• Tech Law McGill

Bill C-11: A Needed Update to Canada’s Online Privacy Laws

This article was written by Mohamed Tliouant, 1L.


“92% of Canadians have expressed some level of concern with respects to their privacy and 81% of those Canadians want clear rules to protect their data.” explained Innovation Minister Navdeep Bains when introducing the new piece of legislation.[1] Indeed, mass surveillance abroad and at home, the numerous high-profile online consumer security breaches and the Cambridge Analytica scandal have raised concerns about the right to online privacy. The bill, officially titled as An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, would expend the powers of the Privacy Commissioner of Canada as well as create new obligations on the part of organizations and companies with regards to the personal data collected during their operations.


The bill would create a new tribunal by enacting the Personal Information and Data Protection Tribunal Act. The administrative tribunal would rule over the Privacy Commissioner’s recommendations regarding financial penalties and hear non-penalty-related appeals.[2] Moreover, private individuals would have a cause of action against an organization for damages if it is proven by the Commissioner that the said organization violated the act.[3] The Commissioner would be able to recommend severe financial penalties, the harshest among G7 countries.[4] Under the act, an organization that contravenes the law would be exposed to fines of up to five per cent of global revenue or $25 million, whichever is greater, for the most serious offences.[5]


"The fines are there to provide accountability," explains Bains.[6]


The Commissioner would also have the power to force an organization to comply to an order and stop collecting data on individuals, something that has been long demanded by the Commissioner.[7] Furthermore, by codifying the Ten Data Privacy Principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) into law, the Consumer Privacy Protection Act (CPPA) would require organizations to implement a “privacy management program” that lays out how the organization intends to apply the requirements of the CPPA. Notably, it will detail the measures taken by the company to ensure the protection of personal information and how it deals with complaints and inquiries. Policies and safeguards must be reasonable considering the volume and sensitivity of the data collected. The Commissioner, upon request, would have access to the program. [8]


Consent and Individual rights

Consent is a major challenge in the renewal of online data privacy. Forms to consent must be clear and comprehensible, not jargon-filed and incomprehensible.


“the consent that [Canadians] provide will be presented to them in plain simple language, not a 30-page legal document.”, argued Blair during a press conference. [9]


The CPPA would regulate how organizations may acquire valid consent. Organizations must clearly explain in plain and coherent language[10]:

  • the purposes for the collection, use, or disclosure of personal information;

  • the way in which the personal information is to be collected, used, or disclosed;

  • any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;

  • the specific type of personal information that is to be collected, used or disclosed; and

  • the names or types of third parties to which the organization may disclose personal information.

Additionally, the legislation would guarantee three new individual rights: the right to move personal data, the right to be forgotten and the right to be informed.


The right to move personal data[11]: if two organizations come under the regulation, an individual can request one organization to transfer any personal information it has on him/her to another organization as soon as possible.

The right to be forgotten[12]: if requested by an individual, an organization must dispose of personal information it has collected on the said individual.

The right to be informed[13]: upon request, users would have the right to know what information an organization has on them, how it is used and if it has been disclosed. More importantly, if a prediction, recommendation, or decision has been made about an individual by an automated system, the organization must provide an explanation when requested by the individual and demonstrate how the personal information was used.


The grim shadow of Cambridge Analytica

The scandal of Cambridge Analytica showed how the misuse of personal data can sway the political landscape. This bill is a lost opportunity to regulate the use of private data by political parties and politically invested organizations. As Bill Hearn, a lawyer for the Centre for Digital Rights, puts it: "They're missing a huge opportunity to do what most Canadians want."[14]


In a 2019 complaint to the Commissioner of Competition, the Centre for Digital Rights reported what it labels as the “large-scale misuse of big data and targeted advertising by major Canadian political parties.” Consent and privacy were of little importance during these operations. A complaint was also filed with the federal Privacy Commissioner.[15]


Personal information about voters is essential in persuading undecided and abstaining voters. The danger of unregulated targeted political advertisements as well as targeted misinformation should be taken seriously. We still don’t know how a bill to protect online privacy will apply to political organizations if it will apply at all. John Power, a spokesman for Innovation Minister Bains, explained that the government is reviewing the Privacy Act, which applies to government agencies and federally regulated companies such as banks and air carriers but didn’t comment when asked about its effectiveness.[16]

[1] The Canadian Press, “Bains explains update to Canada's digital privacy law”, (18 November 2020), online (video), Youtube <www.youtube.com> [https://youtu.be/mFaBt9_joEw]. [2] Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2nd Sess, 43rd Parl, 2020, PIDPTA cl 3—5 (first reading 17 November 2020). [3] Ibid, CCPA cl 106. [4] Catharine Tunney, “Companies could face hefty fines under new Canadian privacy law”, CBC, (17 November 2020), online: <www.cbc.ca> [https://www.cbc.ca/news/politics/privacy-bill-bains-fines-1.5804779]. [5] Supra note 2, CCPA cl 125. [6] Supra note 4. [7] Ibid. [8] Éloïse Gratton et al, “Canada’s Consumer Privacy Protection Act: Impact for businesses”, Legislative Comment on Bill C-11, online: BLG <www.blg.com> [https://www.blg.com/en/insights/2020/11/canadas-consumer-privacy-protection-act-impact-for-businesses] [9] Supra note 1. [10] Supra note 2, CCPA cl 15(3). [11] Ibid, CCPA cl 72. [12] Ibid, CCPA cl 55. [13] Ibid, CCPA cl 63. [14] Jim Bronskill, “Ensure federal privacy law applies to political parties, digital rights group says”, Canada’s Nation Observer, (November 19 2020), online: <www.nationalobserver.com> [https://www.nationalobserver.com/2020/11/19/news/federal-privacy-law-digital-rights-political-parties]. [15] Jim Bronskill, “Have federal political parties abused data?”, Canada’s Nation Observer, (January 16 2020), online: <www.nationalobserver.com> [https://www.nationalobserver.com/2020/01/16/news/have-federal-political-parties-abused-data]. [16] Supra note 14.

38 views0 comments