Written by Tiffany Wang, IPilogue Contributing Writer and J.D. candidate at Osgoode Hall Law School (Class of 2023).
Big Tech companies like Facebook and Google collect and store users’ personal and potentially sensitive information. Canadians are generally compelled to accept this practice; however, the ongoing COVID-19 pandemic has sparked new concerns over surveillance practices, like tracking and recording individuals. In an interview with CTVNews.ca, Samuel Woodhams, a digital rights activist, indicates that 25 percent of the 53 contact-tracing apps used globally lack privacy policies. Without privacy protection, the risks of personal data leakage are too high to ignore.
On November 17, 2020, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020 (DCIA). It proposes three major changes:
- Repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) governing personal information and privacy;
- Enact the Consumer Privacy Protection Act (CPPA); and
- Introduce a Personal Information and Data Protection Tribunal (Tribunal) governed by PIPEDA.
These recommendations would strengthen the impact of Canada’s privacy laws on the private sector. They underscore the federal government’s attempt to balance individuals’ fundamental right to privacy and the crucial function of information in advancing business, innovation, and commerce.
Consumer data is subject to heightened protection pursuant to Bill C-11. If enacted, the DCIA would, barring consumer consent, shield sensitive medical, financial, and social information and data from private entities. In effect, individuals would have increased autonomy over their online identity, by allowing them to meaningfully consent to the sharing of their data.
The DCIA’s new transparency requirements also address algorithmic transparency concerns. For example, businesses must be transparent about how they deploy automated decision-making systems to generate recommendations. These requirements will entitle consumers to request that businesses explain how they process and use personal information. In turn, businesses must comply with the DCIA to clarify how their algorithmic systems generate and analyze consumer data. Bill C-11 expands the definition of automated decision systems and will implicate a larger number of computer systems than those currently captured by PIPEDA.
It is important that the federal government balances privacy concerns with advancing Canada’s innovation and technology sector. Bill C-11 notes Canada’s ambition to keep pace with the European Union and the United States in simplifying privacy and e-protection laws for commerce and businesses. For example, Bill C-11 adds a new “business activities” exception for requiring consent. Businesses will not be required to obtain consumer consent for every transaction in the process of delivering products or services.
Additionally, Bill C-11 promotes the sharing of data between private and public spheres to leverage data pools. Under Bill C-11, the federal government possesses increased oversight and enforcement powers over private parties. If the CPPA were successfully implemented, the Privacy Commissioner will reside above business entities, enabling the Government to stop organizations from collecting certain data. In addition, the Privacy Commissioner may, through the Tribunal, impose administrative fines up to three percent of a business entity’s global revenue, or $10 million for breaches.
Bill C-11 is attractive from both consumer and business standpoints. Not only do its recommendations strengthen individual autonomy and information transparency, but they also simplify business transactions by making it easier to obtain consent and foster increased dialogue between governmental agencies and private companies in sharing de-identified data.
Perhaps there is a silver lining to the pandemic to pave way for more robust privacy laws. As Canadian technology and commercial innovation increasingly depend upon data collection, it is prudent to bolster privacy.