Here’s what you need to know about Canada’s newly proposed Privacy Bill

More and more personal data is being used by businesses and organizations to implement marketing strategies, facilitate transactions, deliver goods and services, and provide after-sales support. This makes the data of private individuals a valuable resource in the Canadian economy. However, if an organization misuses such data, then trust in our increasingly information-driven economy will be eroded.

Trust is the foundation upon which human relationships are built and society is formed. If Canadians begin to withhold their personal information — such as by paying for everything in cash and eschewing the use of online accounts — then the growth of our economy will be stalled.

Furthermore, with less personal data to work with, we’ll have difficulty arriving at the insights we need to drive innovation. Thanks to our ability to capture large amounts of information about individuals, industries can use de-identified (i.e., anonymized) and aggregated data to determine relevant communal trends that they can then act upon.

For instance, de-identified and aggregated medical data helps pharmaceutical companies discover more side effects of their drugs as well as how these affect patients who are also on other medications. However, if Canadians grow to distrust the systems that gather and utilize personal data and choose to be off-grid, the drop in digital participation may impede the discovery of such important medical insights.

For the sake of keeping that trust intact, the government worked with its constituents to come up with the Digital Charter along with laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA). After nearly two decades of being enforced, PIPEDA may soon be replaced by a new law that hopes to better fulfill the principles set in the Charter.

Simply called the Digital Charter Implementation Act, 2020, this new data privacy law for the private sector contains two acts. The first is the Consumer Privacy Protection Act (CPPA), which is a more modern version of PIPEDA. The second is the Personal Information and Data Protection Tribunal Act, a law that will establish a Personal Information and Data Protection Tribunal, or simply Tribunal.

If the Digital Charter Implementation Act becomes law, it will mean the following for individuals and organizations:

Organizations must expand their record of purposes

PIPEDA requires entities to note down their purpose for collecting personal information during or before the time of collection. CPPA will go further than PIPEDA by requiring organizations to also record their purposes for using and disclosing such info.

Consent provided by individuals must be meaningful

For individuals to meaningfully allow an organization to collect, use, and/or disclose their personal information, they must understand the nature, purpose, and consequences of such a decision. However, when privacy policies, terms of use, and consent forms are thousands of words long and chock full of legalese, people tend to just tick the ‘I agree’ checkbox to get giving consent over and done with. In short, they end up having no clue as to what they’re giving their consent to.

CPPA will counter this by requiring organizations to provide people with an abridged version of privacy information, one that is written in plain language and emphasizes key items such as:

  • What personal information is being collected about them
  • The purpose of collecting, using, and/or disclosing the information
  • With whom their info will be shared, if it is shared at all

These key items must be provided so that individuals can make quick but meaningful decisions when it comes to their personal information.

Individuals will gain extra rights with regard to their personal information

To let Canadians exercise greater control over their data, CPPA will grant them rights such as:

  • Have their personal information securely transferred from one organization to another (which means that organizations must develop the means to facilitate this)
  • Have their personal information be deleted by an organization
  • Withdraw their consent for the use of their information, provided that such use required their consent in the first place
  • Bring a claim against an organization for damages caused by that organization’s non-compliance with the CPPA

Businesses must be transparent with their automated decision-making systems

Firms that use algorithms or artificial intelligence to come up with significant recommendations, predictions, and decisions about individuals must be able to explain how such automated systems arrive at those things. In fact, the CPPA will grant individuals the right to request such explanations from businesses.

The Office of the Privacy Commissioner will be granted the power to issue orders

Once the CPPA is law, the Commissioner will have the authority to order organizations to do the following:

  • Implement measures to comply with the CPPA
  • Cease doing something that violates the CPPA
  • Abide by a compliance agreement
  • Publicly disclose the measures they are taking to correct practices, processes, and policies

The Personal Information and Data Protection Tribunal will have the power to impose onerous penalties

Once the Digital Charter Implementation Act is enacted and the Tribunal is created, that Tribunal will be granted the authority to make organizations pay dearly for their CPPA violations. The most serious of offenses can result in fines of up to $25 million or 5% of global gross revenues of their previous fiscal year, whichever is greater. When compared to existing rules, such penalties are some of the heaviest in the G7.

Past and projected timeline of the Digital Charter Implementation Act, 2020 (Bill C-11)

  • Nov. 17, 2020: Bill C-11 was introduced by Hon. Navdeep Bains, Minister of Innovation, Science and Industry.
  • Nov. 24, 2020: Second reading of the bill commenced; its general scope received support from each of the opposition parties in Parliament.
  • Jan. 25, 2021: Second reading of the bill concludes. If it passes a House vote, the bill will be referred to the Standing Committee on Access to Information, Privacy and Ethics (ETHI).
  • End of 2021: The bill is expected to be ratified into law by the end of this year, provided the government prioritizes this and it continues to enjoy opposition support.
  • 2022 to early 2023:

If Bill C-11 becomes law by end of 2021, its coming into force date — i.e., the date it becomes enforceable and organizations will have to follow its rules — will be “on a day to be fixed by order” of the federal Cabinet.

Minister Bains projects that the legislation he introduced will come into force 1 to 1½ years after royal assent. This means that companies will likely have the entirety of 2022 and perhaps even the first few months of 2023 to become ready for its implementation.

Businesses like yours must always be aware of proposed laws that may significantly affect operations. With XBASE as your IT partner, you can rest assured that, when it comes to new data regulations, your company will be among the first to be compliant. Drop us a line today to learn more about our Exponentially Better™ services.