Commissioner: Reform bill “a step back overall” for privacy
GATINEAU, QC, May 11, 2021 – A bill aimed at modernizing Canada’s outdated private sector privacy law would be “a step back overall” from the current law and needs significant changes if confidence in the digital economy is to be restored, the federal Privacy Commissioner says.
At the request of the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI), Commissioner Daniel Therrien has shared his submission on Bill C-11, the federal government’s proposed new private sector privacy law. In the submission, he notes, the bill is frequently misaligned and less protective than the laws of other jurisdictions.
“The bill would give consumers less control and organizations more flexibility in monetizing personal data, without increasing their accountability,” Commissioner Therrien says. “Furthermore, the penalty scheme is unjustifiably narrow and protracted.”
The Commissioner also noted the Office of the Privacy Commissioner of Canada (OPC) would be subject to several constraints when it needs more flexible tools to achieve its mandate in a difficult and rapidly changing environment.
“Privacy is not an impediment to innovation. On the contrary, legislation that effectively protects privacy can contribute to economic growth by providing consumers the confidence that their rights will be respected,” he says. “Many countries with strong privacy laws are also leaders in innovation.”
The submission sets out some 60 recommendations aimed at ensuring the Bill enhances privacy protections for Canadians while enabling responsible innovation for businesses. The Commissioner’s concerns include:
Instead of giving consumers greater control over the collection, use and disclosure of their personal information, Bill C-11 offers less control. It omits the requirement under existing law that individuals understand the consequences of what they are consenting to for it to be considered meaningful, and it allows the purposes for which organizations seek consent to be expressed in vague, if not obscure, language.
- New flexibility without increased accountability
In the digital economy, organizations need some degree of flexibility to use personal information, sometimes without consent, in order to maximize the potential of the digital revolution for socio-economic development. But with greater flexibility for companies should come greater accountability.
Unfortunately, Bill C-11 weakens existing accountability provisions in the law by defining accountability in a manner akin to self-regulation.
Organizations should be required to apply the principles of Privacy by Design and undertake privacy impact assessments for new higher risk activities. The law should also subject organizations to proactive audits by the OPC to ensure they are acting responsibly.
- Responsible innovation
Bill C-11 seeks to provide greater flexibility to organizations through new exceptions to consent. However, certain exceptions are too broad or ill-defined to promote responsible innovation. The preferred approach would be to adopt an exception to consent based on legitimate business interests, within a rights-based approach.
- A rights-based foundation
Bill C-11 prioritizes commercial interests over the privacy rights of individuals. While it is possible to protect privacy while giving businesses greater flexibility to innovate responsibly, when there is a conflict, privacy rights should prevail.
To that end, the Bill should be amended to adopt a rights-based framework that would entrench privacy as a human right and as an essential element for the exercise of other fundamental rights. The OPC submission recommends doing this in a way that would strengthen the constitutional foundation of the law as properly within the jurisdiction of Parliament.
- Access to quick and effective remedies
Bill C-11 gives the OPC order-making power and the ability to recommend very high monetary penalties. However, both are subject to severe limitations and conditions, including the addition of an administrative appeal between the OPC and the courts that would deny consumers quick and effective remedies.
Only a narrow list of violations could lead to the imposition of administrative penalties. The list does not include obligations related to the form or validity of consent or the numerous exceptions to consent. It also does not include violations of the accountability provisions.
In the case of failure to comply with these obligations, only criminal sanctions would apply and only after a process that could take approximately seven years. A process that would take a maximum of two years is recommended.
In the submission, Commissioner Therrien notes the paradox of new technologies that open the door to important benefits while posing a threat to our private lives.
“As a society, we must project our values into the laws that regulate the digital space. Our citizens expect nothing less from their public institutions. It is on this condition that confidence in the digital economy, damaged by numerous scandals, will return,” he says.
Letter to the Chair of the Standing Committee on Access to Information, Privacy and Ethics
Chart: Jurisdictional Comparison – Privacy Protections
Complaint timelines: C-11 vs OPC recommendations
Bill C-11’s Treatment of Cross-Border Transfers of Personal Information
Privacy in a pandemic: 2019-2020 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act
Privacy Law Reform: A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy (2018-2019 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act)
For more information
Office of the Privacy Commissioner of Canada
Report a problem or mistake on this page
- Date modified: