Privacy Law Reform and Greater Corporate Accountability Towards Protection of Personal Information
On November 17, 2020, the proposed Digital Charter Implementation Act, 2020, (the “Act”) was introduced. If passed, it will introduce massive changes to the way in which personal information is used, collected, and stored.
The proposed framework seeks to accomplish these goals by strengthening the powers of the Privacy Commissioner to impose harsher penalties for violations of privacy rights and by creating incentives for companies to comply with privacy legislation, specifically regulating the way in which personal information is collected through meaningful consent.
The new framework envisioned by the Act empowers the Privacy Commissioner with order-making powers to recommend that fines be imposed, which can account for up to 5% of global revenues (at the ultimate determination of a new administrative tribunal, the Personal Information and Data Protection Tribunal) or to request that companies delete information improperly obtained or withheld. These fines are the strongest among G7 countries for privacy laws.
The purpose of this legislation is not necessarily to impose harsher penalties, but rather, to use these mechanisms among others as a way to incentivize corporations to work with the Privacy Commissioner to develop policies that are compliant with and demonstrates a respect for privacy rights.
For individuals, the Act means that corporations collecting personal information will be required to obtain meaningful consent; in other words, individuals must have plain-language information about the proposed collection, use, and disclosure of personal information. The Act also proposes that individuals will have greater control over their personal information whether it is to withdraw consent for use of their information or it is to direct the transfer of their personal information from one organization to another. What is clear is that this new legislation aims to give individuals greater decision-making power over how their information is used, stored, collected – before and after the information has been disclosed.
If passed, corporations should review their privacy policies with a fine-toothed comb to ensure that this level of transparency and flexibility is available to individuals when relying on the use of personal information.