As the number of high-profile online consumer security breaches continues to grow, the federal government is expected to introduce a bill to shake up Canada’s privacy laws — possibly as soon as today.
Innovation Minister Navdeep Bains signalled plans to introduce the legislation late last week on the House of Commons notice paper.
The bill — officially called “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts” — would be the first major attempt to change Canada’s privacy law in decades.
Details of the bill won’t be available until the legislation is tabled, but a spokesperson for Bains pointed to the promises outlined in the minister’s mandate letter.
That letter — essentially the minister’s marching orders from Prime Minister Justin Trudeau — tasked him with drafting a “digital charter” that would include legislation to give Canadians “appropriate compensation” when their personal data is breached.
It also promised to introduce new regulations for large digital companies to better protect Canadians’ personal data and encourage more competition in the digital marketplace, and to appoint a new data commissioner to oversee those regulations.
“It will be significant and meaningful to make it very clear that privacy is important. Compensation, of course, is one aspect of it,” Bains said back in January, adding that the government also wants “to demonstrate to businesses very clearly that there are going to be significant penalties for non-compliance with the law. That’s really my primary goal.”
The letter also calls for “enhanced powers for the Privacy Commissioner.” The office of Privacy Commissioner Daniel Therrien — who has been calling for more powers — said he will be briefed on the bill after it’s tabled.
“Our office has long been calling for federal privacy laws better suited to protecting Canadians in the digital age,” said Therrien’s spokesperson Vito Pilieci.
“We need a legal framework that allows for responsible innovation that serves the public interest and is likely to foster trust, but prohibits the use of technology in ways that are incompatible with our rights and values. The law should also provide for enforcement mechanisms that ensure individuals have access to quick and effective remedies for the protection of their privacy rights, and create incentives for broad compliance by organizations.”
The ‘right to be forgotten’
Earlier this month, a joint investigation by the federal, Alberta and B.C. privacy commissioners concluded that the real estate company behind some of Canada’s most popular shopping centres embedded cameras inside its digital information kiosks at 12 shopping malls in major Canadian cities to collect millions of images — and used facial recognition technology without customers’ knowledge or consent.
B.C. Information and Privacy Commissioner Michael McEvoy said the commissioners likely would have pursued fines against the company, Cadallic Fairview, if they’d had the power.
“Fines in a case like this would have been a consideration. It is an incredible shortcoming of Canadian law,” he said.
“We as privacy regulators don’t have any authority to levy fines on companies that violate peoples’ personal information and that should really change.”
Statistics Canada says that about 57 per cent of Canadians online reported experiencing a cyber security incident in 2018.
Bains’s mandate letter also hints at the introduction of a so-called “right to be forgotten” or “right to erasure” law by calling for the “ability to withdraw, remove and erase basic personal data from a platform.”
The European Union passed a law back in 2014 allowing citizens to ask Google to remove problematic web hits that pop up when their name is searched, after a Spanish lawyer fought successfully to remove old material about his past debt problems.
Under the EU’s law, “inadequate, irrelevant or excessive” web hits aren’t deleted, but in most cases Google hides them from their search results — a process known as de-listing or de-indexing.