Opinion

Digital privacy law is being updated for the first time in decades, and it's imperative we get it right

As work, school and shopping increasingly move online, Canadians need to ensure the federal government's new Bill C-11 is framed to give proper digital privacy protection, write Vass Bednar and Mark Surman.

Canadians need to ensure Bill C-11 is framed to give proper digital privacy protection

Canadian legislators in the House of Commons recently introduced Bill C-11 to enact the Consumer Privacy Protection Act. Bill C-11 embodies the principles of Canada's Digital Charter, which envisions the internet as a tool for both innovation and the public good. (Jenny Kane/Associated Press)

This column is an opinion by Vass Bednar and Mark Surman. Bednar is the executive director of McMaster University's Master of Public Policy in Digital Society Program, and writes the newsletter Regs to Riches about startups and public policy. Surman is executive director of the Mozilla Foundation, the global nonprofit that makes the Firefox browser and advocates for issues like online privacy. For more information about CBC's Opinion section, please see the FAQ.

Over the past year, Canadians — just like much of the world — have increasingly lived their lives online. The pandemic pushed us to use the internet in new ways: digital doctor visits, first dates and family dinners over Zoom, grocery shopping via apps.

The pandemic has not only magnified the value of the internet, but also what's wrong with it. Newsfeeds that spread misinformation. Digital ads that track and target us. Algorithms that make opaque decisions about our credit ratings or our dating lives. Smart speakers that listen to — and store — our every word. 

In short: the internet is indispensable — and imperfect.

At this fraught moment in our digital society, Canada has a major opportunity to address much of what's wrong online. Several weeks ago, Canadian legislators in the House of Commons introduced Bill C-11 to enact the Consumer Privacy Protection Act.

Bill C-11 embodies the principles of Canada's Digital Charter, which envisions the internet as a tool for both innovation and the public good. And it hints at an internet where individual Canadians, not big tech platforms, are in full control of their data. 

Of course, Bill C-11 is just that — a bill, not yet a law. It holds a great deal of promise, but it needs serious improvements if it is to live up to the vision outlined in the Digital Charter. 

Canada is at an inflection point. We can improve this law so that it truly protects and empowers Canadians, giving us control over our relationship with Big Tech, gig economy companies and retailers who constantly track us online. Or, we can pass a law that makes a show of protecting privacy, but leaves many of the worst problems with the internet — limited consumer agency, no accountability for Big Tech —  unsolved and unchecked. 

For C-11 to succeed, we need movement on three fronts.

Bill C-11 includes privacy-protection measures such as the right to opt out of having personal data collected by third parties. (Rick Bowmer/Associated Press)

First, we need to make sure the new rights the bill offers Canadians are clear and actionable.

What the bill includes so far is quite promising, things like the right to an explanation of why an artificial intelligence (AI) made a decision about me, or the right to opt out of having my data collected in the first place.

These things may sound abstract, but could have huge benefits in our everyday lives. Imagine if you could press a button to understand why Amazon or an airline is giving you a different price today than it did yesterday (an AI did that!). Or if you could join a points program at a store and understand why you received certain promotions but not others.

For instance, grocery or retail points programs often tailor rewards to match the foods and products that members of the program purchase most often, meaning that different people receive different discounts based on the data that has been collected. While this might seem more efficient, it also creates inequality as people that do not use a program's app cannot access the same modest discounts on everyday essentials available to a member. Simply having better explanations available for why someone is receiving a discount offer, similar to Facebook's "Why am I seeing this ad?" feature, could be helpful.

The rights in C-11 have the potential to drive changes like these. Yet, as we have seen with similar laws in Europe, real change is hard to come by.

Clear lines in the law and public education about digital rights will be essential if Canadians are going to use and benefit from them.

The new digital privacy protection legislation is vague about how enforcement will work. (Kite_rin/Shutterstock)

The second front crucial to the bill's success? Strong enforcement and accountability.

This is another place where Bill C-11 is at once promising and worrying. While Bill C-11 provides new order-making powers to the Privacy Commissioner and allows fines up to $25 million or 5 per cent of a firm's gross revenue, it's vague about how all of this will work.

Looking again to Europe and laws such as the General Data Protection Regulation (GDPR), we see that they only work if entities like the Privacy Commissioner are incredibly well resourced. And as a report from browser developer Brave demonstrated, European governments have not equipped their national authorities to enforce the GDPR.

Canadian lawmakers must learn from this example and lay out a plan to invest  accordingly. And they must resist the temptation to shift the enforcement burden to consumers — it is time to relieve us of reviewing the Terms and Conditions of every single app.

Unlike legislation in some other jurisdictions around the world, Canada's digital consumer privacy law lacks a mechanism for collective representation when there is an issue that affects a group of people. (Shutterstock/Dan74)

The third front where we need progress is collective rights and intermediaries — giving Canadians the option to demand more from Big Tech collectively rather than on their own.

Just like pollution, abuse of data affects individuals and the collective. When we're on Facebook or YouTube, your data is mixed with my data. In order to get better treatment from online services, we need a way to push for our rights together, not just as individuals. Otherwise, the burden on individuals to manage their digital privacy will remain absurdly high.

Imagine if your Amazon shopping history and habits lived not on Amazon, but in something like a co-op or credit union that you belonged to. You could decide how much of that data Amazon gets to see — and how much you want to hold back.

California's consumer privacy law includes a mechanism for this kind of collective representation. And, in a recent proposal by the EU Commission, Europe is considering something similar.

However, Bill C-11 completely ignores this topic, much to the detriment of Canadians. We've seen how structures like cooperatives have helped to solve power imbalances throughout Canadian history, and our legislators should take inspiration from them as we continue to re-imagine appropriate data governance. 

Canada's new online privacy legislation is encouraging, but there is much more work to be done to ensure that our digital society works for all of us. There's plenty of data out there on the best practices related to privacy and data management, and our new framework should leverage all of it.

Canada has the ability to put its people in charge of their own data. Bill C-11 is an opportunity to manifest the principles of the Digital Charter in a way that has an impact on millions of Canadians — and sets an example that ripples beyond our borders.