With the turbulence surrounding the COVID-19 pandemic and the 2020 United States election, Canada’s proposed new privacy law, the “Digital Charter Implementation Act” may have gone under the radar of many Canadian organizations. This proposed law includes fines up to $25 million or 5% of global revenue (whichever is greater) for the most significant offences.
To date, Canada already has active two privacy laws. The Privacy Act pertains to government agencies and federally regulated industries, whilst the Personal Information Protection and Electronic Documents Act, or ‘PIPEDA’, applies to private-sector organizations.
On November 17, 2020, Innovation Minister Navdeep Bains presented the Digital Charter Implementation Act (DCIA) — Through the proposed Digital Charter Implementation Act, the Government of Canada intends to establish a new privacy law for the private sector, the Consumer Privacy Protection Act (CPPA), repealing Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). The Digital Charter Implementation Act, Bill C-11, represents one of the greatest reforms in Canada’s privacy law in years, significantly increasing protections for Canadian’s personal information – including drastically expanding the penalties for violation of federal private sector privacy law.
“The COVID-19 pandemic has accelerated the digital transformation which is changing how Canadians work, access information, access services, and connect with their loved ones. This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology we need a system where they know how their data is used and where they have control over how it is handled. For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement. This legislation represents an important step towards achieving this goal.”
The Honourable Navdeep Bains, Minister of Innovation, Science, and Industry
Laying the Groundwork
According to Bains, the fines suggested are to enforce a level of accountability. The consequential fines under the proposed legislation would deliver some of the strongest fines among the G7 nations’ privacy laws. The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations.
However, for the most serious offences, the federal government has the ability to serve offending business organizations with fines of up to 5% of global revenue or $25 Million, whichever is greater. The severity of the proposed fines seeks to provide Canadians with greater control and transparency over the ways by which an organization can handle their personal data; a testament to Canada’s commitment to citizens’ rights to privacy. Provided the legislation passes, organizations will be required to obtain consent from their customers in plain language, in other words, not jargon-laden legal documentation, before using their personal data. In addition, the rules governing the practice of removing direct identifiers (such as a name) from personal information will clarify that this personal information must be protected and that it can be used only under certain, defined circumstances without an individual’s direct consent. Certainly, this is a step in the right direction. To provide a brief summary of the main contents of the legislation, below are the take-homes as outlined on the Government of Canada website:
This legislation takes a number of important steps to ensure that Canadians will be protected by a modern and responsive law and that innovative business will benefit from clear rules, even as technology continues to evolve, including: increasing control and transparency when Canadians’ personal information is handled by companies;giving Canadians the freedom to move their information from one organization to another in a secure manner;ensuring that Canadians have the ability to demand that their information be destroyed;providing the Privacy Commissioner with broad order-making powers, including the ability to force an organization to comply and the ability to order a company to stop collecting data or using personal information; andensuring the strongest fines among G7 privacy laws—with fines of up to 5% of revenue or $25 million, whichever is greater, for the most serious offences.
Government of Canada Website, November 17, 2020
Ultimately, the proposed Digital Charter Implementation Act, 2020 lays the groundwork of trust and transparency among citizens, companies and government, as well as ensures that innovators and business organizations benefit from a modernized framework with clearly defined rules.
Social Media Implications
While social media platforms such a Facebook and Instagram are already subject to the same laws as other organizations operating in the Canadian marketplace, the CPPA would safeguard that Canadians have the ability to demand that their information on these platforms be permanently deleted. When consent is withdrawn, Canadians can demand that their information be destroyed. To reinforce this effort, the Privacy Commissioner will have the broad “order-making powers” to order a social media company to comply, including the ability to order it to stop collecting data or using personal information.
What Does This Mean for Canadian Organizations?
Assuming the proposed Digital Charter Implementation Act is passed, organizations across the country have it in their best interest to prepare themselves. Whereas, the Personal Information Protection and Electronic Documents Act, or ‘PIPEDA’, threatened a maximum fine of $100,000, the newly proposed legislation’s penalties have the potential to impose significantly greater monetary damages.
To stay protected, there are a number of measures that your organization can implement, including a comprehensive review of existing security safeguards that your organization currently has in place. In addition to this, we highly recommend that the vast majority of organizations bring penetration testing into their arsenal.
For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications