Privacy commissioner calls proposed privacy legislation a “step back” from current laws

The federal government’s proposed privacy legislation has received blowback from Canada’s privacy commissioner, who recently called the legislation a step back from current laws.

Daniel Therrien, Canada’s privacy commissioner, submitted his feedback and 60 recommendations on Bill C-11, which was first introduced in late 2020. Therrien said significant changes are needed to the bill as it currently stands in order for it to effectively protect the privacy rights of Canadians.

Therrien said the bill could arguably give more weight to commercial interests than the current laws.

Bill C-11, also known as the Digital Charter Implementation Act, is aimed to modernize Canada’s current privacy laws, which include the Privacy Act, and notably the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private sector organizations collect, use and disclose personal information.

The proposed legislation would implement the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). In November, former Minister of Innovation Navdeep Bains said the bill was designed to protect the privacy rights of individuals while also creating an environment that encourages rather than hinders innovation.

In his submission to the chair of Canada’s standing committee on access to information, privacy, and ethics, Therrien said the bill could arguably give more weight to commercial interests than the current laws in place, and give less weight to technology’s disruption of privacy rights over the last 20 years.

“Why do I say that the bill as drafted would represent a step back? In general terms, because the bill, although seeking to address most of the privacy issues relevant in a modern digital economy, does so in ways that are frequently misaligned and less protective than laws of other jurisdictions,” Therrien said.

One key issue in Bill C-11 Therrien highlighted is that the bill’s current provisions give individuals less control, not more, over their information. One of the proposed goals of Bill C-11 is to enhance consumers’ control over their personal information, and Therrien noted that rules governing consent must ensure that consent is “informed and meaningful.”

Therrien said the “understanding” requirement, which is key to the validity of consent, is absent from the bill, and that the bill instead simply prescribes elements that must appear in a privacy notice.

Therrien also noted that Bill C-11 includes new exceptions to consent obligations that are too vague to encourage innovation in companies without putting consumers’ privacy at risk. He said this indicates that the bill’s focus on certainty and flexibility for business supersedes the need to subject businesses to objective standards and oversight.

RELATED: Privacy Commissioner claims facial recognition company Clearview AI violated Canadian privacy laws

Another key issue the commissioner highlighted is the bill’s current administrative monetary penalties would not apply to “the most frequent and important violations.”

Bill C-11 lists monetary penalties that apply to companies that act in contravention of the new legislation. Therrien called the list of contraventions “narrow,” adding that obligations related to the form of consent and violations of accountability provisions are absent, rendering the proposed penalties “completely ineffective.”

Therrien also referenced laws in other jurisdictions, including in Singapore, the United Kingdom and provinces such as Ontario and Quebec, which generally give data protection authorities the ability to issue monetary penalties for almost any violation connected to the collection, use or disclosure of personal information. He recommended the federal government make the range of violations in Bill C-11 “much broader.”

Therrien acknowledged the bill provides more flexibility to businesses, but said this increased flexibility to use personal information without consent does not come with the “additional accountability one would expect.” The commissioner said though he agrees businesses need some level of certainty and flexibility, it must be within the law.

“The focus on checks and balances for the regulator and more certainty and greater flexibility for businesses seems misplaced,” he said. “It leads to the flaws identified earlier and to an imbalance in the law on the importance of rights and commercial interests.”

Bill C-11 is currently under parliamentary review. The legislation entered into second reading in late November. It must still pass third reading and through the Senate, for it to become enacted into Canadian law.

Image source Pixabay.

Isabelle Kirkwood

Isabelle Kirkwood

Isabelle is a Vancouver-based writer with 5+ years of experience in communications and journalism and a lifelong passion for telling stories. For over two years, she has reported on all sides of the Canadian startup ecosystem, from landmark venture deals to public policy, telling the stories of the founders putting Canadian tech on the map.

0 replies on “Privacy commissioner calls proposed privacy legislation a “step back” from current laws”