Companies that misuse Canadians’ personal data could face fines reaching tens of millions of dollars under an overhaul of the nation’s privacy law proposed last week. But privacy experts and industry groups say the blueprint could also come with a silver lining for international businesses.
The similarities between the Canadian government’s legislation and the European Union’s General Data Protection Regulation mean companies that already do business in Europe may be able to tweak existing compliance programs if and when the new legislation becomes law, they say.
“It’s quite similar to what our peers in Europe have,” Sonia Carreno, president of the Interactive Advertising Bureau of Canada, said at a virtual workshop Monday sponsored by the trade group.
Last week, Prime Minister Justin Trudeau’s government introduced the Digital Charter Implementation Act, which would establish the Consumer Privacy Protection Act. The CPPA is intended to update an existing law that has governed Canada’s private sector since 2001.
Minister of Innovation, Science, and Industry Navdeep Bains’s proposal would generally require companies to obtain consent to collect user data and allow consumers to request their information be corrected, disposed of or transferred to a different firm.
Fines for violations, such as collecting or disclosing data for purposes deemed inappropriate, could in some instances reach 25 million Canadian dollars ($19 million), or 5% of global revenues, whichever is higher. EU penalties, by comparison, similarly can reach the higher of two sums: €20 million ($24 million), or 4% of a company’s international revenue.
While the Office of the Privacy Commissioner of Canada would investigate cases and recommend penalties, a new tribunal made up of three to six members would determine final assessments. Individuals could sue companies only if authorities first found a violation, said Ignacio Cofone, a privacy law professor at McGill University in Montreal.
“This weird private right of action means that a company may face private liability besides enormous fines,” said Mr. Cofone, who advised the Office of the Privacy Commissioner as it sought input on privacy reform this year. “Then, for the widely dispersed, but small breaches that the commissioner may not investigate, there’s no enforcement.”
Nonetheless, the proposal would still allow for more aggressive enforcement than Canada’s current law, privacy experts say. The office would also be able to audit companies’ practices and publicize the findings in annual reports to Parliament.
The Canadian proposal comes at a turbulent moment for trans-Atlantic privacy law. California voters approved a new set of consumer protections just months after the state attorney general had finalized rules for its predecessor. Thousands of companies are also wrestling with a July ruling by the European Court of Justice that invalidated a key legal mechanism used to transfer data between the U.S. and the EU.
The European Commission had previously deemed Canadian privacy protections adequate for such transfers of consumer data from the bloc. But a commission spokeswoman said that status is currently under review, declining to comment further.
A spokesman for Mr. Bains said the government “is making sure that the new law aligns with other leading jurisdictions” such as the EU. He offered no comment on whether maintaining Canada’s adequacy status under GDPR was a motivating factor in introducing the legislation now.
But such a reversal appears unlikely, particularly given a 2017 trade deal struck between Canada and the bloc, said Michael Geist, a law professor at the University of Ottawa.
“That would be a big step if a country were to lose adequacy,” he said.
As the legislation moves through Parliament in the coming months, some data-heavy industries such as advertising already are beginning to sketch out possible approaches to it.
The CPPA would allow any organization to submit a “code of practice” to the government, laying out their plans for compliance. Companies or trade groups could build frameworks for entire industries, Adam Kardash, a partner at the law firm Osler, Hoskin & Harcourt LLP, said at Monday’s Interactive Advertising Bureau event.
“We’ll establish the code that works for us,” Mr. Kardash said, pointing to a similar policy the trade group crafted in Europe. “It will be a lot of work. There will be compliance costs.”
Despite multinationals grappling with GDPR in recent years, some U.S. businesses are less aware of existing Canadian privacy rules, in part because of relatively weak enforcement, said Kirsten Thompson, a Toronto-based partner at the law firm Dentons.
“Now we’ve gone that much further,” Ms. Thompson said, calling the Canadian proposal “GDPR-lite.” “So it might be a particular surprise.”
Write to David Uberti at [email protected]