On November 17, the Canadian government introduced Bill C-11, better known as the Digital Charter Implementation Act, which will see the North American country make amendments to its data privacy policies. It has been described by Innovation Minister Navdeep Bains as an “act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.”
The Digital Charter Implementation Act continues the global trend toward tighter governmental regulation of businesses handling and processing private and sensitive data. Its formation and posed implementation are widely considered to be one of the most dramatic changes to Canadian privacy law in recent times. This increased focus on data security is welcomed by Canadian data subjects, especially at a time when online digital activity has exploded due to the current COVID predicament and the fact that data is becoming more valuable. With the privacy and protection of personal information in the public spotlight, governments and enterprises must take action to address the many challenges that are being presented with the increased movement of personal data on an international stage.
If implemented, the aims and objectives of the act align with other data privacy regulations in the world like GDPR and CCPA. For example, if passed, companies could face fines of up to five per cent of global revenue or $25 million — whichever is greater — for the most serious offences. It is believed that Bill C-11 will therefore provide the heaviest fines amongst the G7 nations. Steeper fines only add to the incentive for companies to comply with data privacy mandates, joining other negative outcomes such as tarnished brand reputation and loss of consumer trust in the affected business.
The Consumer Privacy Protection Act
Another key action taken by the Canadian government would see the arrival of the Consumer Privacy Protection Act (CPPA) which will handle privacy issues within the private sector. The CPPA would give citizens the private right of action, which allows victims of data related incidents to claim damages against organizations that failed to meet CPPA standards. This decision as to whether an enterprise had contravened the CPPA would be undertaken by the newly formed Personal Information and Data Protection Tribunal which would act on behalf of the Privacy Commission. Also, privacy rights will be expanded and give individuals the right to more control over their data – from determining how the information is transferred to requesting that their private data be erased off systems, also known as the “right to be forgotten.”
Data security and privacy is being taken seriously in Canada and any business located or operating in Canada must follow the guidelines set out by the bill. To meet with such requirements, leveraging a data-centric security method, such as tokenization, will be more effective than perimeter-based methods. When facilitating the freedom of data movement effectively, businesses must ensure compliance with strong data privacy regulations such as this proposed act.