In a long-awaited move, Navdeep Bains, Canada’s Minister of Innovation, Science and Industry, introduced Bill C-11 — the Consumer Privacy Protection Act. The Minister described the new law as a significant update of PIPEDA, and acknowledged that the last time Canada’s privacy laws were updated was 20 years ago, when PIPEDA was first introduced — before social media and the Internet of Things.
The new CPPA provides a range of remedies that have long been recommended by the Privacy and Access Council of Canada, privacy advocates, Commissioners, and civil society groups.
Features of the new legislation include a requirement that consent be in plain language, “not a 30-page legal document.” Companies will have to provide better transparency, to enable Canadians to understand how their information is collected and used.
With the increase in ‘artificial intelligence’ systems determining everything from criminality and creditworthiness to eligibility to rent an apartment, it is important to note that CPPA also provides algorithmic transparency — the right to have businesses explain how decisions about them are made by automated decision-making systems.
Under the new law Canadians consumers who withdraw consent will have a right to demand their information be destroyed, and may complain to the Office of the Privacy Commissioner of Canada if their request is not fulfilled.
The CPPA will also provide the Privacy Commissioner of Canada with order-making power, the power to conduct inspections, and the ability to recommend Administrative Monetary Penalties of up to 5% of global revenue for non-compliance. The OPC’s recommendations will be given to a new tribunal, which will help keep complaints out of the Courts.
In his introduction of the CPPA, MP Bains characterized it as providing the strongest privacy protections of any G7 country, including GDPR and the CCPA . The Minister also indicted that the OPC’s budget will receive “the appropriate resources” to make sure that they are able to execute their powers to protect Canadians.
While this new CPPA appeared at first glance to be a good start, digging deep, it appears to be little more than PIPEDA with fines. The key differentiator of the GDPR, which the Privy Council stated would be the “starting point” of Canada’s new privacy law, is that it treats personal information and data subjects from a Human Rights perspective. Canada’s federal government has authority over human rights (c.f.. The Human Rights Act). There are a number of areas where this new act must be improved if it is to be a meaningful upgrade to Canada’s archaic and impotent privacy frameworks. (a) The basis of the Act must be that data privacy is a fundamental human right worthy of strong protections, (b) types of data should be segregated, as with the GDPR, and robust protections added for vulnerable data subjects, (c) the Privacy Commissioner must be given the ability to penalize those who do not comply with CPPA, (d) and finally, the framework details of the GDPR should be a baseline starting point. I strongly encourage the federal government to sit down with their provincial counterparts and work out a national data privacy set of standards, similar to GDPR, encompassing all data subjects in Canada, merging public, private, corporate, non-profit and individual use of personal data into one, comprehensive and robust set of standards that protects all Canadians at all times, regardless of where they are located in the world. This current act is little more than PIPEDA with muscle, and passing it would not significantly improve data protection rights in Canada.