During the past 6 years it has been beyond frustrating to watch little to nothing happen with our Canadian privacy laws, despite the constant and very public cry of our leading privacy experts such as Daniel Therrien, our Privacy Commissioner.
Technology has certainly not stood still. PIPEDA was passed 20+ years ago (with little to no enforcement capabilities by the Office of the Privacy Commissioner, or anyone else for that matter). The Apps, browsers and websites who constantly capture our personal data and use it in ways beyond our imagination, selling it to third parties for their use as well, is staggering yet commonplace.
So much so, the EU implemented the General Data Protection Regulations (GDPR) in May of 2018 and are aggressively trying to protect EU citizens rights across the board. And California has passed 2 laws (CPPA and CPRA) in the last 4 years in an attempt to do the same for California citizens whose privacy rights are being constantly abused. Just about every region in the world are developing their data protection laws, even China! Meanwhile back in Canada; crickets.
Well, not complete crickets. In May of 2019, the then Minster of Innovation, Science and Economic Development, Navdeep Bains with photo opportunities and a little fanfare within the privacy community introduced Canada’s Digital Charter. These 10 principles were meant to guide us while “building trust in a digital world”.
In November 2020, almost a year and a half later, ISED introduced Bill C-11, billed as “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts”. and “proposals to modernize the Personal Information Protection and Electronic Documents Act (PIPEDA). They called it a “balanced approach”, but let’s unpack that statement.
On the one hand, collectively, business has been doing whatever they please with individuals personal data for about 20 years now. With an eye to what technology allowed them to do and very few asking “should we do that”, we (the collective business community lead by social media platforms) developed some very questionable practices around what we used that Personal Information for. We all accepted these practices as part of the “digital world”.
Meanwhile in the other camp, the individual lost any sense of control or trust that organizations would respect their privacy. We signed up for “free” services galore on the internet. It turns out “free” may have been very expensive indeed.
So now we have these two polar “camps” – business who think they own the data and can do whatever they want and Canadian citizens who just want their right to privacy to be protected.
First, let’s be clear, Bill C-11 is not a “balanced approach”. In fact the thumb is on the scale, heavily in favour of business. With the 33 exceptions to requiring consent (Sec 18 – 51) businesses like Facebook and Google can just keep on doing what they are doing!
And the Data Protection Tribunal made up of up to 6 individuals, only one requiring a privacy background, to judge the investigations of the Office of the Privacy Commissioner’s investigations (the real privacy experts) and decide if a fine should be assessed! As the Privacy Commissioner stated in his submission to the ETHI Committee in May 2021, this could delay enforcement of individual’s privacy rights by up to 7 years!
But the law includes a private right of action. Surely that will ensure “strong enforcement”, one of the 10 principles of Canada’s Digital Charter?
Well, turns out it is actually a “limited” PRA. A company must be fined by the Tribunal before a class action lawsuit can be brought against it. That company has the right of appeal of the OPC finding/investigation (could take years), the ruling of the Tribunal (could take a few more years). And if that’s not enough, participants must prove any damages they are claiming, which any lawyer will tell you is an extremely high legal bar to meet. So while there is technically a private right of action included in the law, in the real world it could hardly ever be used to enforce that law.
I guess that’s what happens when the department of the Government responsible for economic development and the promotion of business in Canada also has the responsibility to develop laws protecting individual privacy rights. That is truly a conflict of interest rather than a “balanced approach”.
Maybe that’s a good place to start. Maybe we should separate “Church” and “State”.
Consent is required except for the 33 exceptions, which makes consent a non-issue. “Strong enforcement” is nowhere in sight. And this government continues to leave Canadian citizen’s privacy unprotected during this perilous time online. To be clear, 29 countries agreed on the 99 articles and 173 recitals contained in the GDPR and we cannot get 1 small country to table privacy and data protection laws that begins to protect Canadian’s privacy rights at home let alone around the world.
As Chairman of the Response Marketing Association, we will commit our resources to help protect Canadian’s privacy rights and ensure that all marketers who are members, operate to ethical standards and industry best practices that are in the best interest of the consumer in Canada.
To that end we call on all involved to step up and introduce a law that does the primary job: protect Canadians privacy rights.
Business will simply have to change their bad habits or suffer the consequences.