Posted yesterday at 7:00 am
Bill C-27 runs 147 pages, and its 46-word title alone is dizzying. “An Act to implement the Consumer Privacy Protection Act”, in essence, takes over the requirements of the first Bill C-11, introduced in November 2020. That bill provided for penalties of up to 25 million or 5% of revenue, whichever is higher. The new bill still contains the concept of “valid consent” with clear privacy policies, the ability to transfer one’s data from one organization to another and to have it destroyed when no longer needed, and the creation of a special tribunal.
Good to hear
But the new law goes beyond the November 2020 bill, says Chantal Bernier, who served as assistant commissioner and then acting commissioner at the Privacy Commission of Canada from 2008 to 2014. She is now Legal Counsel for Cybersecurity and Privacy at Dentons.
“I was immediately struck by the government’s willingness to reconcile competing interests, protecting personal information on the one hand, and promoting a digital economy based on this information on the other.”
She noted that, from the preamble onward, the bill states that protecting citizens’ right to privacy is “essential to their autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada.” “It gives it quasi-constitutional significance.”
The other part, she said apologetically, “may sound technical, but it’s critical”. In essence, the law distinguishes between “personalised” data, which is protected, and “anonymous” data, which is not linked to an individual but is usable.
“For companies, it makes all the difference in their ability to do research,” she said.
Finally some teeth
“The break is over.” Like Me Bernier, Eloise Gratton, a lawyer specializing in privacy protection at BLG, uses this expression to describe an important measure that is not in the headlines. Essentially, companies that process personal data are obliged to appoint a controller and develop “codes of practice” and “certification programs” to protect it. The difference is that the Privacy Commissioner now has the power to investigate, recommend and sanction.
Many small firms have not yet complied with such requirements, says Me Gratton. “I think it will motivate companies to invest in information security and protection of personal information.”
Another important aspect of the new law is its aim to prevent the “reckless” use of artificial intelligence (AI), for example by ensuring that it is not designed with discriminatory bias. The Artificial Intelligence and Data Commissioner has the power to conduct audits in companies on the subject.
“I view it very favourably,” says Me Bernier. “We already have examples, especially in the hiring of employees with biased practices. However, many aspects remain to be defined in this area, particularly in defining what constitutes prejudice and how to establish the severity of prejudice.”
Powers and Responsibilities
The fact is undeniable: these new requirements increase the administrative burden for businesses. But Me Gratton believes this is inevitable. “This is a burden commensurate with the power of organizations to manage personal information, including risks of intrusion into privacy.” Laughing, she cited Spider-Man’s motto for the occasion: “As this power increases, it increases the responsibilities.”
This federal bill, Eloise Gratton recalled, comes after three other provincial laws adopted in Alberta, British Columbia and, most notably, Quebec. “With the federal government, it’s just a continuation. […] It is already clear that there is an evolution among companies in the way privacy policies are written: we prepare them in layers, with summaries, and if the person wants more information, there is access.”