Digital Charter Implementation Act also includes ‘right to be forgotten,’ plain language requirements
Federal privacy legislation tabled yesterday will impose heavier fines on businesses for breaching individuals’ digital privacy rights and give individuals greater control over their personal information.
The Liberal government’s Digital Charter Implementation Act proposes the most significant changes to privacy legislation in a decade. The act will, if passed, enact two new acts: the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, and amend some other acts.
“I would say it’s the most important privacy reform in 20 years,” says Chantal Bernier, head of Dentons Canada LLP’s Canadian Privacy and Cybersecurity practice group, and interim Privacy Commissioner of Canada from 2013 to 2014.
“From my standpoint, the most important change is from an ombudsman’s model to an enforcement model, meaning the privacy commissioner will not only have powers of recommendation, it will now have order-making powers,” she says, including to demand a company stop collecting or using personal information. A tribunal would have the power to determine fines to be imposed, and to receive appeals from findings of the Office of the Privacy Commissioner of Canada.
The corporate fines that would be imposed for the most serious infractions of digital privacy are also significant: 5 per cent of an organization’s gross global revenue in its financial year before the one in which the organization is sentenced, or $25 million, whichever figure is higher. In announcing the legislation, Minister of Innovation, Science and Industry Navdeep Bains said these fines would be the highest among G7 countries.
“To me, that is the most important change,” says Bernier. “I think that the penalties will have a significant impact on the respect for privacy rights. Companies will now pay much more attention to that, I believe.”
A private right of action has also been created that will allow individuals to seek relief for violations of their privacy. Section 106 of the act gives affected individuals a cause of action against the organization for damages if the commissioner has made a finding that there was a contravention, the finding is not appealed or the tribunal has dismissed the appeal, Bernier says.
As well, the proposed legislation would require companies, when getting consent from customers, to state in plain language the purposes of the collection, use or disclosure of information; how the information will be used; any reasonably foreseeable consequences of that collection, use or disclosure; the specific type of information that will be collected; and the names of any third parties to which the organization may disclose the personal information.
Individuals will also have the right to direct the transfer of their personal information from one organization to another — for example, from their bank to another financial institution.
The act supports Canada’s Digital Charter announced by Minister Bains in May 2019; its “10 principles” include control and consent, and strong enforcement and accountability.
The act increases individuals’ control over their personal information through greater transparency, buttressing consent, and the express right to obtain deletion of information from online sources under certain circumstances, Bernier says, and will facilitate individuals’ ability to control their online identity and information available to the public.