A new national privacy bill proposed in Canada is expected to significantly increase protections for Canadians’ personal information.
Bill C-11, Canada’s newly proposed national privacy bill, also referred to as the Digital Charter Implementation Act, 2020, will give Canadians more control and transparency when companies handle their personal information, and is therefore expected to increase the protection of that information. The bill is said to reshape Canada’s privacy framework. In the wake of the “Schrems II” judgment in the EU, and with the U.S. examining its own federal privacy legislation, international data flows have been challenged, inspiring the introduction of further legislation in that regard.
This new bill was introduced by the Minister of Information Science and Economic Development, Navdeep Bains, who raised an important point about the need for interoperability with both EU and U.S. legislation.
The President of the Canadian Internet Registration Authority, Byron Holland, applauded the bill and said, “Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users.” The Minister of Information Science and Economic Development, Navdeep Bains, said, “As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. … For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement.” He also raised an important point about the need for interoperability with both EU and U.S. legislation, and for adequacy to be achieved through this legislation.
The new national privacy bill in Canada, if passed, could mean several significant changes, including the possibility of hefty fines for companies found to be in violation.
If the bill passes, there could be fines of up to five per cent of global revenue or $25 million CAD, whichever is higher, for companies found to be in violation. Bill C-11 also includes the Personal Information and Privacy Protection Tribunal Act as well as the Consumer Privacy Protection Act. This bill would also give the federal privacy commissioner the power to make orders, including the ability to force an organization to comply and to order a company to stop collecting data or using personal information.
The Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information, withdrawal of consent and disposal of personal information.
This new Digital Charter Implementation Act focuses on key principles, including algorithmic transparency, data mobility, de-identified information, and finally, withdrawal of consent and disposal of personal information. In this fact sheet, the in-depth clarifying questions surrounding DCIA 2020 are answered, including insight on how this new legislation may promote a strong Canadian digital environment,
How do the key principles of DCIA 2020 compare to current GDPR regulation?
There has been much talk of the interoperability of the DCIA and the GDPR; however, it is interesting to note how they compare with regard to basic principles. The following table compares the two regulations based on the key principles of the Digital Charter Implementation Act.
| Key principle | DCIA 2020 | GDPR |
|---|---|---|
| Consent | New rules on consent would ensure that individuals have sufficient information in plain language, allowing them to make meaningful decisions about the use of their personal information. | According to the GDPR, a data subject’s consent must be freely given, specific, informed and unambiguous. The individual must indicate, by a clear affirmative action, their agreement to the processing of their personal data. |
| Data mobility | The proposed bill would give people the right to direct the transfer of their personal information from one organization to another. For example, people would have the power to direct their bank to share their personal information with another financial institution. | The right to data portability allows individuals to obtain, reuse, move, copy or transfer their personal data for their own purposes across different services without affecting its usability. This right, however, only applies to information an individual has provided to a controller. |
| Disposal of personal information and withdrawal of consent | The new DCIA legislation would allow data subjects to request that organizations discard their personal information and, in most cases, allow them to withdraw consent for the use of their personal information. | The GDPR gives people a specific right to withdraw their consent at any time. It must also be as easy to withdraw consent as it was to give it, meaning the process of withdrawing consent should be an easily accessible one-step process. |
| Algorithmic transparency | Businesses will need to be transparent about how they use automated decision-making systems, like algorithms and artificial intelligence, to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how the automated decision-making process of a system led to a prediction, recommendation or decision, and explain how the information was obtained. | The GDPR grants the data subject the right not to be subject to a decision, which produces legal effects concerning him or her or similarly significantly affects him or her, based solely on automated processing, including profiling. In certain specific situations identified as legitimate exceptions according to Article 22 of the GDPR, this type of processing is valid, although additional measures are required: “…the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision”. |
| De-identified information | The legislation will clarify that personal information with direct identifiers, such as names, removed must be protected and that it can be used without an individual’s consent only under certain circumstances. | Article 6(4)(e) permits the processing of pseudonymized data for uses beyond the purpose for which the data was originally collected, subject to certain conditions. |