Canada’s Privacy Bill Inadequate to Fix Entrenched Issues, Critics Say
Canada's Privacy Commissioner Daniel Therrien, seen here in 2019, is among those who've voiced concern that Canada's privacy laws could leave consumer and business data vulnerable. Photo: Chris Wattie / Reuters
Canada’s existing privacy laws leave consumers and businesses exposed to misuses of data, mainly due to outdated rules and lack of enforcement ability for regulators, privacy commissioners and experts say, and a proposed new bill does not necessarily solve these issues.
Prime Minister Justin Trudeau’s Liberal government introduced Bill C-11 in November 2020, intended to modernize the oversight of data protection, but critics say it falls short of this goal. The bill has several hoops to pass through before it becomes law.
Canada’s data privacy laws saw a significant update roughly 20 years ago.
Changing technology — such as facial recognition and increased use of artificial intelligence – combined with a lack of enforcement power have “absolutely” left Canadians unprotected from data leaks and misuse, according to Jill Clayton, Alberta’s privacy commissioner.
The dearth of action means that Canada is “seriously starting to fall behind” jurisdictions like Europe, which implemented a landmark set of privacy laws in 2018, Clayton said.
In the United Kingdom, for instance, regulators have more enforcement powers, such as carrying out FBI-style raids, while Canadian regulators are often unable to deliver more than a slap on the wrist.
The lack of enforcement power was highlighted earlier this year, when Daniel Therrien, current federal privacy commissioner, issued a joint report with provincial counterparts into U.S. facial recognition Clearview AI’s actions in Canada.
The commissioners condemned the company’s practice of using Canadians’ photos posted to social media to build a database, but could not force the company to return or delete the data.
Similarly, when sensitive information of 15 million Canadians was leaked at LifeLabs, Canada’s largest provider of specialty medical laboratory testing, commissioners said they were limited in their ability to hand out appropriate punishment.
One outcome of Canada’s outdated privacy law is that industries that handle a lot of data, such as banks, have had to evolve ahead of the legislation due to the increasing gap between modern technologies and existing laws, said Robert Colangelo, senior vice president of the global financial institutions group at DBRS Morningstar.
To strengthen Bill C-11, Therrien’s office submitted 60 recommendations to the government, including a shift in focus towards privacy rights of individuals and away from prioritizing commercial interests.
A spokesman for Innovation, Science and Industry Minister Francois-Philippe Champagne said the bill provides a clear framework of rules that allow “Canadian businesses to innovate while protecting Canadians’ privacy,” and its passage is “a top priority.”
The bill also proposes companies that fail to protect the personal information of Canadians could be fined up to 5% of global revenue. Therrien said in a recent statement said that the penalty is “unjustifiably narrow and protracted.”
David Fraser, a lawyer at McInnes Cooper who advises Fortune-100 companies on technology and privacy laws, acknowledges that Bill C-11 is a compromise, but is concerned the bill would make the privacy commissioner “judge, jury and executioner.”
“There’s something in there to disappoint everybody,” Fraser said.
(Reporting by Moira Warburton in Toronto l Editing by Nick Zieminski)