Companies could face hefty fines under new Canadian privacy law

The federal government is promising to levy potentially millions of dollars of fines against private companies that violate Canadians’ privacy.

Innovation Minister Navdeep Bains introduced the Digital Charter Implementation Act today, one of the largest shakeups to Canada’s private sector laws in decades. 

If the bill passes, companies would face fines of up to five per cent of revenue or $25 million, whichever is greater, for the most serious offences. Bains called it the strongest fines among G7 nations’ privacy laws.

It would also give the federal privacy commissioner order-making powers, something Privacy Commissioner Daniel Therrien has long asked for, including the ability to force an organization to comply and the ability to order a company to stop collecting data or using personal information.

The legislation also pledges to ensure that Canadians have the ability to demand that their information be destroyed.

Minister Bains took questions from reporters Tuesday morning, just minutes after the bill was introduced. More details are expected during a technical briefing for reporters later in the day. 

The bill puts into action the commitments outlined in the minister’s mandate letter, essentially his marching orders from Prime Minister Justin Trudeau, which tasked him with drafting a “digital charter” that would include legislation to give Canadians “appropriate compensation” when their personal data is breached.

Innovation, Science and Industry Minister Navdeep Bains says the proposed fine legislation would be the toughest in the G7. (Adrian Wyld/The Canadian Press)

Canada already has two privacy laws on the books: the Privacy Act covers government agencies and federally regulated industries, while the Personal Information Protection and Electronic Documents Act applies to private-sector organizations.

Statistics Canada said that about 57 per cent of Canadians online reported experiencing a cyber-security incident in 2018.