A new report from the C.D. Howe Institute, Getting Personal: The Promise and Potential Missteps of Canada’s New Privacy Legislation, looks in depth at Bill C-27 amendments and legislative updates to federal privacy rules which apply in commercial settings.
Specifically, the paper looks at parts one and two of the bill, the Consumer Privacy Protection Act (CPPA) and the Data Protection Tribunal Act. They say an update to Canada’s federal privacy legislation is much needed but adds that legislators should be wary of proposed amendments that could increase costs and uncertainty around the implementation of the new law – with no discernible improvement in the protection of Canadians’ privacy.
“Effective rules regarding how personal data are handled are foundational,” the paper states. “However, in pursuing these goals (both the goal of privacy for individuals but also the goal of benefitting from the continuing transformation of the economy), governments should seek to preserve and even enhance the substantial benefits that Canadians can expect from the digitalization of the economy.”
They add that PIPEDA (the Personal Information Protection and Electronic Documents Act), is seen as a group of rules that are falling far out of step with other international and even domestic jurisdictions. “The CPPA will essentially supersede PIPEDA as it applies to the collection, use and disclosure of personal information in the course of commercial activities,” they write. “Key changes in the CPPA compared to PIPEDA include more specific requirements for determining what constitutes valid consent, including the need to communicate in plain language.”
They add that the new legislation introduces definitions and requirements for the anonymization and de-identification of data that did not exist in PIPEEDA. The law also imparts greater enforcement powers to Canada’s privacy commissioner, including the ability to issue orders and recommend monetary penalties.
In looking at the balance between preserving the privacy of personal information and policies that support a data-based economy, they say governments should not set rules that are so unwieldy that they become costly for businesses to navigate or make it difficult to expand in the digital space.
The paper concludes by making four recommendations including that governments and companies make wide-ranging efforts to help Canadians understand the benefits and risks of sharing or not sharing their personal data. It suggests the federal government leverage its trade and commerce power to seek harmonized privacy laws across the country. Third, it recommends legislators and governments allow a longer phase-in process for small businesses not dealing with sensitive information. Finally, they recommend the establishment of a privacy council of relevant federal and provincial regulators, consumers, businesses and those in research which pledge a duty of care with respect to privacy.