December 1, 2020
A recent announcement by Canada’s Minister of Innovation, Science, and Industry suggests the federal government is willing to listen to critics who have been calling for an overhaul of Canada’s existing privacy legislation for some time. Currently, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Privacy Act are the main federal laws governing privacy in the country, along with a patchwork of provincial legislation. Bill C-11 would repeal and replace PIPEDA with the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPTA”).
The new regime would include a number of changes including the addition of various privacy rights similar to those found in the EU’s General Data Protection Regulation (“GDPR”). The right to algorithmic transparency would mean that where organizations employed automated decision systems (such as predictive analytics) consumers could request an explanation as to how their personal information was obtained and used by the decision-making system. The right of disposal would allow individuals to request organizations dispose of information collected about them. The Bill also includes expanded powers for the Privacy Commissioner and significantly harsher penalties for contraventions of the law.
Privacy Commissioner Daniel Therrien recently warned of damage to public confidence and relations with European commercial partners, should the government fail to update Canada’s privacy legislation. Therrien’s message comes as the European Privacy Commissioner determines whether Canadian laws are sufficiently in line with the GDPR. In a recent report, the Commissioner lauded the human rights-based GDPR and noted the ability of European companies to continue to operate successfully despite tougher restrictions under the regulation.
To the south, change is also on the way. California’s Silicon Valley is well known for being home to power players in the technology space. Yet it is also home to some of the most stringent privacy laws in North America. The state recently passed the Consumer Privacy Rights Act (or Proposition 24). The law will allow consumers to bar businesses from selling or sharing their personal information. It will also limit the ability of websites to track and sell data to advertising partners. This law is in addition to existing privacy legislation such as the California Consumer Privacy Act (“CCPA”), which also provides for various rights of consumers over the collection of their personal information. Passage of Proposition 24 in many ways represents North America playing catch up with European regulations like the GDPR.
Privacy legislation intersects with the tech sector in many ways. In recent years consumers have become more sophisticated, with increased knowledge of how collection of personal data is integral to companies like Google, Facebook, and Instagram. In addition, as COVID-19 has led to changes in consumer habits and increased e-commerce, the privacy concerns of Canadians have come further to the fore. Whether new legislation amounts to meaningful change remains to be seen, but the trend toward more robust privacy protections is clear. As Canadian cities increasingly consider themselves tech hubs, vying for the title of “Silicon Valley North”, players in the Canadian tech sector would do well to monitor developments in this space. For more information on the proposed changes see Goodmans Client Update: “Federal Privacy Regulation 2.0: Now with Bite and Bark.”
Author: Emma Baumann