Federal privacy laws are getting an update. The federal government has introduced a new bill which proposes to tighten and clarify the law around the protection of personal information and personal privacy and also give enforcement more teeth. The Bill, Bill C-11 The Digital Charter Implementation Act, 2020, passed first reading on November 17, 2020.
New laws and a new tribunal
The Bill would introduce a new law, the Consumer Privacy Protection Act, as well as change the existing Personal Information Protection and Electronic Documents Act. It further proposes the creation of a new tribunal via the Personal Information and Data Protection Tribunal Act. This tribunal would hear appeals of decisions of the Privacy Commission under the Consumer Privacy Protection Act and impose penalties for contraventions of the Consumer Privacy Protection Act.
New powers and big fines
The Bill would also empower the Privacy Commissioner to make orders to organizations regarding compliance and recommend penalties where breaches occur. The newly created Personal Information and Data Protection Tribunal would be empowered to impose penalties based on the decision of the Privacy Commissioner, as well as hear appeals from Orders made by the Privacy Commissioner.
Proposed penalties would be up to the greater of up to $10 million or 3% of an organization’s gross global revenue. Criminal penalties would also be available for certain of the most serious breaches. For example, a breach that creates a real risk of significant harm to an individual, or where an organization is obstructing the Privacy Commissioner’s investigations. These criminal penalties could carry fines of up to $25 million or up to 5% of an organization’s gross global revenue.
The Bill also proposed new privacy rights for individuals, for example, the right to “mobility of personal information.” This right is the right of an individual to request that an organization disclose the personal information that it has collected from the individual to an organization designated by the individual. So an individual could ask that one organization share their personal information with another — giving individuals the right to “mobilize” their personal information.
The Bill would also legislate standards for how information is de-identified.
The pandemic has only increased our reliance on virtual data, highlighting the importance of modernizing our privacy laws with respect to our digital footprints. We will keep you posted as this Bill moves through the legislative process.