Companies could face hefty fines under new Canadian privacy law

If the bill passes, companies would face fines of up to five per cent of revenue or $25 million — whichever is greater — for the most serious offences. Bains said the legislation provides for the heaviest fines among the G7 nations’ privacy laws.

The legislation also would give the federal privacy commissioner order-making powers — something Privacy Commissioner Daniel Therrien has long asked for — including the ability to force an organization to comply and to order a company to stop collecting data or using personal information.

Bains said the commissioner also would be able to recommend fines to a new Personal Information and Data Protection Tribunal, which would levy administrative monetary penalties and hear appeals of orders issued under the new law.

According to the wording of a government press release, the legislation also would give Canadians the option of demanding that their personal online information be “destroyed”.

Bains took questions from reporters this morning minutes after the bill was introduced. More details are expected during a technical briefing for journalists later in the day. 

The Canadian Internet Registration Authority, the not-for-profit agency that manages the .ca internet domain, praised the new bill.

WATCH | Bains explains how fines would be laid if companies contravene the new privacy legislation 

Innovation Minister Navdeep Bains tabled new privacy legislation today in the Commons. 1:25

“Trust is critical to the digital economy, and central to a well-functioning internet. Canadians must be able to trust that their personal data will be protected and not abused,” said president Byron Holland in a statement.

“Companies that handle massive troves of personal data must be held accountable for protecting that data, be transparent about how they use it, and face real consequences should they break the trust of their users.”

The bill puts into action the commitments outlined in the minister’s mandate letter — essentially his marching orders from Prime Minister Justin Trudeau — which tasked Bains with drafting a “digital charter” that would include legislation to give Canadians “appropriate compensation” when their personal data is breached.

Conservative MP James Cumming, the party’s innovation, science and industry critic, said that if the Liberals truly cared about Canadians privacy rights they’d ban the Chinese telecom giant Huawei from operating in Canada.

“While other countries have taken decisive action to stand up for the privacy of their citizens and banned Huawei, the Trudeau Liberals have failed to make a decision and stand up for the privacy of Canadians. There is no excuse for this delay by the Trudeau government,” he wrote in a statement.

“When it comes to Liberal legislation, the devil is always in the details. Conservatives will review the legislation to ensure that it protects privacy without imposing burdensome regulations on small businesses who are struggling to keep their doors open during the second wave of the pandemic.”

Canada already has two privacy laws. The Privacy Act covers government agencies and federally regulated industries, while the Personal Information Protection and Electronic Documents Act applies to private-sector organizations.

Statistics Canada said that about 57 per cent of Canadians online reported experiencing a cyber-security incident in 2018.

WATCH | Bains on Privacy Commissioner’s powers

Industry Minister Navdeep Bains explains the new powers of investigation that the Privacy Commissioner will have under the new Consumer Privacy Protection Act. 0:43