A Brief Look at Canada’s Digital Rights Landscape
Recently, as a Daughters of the Vote delegate for the 2021 program, I had the opportunity to speak briefly about Canada’s need to develop and implement a Digital Rights Agenda, starting with Bill C-11, the Digital Charter Implementation Act. In this article, I would like to explore more about digital rights, the situation in Canada, the status of Bill C-11, and how this affects Canadians.
Digital rights refer to a broad rights concept that includes the right to internet access, freedom of expression, privacy, and association online, as well as the right to access, use, create, and publish digital media. Some consider digital rights to be an online extension of the Universal Declaration of Human Rights. Aspects of digital rights include:
- safeguarding privacy and protection in the collection and usage of data
- upholding strong encryption
- maintaining balance between security and surveillance
- censorship and combating the spread of misinformation
- identifying bias and discriminatory algorithms
- ensuring access to affordable and reliable Internet
- upholding fairness and transparency in the use of data
- establishing digital literacy among the populace
In recent years, the issues arising from digital rights abuses have become more pressing. Technological advances increase exponentially, but updates in regulation rarely catch up to the fast pace of technological progress. This allows these technologies to create and expand inequalities in society that continue to harm minorities and vulnerable communities. For example, the use of algorithmic decision systems to triage immigration and refugee claims by the Immigration, Refugees and Citizenship Canada can cause unfairness due to a lack of clear due process. Canada’s national security apparatus has recently been given extended powers to collect people’s personal information in bulk. Without strong encryption and protection of data, there may be malicious hacking or widespread data breaches, such as the recent Facebook breach where millions of people’s personal data, including email addresses and telephones, were stolen and published on a hacker’s forum. Another issue is the spread of misinformation, which we have seen throughout various events such as the US elections and current COVID-19 pandemic. Digital authoritarianism, which includes enforcing censorship, creating disinformation, and inciting hate using social media, is on the rise in shaky democracies and autocratic countries. All of these issues undermine people’s rights and endanger the foundations of democracy, which is why there is an increasingly urgent need to develop and implement a digital rights agenda.
Canada’s first Digital Charter was released in May 2019, setting out ten principles to guide the country’s future development in the digital sphere. Following this, Bill C-11, the Digital Charter Implementation Act (DCIA), was tabled by the Canadian federal government in November 2020. This bill introduced two new acts, the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, which will create a new tribunal with fining powers for privacy violations.
Currently in Canada, there are two federal laws that govern privacy matters: the Privacy Act for the federal public sector, and the Personal Information and Protection of Electronic Documents Act (PIPEDA) for the private sector. These two legislations help set the national standard for privacy. Provincial rules may apply instead if they are “deemed substantially similar to the PIPEDA”, which British Columbia and Quebec have done. This means that if a business is operating solely in BC or Quebec, then they will need to adhere to that province’s privacy legislation.
The CPPA will replace part one of the PIPEDA and its part two will be turned into stand-alone legislation, the Electronic Documents Act. The Office of the Privacy Commissioner of Canada will also be given more power, such as to issue orders to organizations and to recommend financial penalties. These are some of the following changes that have been proposed under the CPPA:
- increased algorithmic transparency requirements that apply to automated decision-making systems
- requirement for organizations to provide clear and plain language about the use of their personal information and to disclose collected information in a timely manner
- the right to withdraw prior consent and request disposal of collected personal information
- the right to data portability
- requirement for companies to maintain a clear and well-documented privacy management program
- the ability for organizations to develop a code of practice or certification program to complement or enhance compliance to data protection regulations
- the right of action for individuals
- de-identified information to fall under the jurisdiction of the CPPA
Businesses and organizations would undoubtedly have to spend costs to set up data protection infrastructure to comply with the new legislation. However, these costs may be unavoidable as other countries, such as the EU, strengthen their own data protection rules and ask the same of their trading partners. To stay competitive in an increasingly global world, Canadian businesses and organizations should be proactive in keeping up with international trends.
Many analyses have pointed out that Bill C-11 is the result of the Canadian government’s ambitions to align closer with the European Union’s General Data Protection Regulation (GDPR), which is now considered a global standard for data protection. The CPPA moves away from the PIPEDA’s best practices and instead sets up a list of required obligations. But, similar to the PIPEDA, there still exists certain exemptions that waive consent requirements, such as for research purposes or if it is reasonable to assume that information would be collected. It would be up to the Privacy Commissioner and the proposed new Tribunal to make fair determinations on qualifying the exemptions. Some commentators are still worried that the new regulations introduced by the DCIA are not strong enough to pass the adequacy assessment under the GDPR.
Since government institutes do not fall under the ambit of the CPPA, as they are governed separately under the Privacy Act, the concerns with increased government surveillance would still be unmitigated under the DCIA. Care must be taken to ensure commercial vendors who provide data to government institutes would not be exempt under the exceptions provided for in the CPPA.
In 2020, it was reported that the three major federal political parties were being investigated by the Competition Bureau of Canada for their unregulated harvesting and use of Canadians’ personal information. At present, federal political parties are considered exempt from the Privacy Act and PIPEDA, and would continue to be under the proposed CPPA. This is a disappointing and legitimate criticism of the inadequacy of the Bill given the reports.
However, the Competition Bureau also announced that they intend to invest in new tools for enforcement and training suited for the digital age in order to promote competition in Canada’s digital economy. It would be interesting to see the increased role of the Competition Bureau and the nexus with this proposed legislation.
At the time of writing, Bill C-11 is undergoing the progress of second reading in parliament. It is anticipated that there may be additional changes to the proposed bill. Whilst the Digital Charter Implementation Act is a first step to implementing the Digital Charter, it should not be the only step. There are still multiple issues that Canada needs to address in order to strengthen its digital rights landscape. For example, affordable and reliable access to the internet is still not a guarantee for people especially living in rural Canada. Other issues include targeting platform accountability on hateful and extremist content, preventing bias in algorithmic decisions, protection from extreme surveillance from the government (e.g. digital strip searches), and increasing data security to prevent hacking or data breaches.
These issues are being tackled globally as well, with many experts inside and outside of Canada collaborating on them. Canada can contribute to setting the global standard, but it requires the political will of the Canadian government. Canada has taken the first step in modernizing its privacy regulatory regime, but there is still more work to be done in fortifying the digital rights landscape so that this country can uphold its human rights obligations as well as stay competitive internationally.
