Every day we generate more and more data, and we hope that companies use that data to develop better products and services. But, hope, as they say, is not a strategy.
Data protection legislation is now a global reality, and we are constantly being bombarded with requests to access, use, and share our personal information. Data breaches are almost routine, and recent figures from Risk Based Security reveal that 2020 was the “worst year on record” with 36 billion publicly reported breaches. With the introduction of new technologies like the use of artificial intelligence (AI) in profiling and facial recognition software, it’s not clear to most of us how our personal information is being used or abused.
For the past 20 years, Canada has relied on the “Personal Information Protection and Electronic Documents Act” (PIPEDA) when it comes to the protection of personal data collected by the private sector. The year was 2000, and Canada was scrambling to build consumer confidence around a new online commerce model. So a set of rules (which became known as PIPEDA) was quickly drafted and tacked on to the existing “Canadian Standards Association Model Code for the Protection of Personal Information.” In reality, it was a piece of cobbled-together legislation without much in the way of substance or enforceability.
Legislators around the world have been working to change legislation when it comes to the protection of personal information. Europe led the charge in 2016 with the “General Data Protection Regulation” (GDPR), and then California introduced the “California Consumer Privacy Act” (CCPA) in 2018. Quebec and Canada are not far behind.
On June 12, 2020, Quebec introduced Bill 64 — ”An Act to modernize legislative provisions are regards the protection of personal information.” Then on November 17, 2020, the Canadian government proposed Bill C-11, the Digital Charter Implementation Act, (DCIA), with a view to modernizing the framework for the protection of personal information in the private sector, and give us confidence that our data is safe and our privacy is respected.
This legislation takes a number of important steps to ensure that Canadians will be protected by law, even as technology continues to evolve. Some highlights:
Meaningful consent: The legislation provides specific guidelines for what is considered meaningful, valid consent for the collection and use of personal information.
Control and transparency: The law allows individuals to ask for an explanation of how their personal information was used or obtained.
Data mobility: The legislation opens the door to data portability, and the freedom to move information from one organization to another in a secure manner.
Penalties: The law provides for the strongest fines among G7 privacy laws—with fines of up to 5% of revenue or $25 million, whichever is greater, for the most serious offences.
Canadian government officials have indicated that there will be a grace period for businesses to get ready for the new legislation, and no date has currently been set for when Bill C-11 will come into force. It’s never too early for businesses to start looking at their current practices and identify potential issues that could hinder their ability to meet their new compliance obligations.