A bill that has received broad party support for years is still moving forward at a snails pace. It’s only advanced by a single stage.
Over the last several years, there have been a multitude of privacy related scandals. Numerous data breaches, Cambridge Analytica, and various other privacy related scandals has really punctuated the idea that laws needed to be re-shaped to better respond to when an incident has occurred and how best to deal with such an occurrence.
At least in Europe, progress had been made. In 2018, the General Data Protection Regulation (or GDPR), had come into force. While reaction to this law was divided at the time, it ultimately became known for setting a gold standard for how privacy laws should be enforced. Whether that is through mandated disclosure of when a breach had occurred, slapping companies with proportionate fines when they were found to be negligent, or setting the standard for which personal information can be transmitted or stored, the GDPR, in many ways, set a standard for other countries to follow.
Now, this isn’t to say that the GDPR is perfect by any means. One of the sore spots within the system created thanks to the GDPR is the idea that different DPCs (Data Protection Commissions) might enforce the law in different manners. Some might prosecute large companies to the fullest extent of the law while others might be more inclined to treat large companies with kid gloves and only lay the minimal fines allowable. The Irish DPC, at leas in years past, has taken considerable flack for just this sort of thing.
Still, despite the flaws within the GDPR, it is still miles ahead of where Canada is. In Canada, where some politicians and academics mistakenly believe is at the forefront of the protection of personal information, the system is much more reliant on a sort of honour system. At the federal level, Canada has PIPEDA (Personal Information Protection and Electronic Documents Act). This came into force in the year 2000 where the concern was that a filing cabinet might be accessed improperly, rather than several million records could be stolen.
Indeed, this is a 23 year old law and the thinking behind it is just as dated as it sounds. On the one hand, while it is great that Canada has privacy commissioners at the federal and provincial level, the powers of said privacy commissioners is very limited.
When a company breaks privacy laws, the legal ramifications is that one or multiple privacy commissioners would send a strongly worded letter. No, that is not an exaggeration. The commissioners don’t have the power to fine anyone or send anyone to prison by any stretch of the imagination. A company could be on the receiving end of a strongly worded letter in a bid to publicly shame them. To paraphrase the late Robin Williams, it’s a system of “stop, or I’ll say stop again.”
While some companies might be embarrassed enough to apologize for their actions and might even go far enough to actually enact changes, not every company out there really cares about public perception of how they handle people’s personal information. In situations like that, another strongly worded letter or two much ensue and the matter just disappears because the Commissioner or Commissioners have used every tool in the tool chest at that point.
When it comes to monetary damages, the victims of the breach have to use their own money, time, and other resources to take said company to court. If the victims don’t do so, then the company in question has basically no repercussions beyond a public official wagging their finger at them.
In 2019, the problems of this same system came to ahead when the Cambridge Analytica scandal took place. Various privacy commissioners investigated Facebook to determine if the personal information of Canadian’s had been misused. The results was that, yes, Facebook misused people’s personal information.
So, they did what they always did and sent Facebook a strongly worded letter. In response, Facebook basically disagreed with the findings and left it at that. The Commissioners were, understandably, not pleased with this and sent another strongly worded letter to Facebook. Facebook’s response amounted to, “Yeah, we broke your laws, you got a problem with that?”
This led to the extreme case where the commissioners, after exhausting their legal tools on hand, stepped out of their roles as Commissioners and sued Facebook as private citizens.
If there was one thing that was made abundantly clear about the case, Canadian laws needed changing and they needed changing badly. The system has clearly failed and will continue to fail until critical changes are made in the system.
During the 2019 election, it seemed as though that Canadians were destined to get what was so painfully obviously needed: privacy reform. Political parties, and their supporters, of all stripes unanimously agreed that privacy reform was needed. There was no one questioning the merits of such a law and Canadians seemingly agreed that better protections are what is needed. So, you would think that such reforms would be a slam dunk to pass. The problem was, the government dragged their feet on such reforms and it ultimately died on the orderpaper.
When the 2021 election rolled around, Canadians across the political spectrum all agreed that privacy reform was needed. Once again, political parties of all stripes all agreed that privacy reform was needed. Once again, no one was really opposed to the idea that something needed to change. To add further fuel to the need of privacy reform, the infamous Newfoundland hack also further cemented the need to such reforms.
History, sadly, continues to repeat itself. The Canadian government, once again, dragged its feet on even tabling the legislation. After significant questions were directed at the government, Industry Minister, François-Philippe Champagne, faked enthusiasm for such reform by claiming that it was his “top priority“. This was followed up by, you guessed it, more foot dragging.
In June of 2022, the Minister finally got around to tabling privacy reform as Bill C-27. The bill itself was largely unchanged save for a few grammatical adjustments that legally meant little. For experts, the question was, at the time, what the heck was the Minister doing all of this time? After all, some had speculated that the reason for such a long period of time for the delay was that there might have been a fundamental difference between the previous reform bill and the current one. That never turned up, though.
If you can guess by now, what ensued was much more foot dragging. This despite the petition from Open Media demanding that the legislation be moved forward. 2022 would see little to no progress on the legislation.
In February of this year, I had written an article, joking that the Minister had misplaced the legislation. A month later, the government, once again, said that they are, totally, this time for reals, no joking, moving forward with privacy reform. This was followed up by the legislation moving one measly step forward. It signified that the legislation’s trajectory had gone from a complete dead stop to a snails pace.
To make matters even more infuriating, the Canadian government did table a privacy reform law and put it into the budget bill. The reform that was passed essentially ensured that political parties can do pretty much whatever they want with people’s personal information for political purposes when it comes to elections. It signalled to Canadians that the government will always look after the people that really matters to them: themselves. As for everyone else, those dirty serfs can make do with less.
So, now that we are at the end of another year, the question is, has privacy reform really moved much further these days? The answer, ultimately, not by much. If you look at the Bill C-27 page on the Canadian parliament website, you’ll notice that it has only advanced to the committee study at the House of Commons. It still hasn’t even reached the Canadian senate at this point.
Now, looking at how long it has taken to reach each individual step, and assuming that it will be sent to committee for study at the Canadian senate, how long will it take to become law at this rate? We figure that it might become law sometime in the year of 2030. Given that the next election is to take place no later than the year 2025, that means that, chances are, history will repeat itself, yet again, and this bill will die on the orderpaper and we’ll be heading into a third election asking why the government hasn’t gotten off of it’s lazy butt and got serious with privacy reform.
The sad reality in all of this is that a lot of people are going to end up getting the raw end of the deal. If a business loses their personal information, the only form of recourse is hoping that a private law firm files a lawsuit. Otherwise, they are on their own. That means that they could easily be open to various forms of fraud and abuse and there’s nothing really helping them. This is a tragedy that Canadians will continue to pay the price as the Canadian government thinks they are better off navel gazing their way through this debate. It’s a very tragic state of affairs to say the least.