Protecting Canadians’ Privacy in the Digital Era

While the Canadian Charter of Rights and Freedom does not explicitly mention the word “privacy,” the Supreme Court of Canada, along with the provincial and territorial governments, still view privacy as a human right on which other rights are contingent. However, in the last decade, states and businesses have gained unprecedented access to people’s private information and used it to track and even manipulate people’s behavior. Although Canada has federal privacy laws, they have not been updated in at least 20 years. Thus, like many other countries, Canadians and policy makers have insisted on adapting the privacy laws to fit the changing times. Specifically, the Canadian government will modernize Canada’s Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA) to better protect consumers’ privacy and their digital information. 

The Privacy Act and PIPEDA are Canada’s two major pieces of national privacy legislation. Passed in 1983, the Privacy Act protects Canadians’ personal information held by the federal government. According to the Privacy Act, the government can only collect an individual’s personal information or any recorded information about an identifiable individual if it directly relates to the performance of a government program/activity. Moreover, the government must make all possible attempts to guarantee that the personal information it uses is accurate, updated, and complete. Furthermore, when the government uses a person’s information, it must be for the purpose they collected it for unless the person gives their consent. On the other hand, PIPEDA, passed in 2000, focuses on how businesses handle people’s information. Similar to the Privacy Act, PIPEDA ensures an individual’s personal information is accurate and used for the purpose consented for. In addition, it forces companies to protect the information they collect and only keep it until its agreed purpose is fulfilled. 

However, PIPEDA heavily relies on the idea that companies will act in good faith while using one’s personal information. Not only do large social media companies such as Facebook and Instagram have unparalleled access to people’s personal information, but they have also been reported on numerous occasions for personal data abuse and misuse. Perhaps even more troubling, about ⅓ of global citizens don’t understand how governments or businesses utilize their personal information. Hence, many citizens distrust institutions to use their information correctly or ethically. Even though laws entitle people to know what their information is being used for, the purpose is often hidden in length terms and conditions--leading people to frequently have no idea what they consented to.

Canadians aren’t the only ones raising concerns over the lack of privacy in the digital age: multiple other countries are implementing new legislation to adapt to the changing times. The European Union introduced the General Data Protection Regulation (GDPR) in 2018--one of the strongest data protection policies to date. The GDPR gives consumers the right to have their data be erased from a company’s system as well as the right to be free from profiling and other automated decision-making. The GDPR can protect EU residents even if the processing takes place outside the EU, since it’s applicable to any company collecting or using citizens’ personal data. If companies do not comply, they will be forced to pay “up to 4% of annual global turnover of the preceding financial year or €20 Million, whichever is greater”. Due to the GDPR, tech giants are forced to be more transparent and regulated with the way they use EU residents’ data and personal information.

Canada aims to increase the transparency and regulation of personal data use by the government and businesses alike. First, Ottawa wants to modernize the Privacy Act by redefining the right to privacy in its broadest sense. The added amendments would clarify that privacy itself is a human right that can be protected by the Supreme Court and would make the Act easier to enforce--increasing its weight Complementary to the Supreme Court. In addition, the Privacy Commissioner of Canada would take on a proactive and informative role with more expansive tools to oversee compliance. In line with the Privacy Act, PIPEDA would also be bolstered by the Digital Charter Information Act (DCIA) and the Consumer Privacy Protection Act (CPPA). The DCIA would apply modernized consent rules, allowing citizens to read a consent form in plain language and make informed decisions regarding the personal information they want to share. Moreover, like the GDPR, individuals would now be allowed to withdraw consent and request that their personal information be disposed of. Combined with the CPPA, businesses would be forced to be more transparent about how they use algorithms to make significant predictions and recommendations about individuals.

While the DCIA and CPPA were introduced in 2020, Canada aims to fully carry out both of these policies and the modernized Privacy Act in late 2021. After these new privacy acts are applied, Canadians should have a better understanding of what they consent to online, who has their information, and what is done with that information. Although some have voiced fears that the DCIA and CPPA may inhibit innovation, Canadian government officials insist that simplifying consent will help, not hurt companies. By implementing the DCIA and CPPA and modernizing the Privacy Act, Canada hopes to be in line with the European Union and other countries to have better privacy for all of their citizens, no matter where they are.