Special Report

Ottawa’s big privacy overhaul offers new data rights for consumers, flexibility for companies

Innovation Minister Navdeep Bains at the cabinet retreat in Ottawa in September 2020. The Canadian Press/Sean Kilpatrick

Innovation Minister Navdeep Bains announced long-awaited changes to Canada’s consumer privacy law Tuesday, giving users new rights over the information they share with businesses and companies more flexibility to use the data they collect.

Bill C-11 caps more than two years of policy development. A new Consumer Privacy Protection Act will give consumers new rights to move their personal information between service providers and get companies to remove their data, and requires firms to be more transparent about their use of algorithms and AI. It also gives businesses more flexibility with how they use data. 

The new rules will encourage firms to “focus on meaningful compliance around consent, and that will generate responsible innovation,” Innovation Minister Navdeep Bains said in an interview with The Logic. “That’s good for Canada being a respected jurisdiction and a world leader when it comes to privacy, which will lead us to continue to generate more data-related solutions [and] seize the potential of AI.” 

Here’s what you need to know.

Talking Point

New legislation announced Tuesday would update Canada’s private-sector privacy law, giving consumers new rights to transfer their information between firms as well as to know when they’re dealing with AI, regulators the ability to issue multi-million dollar fines, and businesses more flexibility with how they use data. The changes are in line with recommendations from industry associations and regulatory trends in several provinces and the EU.

What’s in it for consumers: Users will be able to ask companies to transfer personal information one company has collected from them to other firms. Companies will also have to disclose whether and how they’re using algorithms and AI to make decisions, and give anyone affected by those calls an explanation of how their systems arrived at a particular conclusion. Firms will also have to provide plain-language information about their privacy practices, so consumers can provide “meaningful consent” to companies that collect and use their data. And users will be able to withdraw that approval and ask an organization to delete what it’s gathered. Both the EU’s General Data Protection Regulation (GDPR) and the Quebec government’s proposed updates to the provincial privacy law, introduced via Bill 64 in June, give residents similar rights to move and remove their information.  

Ottawa’s proposed approach “very clearly situates privacy law at the balance between data as a fuel for competitiveness, and the protection of individual rights over their personal information,” said Carol Piovesan, partner and co-founder at Toronto-based INQ Data Law. 

What’s in it for businesses: Companies won’t have to follow the consent rules if they’re collecting or using information for standard business activities like providing the consumer a product or service they’re buying, doing due diligence to minimize risks or trying to keep their systems secure. Organizations can also put data towards their R&D effort, provided they remove any identifying details first. The Business Council of Canada (BCC)—a lobby group representing the CEOs of some of the country’s biggest firms including RBC, BCE and Loblaw—called for such exceptions. 

Piovesan said the current Personal Information Protection and Electronic Documents Act’s (PIPEDA) consent-based regime creates challenges for both consumers and companies in the modern digital context. “It is impossible for individuals to navigate the five million pages of privacy policy and terms of use before accessing an app—that’s not meaningful consent,” she said. The legislation’s exceptions shift the responsibility onto the companies that exercise them, who must produce, document and retain an analysis showing why they need the information and qualify for the carve-out.

The federal privacy commissioner will also preemptively approve “codes of practice and certification systems” interpreting how the new laws will apply in specific sectors or to particular business models, allowing startups and small firms to follow a more detailed set of guidelines. The BCC also recommended a bigger role for voluntary, industry-developed standards and a code of conduct, including requiring the regulator and courts to consider compliance with such norms as evidence of good behaviour when they investigate breaches. 

The stick: The federal privacy commissioner will get new powers to order firms to change their privacy practices, stop collecting or using data, and to issue fines of up to $25 million or five per cent of global revenues for serious violations. The bill also sets up a new Personal Information and Data Protection Tribunal, a three- to six-member group that will hear appeals of the regulator’s decisions and sign off on monetary penalties. The federal antitrust system has a similar appellate setup. Current privacy commissioner Daniel Therrien has long called for the power to proactively investigate organizations’ privacy practices, issue binding orders and levy larger fines. The regulator’s enforcement abilities are currently limited; he’s taking Facebook to court to enforce changes to the way it shares user data with third-party apps.  Other jurisdictions have increased their privacy regulators’ punitive powers. Quebec’s Bill 64 would let the provincial Commission d’accès à l’information fine organizations up to $25 million, or four per cent of global revenues, if they break the new data rules. 

The tribunal process will be “faster than the federal court and less costly as well,” Bains said. “And so that is hugely beneficial to small- and medium-sized businesses and particularly innovative companies.” Piovesan noted that the tribunal also adds extra oversight and accountability on big decisions and fines, whereas Therrien had requested the expanded powers for his office alone.

The open (banking) question: Canadian fintechs have called for data-portability rights, so they can access consumers’ banking information to provide them with financial services. This month, Ottawa’s open banking advisory committee will resume consultations following delays over the summer which the finance department attributed to the pandemic. In January, the panel recommended giving consumers more control over their financial transaction data, and was tasked with studying information security in its second phase. On Tuesday, Bains noted that the finance department is responsible for the Bank Act, and open banking is “a separate standalone process that they will pursue.” But his legislation creates a basis for industries “including the financial sector which need to look at making sure that they provide communities with greater control around portability,” he said, adding that “will create a lot of innovative outcomes.”

“The legislation recognizes that data has value,” Andrew Graham, CEO of Toronto-based fintech firm Borrowell, said in an interview with The Logic, calling the new information-movement right “foundational for open banking.” Financial services provide “a great early test case” for the measure, showing whether Ottawa’s approach will allow “consumers to really benefit through data portability.” He cited the early adoption of Borrowell’s bill tracking and payment features, launched in December, which uses banking information to predict cash flow. The company has signed up thousands of users for the tools, but Graham said the experience “would be made much easier and better with open banking.”

Canadian Bankers Association spokesperson Mathieu Labrèche said the industry group and its members are reviewing the legislation and its potential impacts on the government’s “consultation on consumer-directed finance,” the federal advisory panel’s preferred term for open banking. “Banks in Canada will continue to place a high degree of emphasis on protecting the privacy and personal information of their customers at every turn,” he said.

What everybody else is doing: Under the GDPR, the EU has to sign off that a country’s data and privacy protections are adequate before organizations can transfer data there from anywhere in the continental group. PIPEDA  is covered, but a review is due by 2022. Several expert witnesses testifying before the House of Commons privacy committee between February 2017 and 2018 on the subject said the law needed to be amended to match up with the GDPR. In January, Bains told The Logic he wanted to ensure “interoperability” with rules in places like California and the EU, to “help our businesses to succeed in [those] jurisdictions and avoid a patchwork.”

What’s next: The new rights to move and remove data would “impose some very technical requirements,” said Daniel Michaluk, a Toronto-based partner at BLG. For example, the GDPR’s data-portability rules require that consumers be provided information in “a structured, commonly used and machine-readable format.” Ottawa will spell out its own standards via subsequent rules, which could be a lengthy process. Michaluk cited the mandatory breach-reporting requirements, which took effect in November 2018, saying they “ultimately came out through regulation in a rather mild and acceptable form, after lots of delay.” Bains said businesses will have a 12- to 18-month period before the provisions take effect to prepare for compliance.

What’s not in the legislation: Regulations specifically targeting “large digital companies,” or a new data commissioner to enforce them. Bains’s mandate letter instructed him to create both. On Tuesday, he said he’s still working on those provisions alongside Heritage Minister Steven Guilbeault—who introduced his own legislation last week to get more Canadian content funding from foreign streaming services—and Justice Minister David Lametti. The bill also doesn’t explicitly mention data trusts, third party-managed collections of information other organizations can access for R&D or public-interest projects. Innovation, Science and Economic Development Canada’s proposals for updating PIPEDA, published in May 2019, considered such models. Tuesday’s legislation “will create this opportunity for Canadian companies to come together to build these types of data trusts, including government,” Bains said. “There’s enormous potential in this area.”

The business reaction: In a statement to The Logic, BCC CEO Goldy Hyder said the legislation “sets out clear rules to protect consumers, promote innovation, and strengthen Canadians’ confidence in the emerging digital economy.” The Council of Canadian Innovators (CCI), a lobby group of scale-up CEOs, has been calling for a national data strategy for at least two years. Its members “expect government to work with technology companies to understand their compliance obligations and new standards established with this legislation,” executive director Benjamin Bergen said in a statement Tuesday, noting that “clearer rules will give Canadian businesses confidence as they plan and grow.”

The digital rights reaction: John Lawford, executive director of the Public Interest Advisory Centre, an advocacy non-profit, called the privacy commissioner’s new powers and the establishment of the tribunal “shiny new toys.” The legislation weakens privacy by removing “a consumer’s right to protect his or her personal information that is used for any ‘business activity’ if it is ‘de-identified’ or used for what the government deems is a ‘socially beneficial purpose,’” he said in a statement. Jim Balsillie, founder of the Centre for Digital Rights—a non-profit that in September 2019 filed complaints about political parties’ privacy practices—said the legislation should recognize privacy as “a fundamental human right;” Therrien has made similar calls. The bill “falls far short on its proposals to ensure responsible innovation,” said Balsillie, who’s also the chair of CCI and former co-CEO of Research in Motion (now Blackberry). In a statement to The Logic, he cited the AI provisions, which he said should specifically include rights to contest automated decisions and give the privacy commissioner the right to audit and inspect firms’ practices.

This story is developing and will be updated.