Experts welcome Canada’s newly introduced privacy legislation, but say this is “the beginning of the story and not the end” for the government, which has a long road ahead before the country is ready with new privacy laws relevant for evolving technology.
Innovation, Science and Economic Minister Navdeep Bains introduced Bill C-11, the Digital Charter Implementation Act, which, if passed following debate and consultation, would update the existing Personal Information Protection and Electronic Documents Act (PIPEDA).
The proposed legislation tackles a number of privacy concerns, including imposing strong fines of up to 5 per cent of revenue for the most serious offences, giving the Privacy Commissioner broad order-making powers, and ensuring Canadians are free to move personal data from one organization to another in a secure manner, and are able to demand their digital information be destroyed.
The bill also proposes the creation of a tribunal that will “levy” administrative monetary penalties and hear appeals of the commissioner’s decisions.
Ann Cavoukian, former information and privacy commissioner of Ontario, said it was “high time” that the government did something to strengthen the privacy rights of individuals. In an interview, she added that giving the commissioner powers is something that has long been called for, but that a proposed tribunal process for decisions is wrong-headed.
“You’re giving the commissioner authority; why are you going to enact a tribunal? You’ll be able to challenge [the commissioner] by going to the tribunal. This makes no sense to me,” she said. “That’s going to create a lot of confusion.”
Cavoukian also expressed concern that the bill did not implement Privacy by Design, a concept that would require organizations not only to comply with the law, but to create systems with privacy in mind from the initial stages of development.
“They led everyone to believe that it was going to be included especially when the Ethics Committee put out its report after studying PIPEDA in 2018,” she said. “We no longer have essential equivalence with the E.U. because our privacy law is dated and not sufficient and we need to add Privacy by Design. They’ve done that in the E.U., Brazil is including it, Dubai is as well.”
Cavoukian said that while the bill was an important step, she wasn’t fully convinced the government will implement the laws in a timely manner.
“What are the odds of them walking the talk? The government made recommendations in 2018 and they haven’t done that. So using that as an example from two years ago, what are the odds of this being successful?” she said. “There is a lot of talk and it’s a great thing if it comes through.”
Momentum relatively slow: Bhatia
Sumit Bhatia, director of communications and knowledge mobilization with Ryerson's Cybersecure Catalyst, added that the pace at which the government has moved to introduce new legislation is “indicative of what’s going to happen in the future.”
“I’d say the momentum is still relatively slow. We are laying the groundwork, but we have not built a framework yet,” he said in an interview. “We are at the point of putting our foundation, which is a bit late already. I feel good but I don’t feel confident yet, and I think we have our work cut out for us.”
Bhatia added it was positive to see the government giving Canadians more power over how their data is used, but that there are many points left unanswered.
“I still want to know what consent means for Canadians. What are the types of data interactions that build consent? How do we make sure that certain platforms and social media platforms have explicit consent from Canadians? What are the encryption protocols?” Bhatia asked.
He added that if Canadians are going to be able to transfer data between organizations, the bill needs to explicitly indicate whether Canadians will know where data is going and if data will be sufficiently protected when transferred.
Like Cavoukian, Bhatia said having a tribunal takes away from acting fast on enforcing penalties.
“The new privacy bill is predicated on us demonstrating quick and rapid enforcement at the early stage for people to really understand that this is something we’re taking seriously, and the second that we create support structures for organizations to better understand how it impacts them,” he said.
Benjamin Bergen, Executive Director of the Council of Canadian Innovators (CCI), was pleased to see the government finally providing comprehensive legislation. He added that the legislation is “meaty,” requiring a lot of work from the government to get through it and to ensure that anything missing is filled in. He also urged the government to focus on ensuring that the legislation is consistently monitored so that it reflects the evolving nature of technology and its relation to privacy.
“This is the beginning of the story and not the end. We know we have the rough outline of things but it’s the details that will determine [next steps],” he said. “This type of public policy is not a one time shot and you’re done. It needs to be iterative and that was a challenge with PIPEDA that it didn’t keep up. So as we look at how this space continues to grow as an economic force in our lives, the policy and the regulation needs to be iterative and it needs to happen constantly.”