OTTAWA (Reuters) – Companies that fail to protect the personal information of Canadians could be fined up to 5% of global revenue under the terms of a proposed new privacy law, Innovation Minister Navdeep Bains said on Tuesday.
Bains said the Digital Charter Implementation Act – designed to update regulations that are 20 years old – was needed at a time when the coronavirus epidemic was increasing Canadians’ reliance on digital technology.
The draft law, which must be adopted by Parliament, says Canadians who feel their data has been improperly gathered or shared can turn to the country’s Privacy Commissioner and demand the information be deleted.
The commissioner can order a halt to the collection and use of an individual’s information. Companies that do not comply could be fined up to 5% of their global revenue for serious contraventions.
“We’re talking about potentially billions of dollars,” Bains told a news conference.
The law also means businesses would have to be transparent about how they use automated decision-making systems like algorithms and artificial intelligence to make significant recommendations about individuals.
Canada suffered two major data breaches last year. Some 15 million customers of laboratory testing firm LifeLabs had sensitive information exposed while unauthorized use of internal data by an employee affected all 4.2 million members of the Desjardins Group financial cooperative.
Canada is following in the footsteps of the European Union, which in 2018 introduced the General Data Protection Regulation to give citizens new rights over how their data were held and promised stiff fines for companies that did not comply.
The U.S. state of California this year introduced a new digital privacy law, marking a significant step towards giving people the right to request their data be deleted from e-commerce websites and social media.
Reporting by David Ljunggren; Editing by Bernadette Baum