reduce the bill’s practical protections. 

Key takeaways:

• C-11 maintains and strengthens our right to request access to our personal data held by an organization, and request that organization delete it, or transfer it to another organization.
• The maximum non-compliance penalty of 5% of global revenue brings Canada into alignment with global leaders like the European Union.
• The bill grants order-making enforcement power to the Privacy Commissioner, subject to approval by a Tribunal body, which will bring teeth to legislation that has for years lacked any clout. 
• A plain language requirement is included for organizations to explain the data they will collect and purposes they will use it for before they collect it.
• Broad business exemptions included in the bill are a source of potential weakness and concern.
• Updated definition of what consent is required, and when, requires clarity.

Over 50,000 people have called on the government to reform its privacy laws over the past 3 years. Nearly 8,000 people have called for enforcement powers for Canada’s Privacy Commissioner at www.openmedia.org/fixprivacy.

-30-