It is a mysterious and slightly chilling feature of life online: search on the internet for exercise equipment, shoes or personal grooming products, and instantly your social media feed is dominated by ads for resistance bands, flip flops and beard trimmers. Couple those experiences with stories about massive data breaches and shadowy operators exploiting social media to influence elections and it’s no wonder that eighty-four per cent of Canadians are concerned that businesses willingly share users’ personal data with third parties without consent.
Our personal information and preferences are the currency of the digital age, the source of the fabulous wealth of many internet giants. But our privacy and data protection laws have not kept up.
The Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how businesses collect and handle personal data, was drafted twenty years ago, long before the rise of social media and artificial intelligence. We desperately need an overhaul to meet the privacy needs of Canadians in the digital age.
Sadly, just as an update appeared imminent, we face another delay.
In November 2020, the federal government introduced Bill C-11, The Digital Charter Implementation Act, legislation that aspired to help Canadians regain control over their data, while enabling innovation.
CIRA and many others believed Bill C-11 was a long overdue step towards securing Canadians’ fundamental right to privacy and a golden opportunity to restore users’ badly shaken trust in the web.
But when the House of Commons rose at the end of June, with an election widely expected, it seemed that the legislation would die on the order paper. That is disappointing.
The bill had two components. First, it would enact the Consumer Privacy Protection Act (CPPA) that would replace PIPEDA. Second, it would implement the Personal Information and Data Protection Tribunal Act, which would establish an administrative tribunal to enforce the Privacy Commissioner’s decisions.
Words matter and so the CPPA should more properly be titled the Citizens’ Privacy Protection Act because the issues are more profound than simple retail transactions.
The CPPA would set new rules of the road for data protection in Canada, giving new powers to the Privacy Commissioner to crack down on infringements. The Commissioner could recommend fines that would be imposed by the new Personal Information and Data Protection Tribunal. The proposed penalties were serious: up to three per cent of global revenue for non-compliant organizations, and up to five per cent of global revenue for serious infringements. These penalties addressed a common criticism of PIPEDA, which was that organizations like Facebook that have breached individuals’ privacy rights do not face significant consequences.
Like PIPEDA, a central component of the CPPA was the requirement that organizations obtain consent for the collection, retention, and use of personal data, at or before the collection of the data. Put simply, Canadians must be warned and give the OK before their sensitive, personal information is collected. The validity of this consent depends on plain language explanation of why, how, and what personal data is being collected, as well as any disclosure to third parties and any potential consequences of the information sharing.
The CPPA also granted individuals the right to so-called “data mobility.” This meant users could ask organizations to transfer their information to another of their choice. For example, this would have empowered you to transfer all your financial history and transactions from one financial institution to another. In addition, there was a modified “right to be forgotten,” where individuals could request that organizations delete their data from their databases, say, after a user chooses to leave a platform.
Recognizing that users are confused about why certain content is being recommended to them online, Bill C-11 hoped to help make the process more open and understandable. The CPPA created transparency requirements for automated decision-making systems like recommendation algorithms. Platforms would have had to explain why a recommendation was made to an individual.
Of course, the bill was not without its shortcomings. CIRA believed, for example, that there should be a greater emphasis on people over platforms.
The legislation’s aspiration to improve data protection was undermined by a long list of collection activities that are exempted from requiring consent or informing individuals about the use of their data; things like gathering information to ensure the safety of a product or service. These knowledge and consent exceptions were meant to facilitate business innovation, but in the age of the Internet of Things, where personal data is collected through driving cars and using medical devices, there are concerns that they created significant opportunities for businesses to harvest too much personal data.
Dr. Teresa Scassa, the Canada Research Chair in Information Law and Policy, deemed them a “data protection disaster.” Chris Parsons from the Citizen Lab and Privacy Commissioner Daniel Therrien both emphasized how many of the Bill’s shortcomings are due to its foundations in commercial interests rather than in a human rights framework. Parsons had also called for amendments to be made to the bill to increase requirements for openness, transparency, and accountability for organizations.
After the Bill’s first reading in November, the digital policy agenda was taken over by the controversial Bill C-10, which seeks to subject online platforms like Netflix and Disney+ to regulations under Canada’s Broadcasting Act. CIRA argued that C-11 was too important to be shunted to the sidelines.
Privacy reform in Canada is long overdue and badly needed. While there remains room for improvement in Bill C-11, an election should not be the end of the line. If indeed the legislation dies on the order paper, MPs should commit to reintroducing it when Parliament reconvenes, with the necessary amendments, and passing it as soon as possible to give Canadians the proper privacy protections they deserve. Privacy is a fundamental right in the digital age, and vital to ensure a trusted, citizen-centric internet.
Bill C-11 is an opportunity for Canada to become a world leader in personal data protection, while helping our digital economy to thrive.
CIRA says let’s get on with it.