Ottawa considering 'significant and meaningful' compensation for privacy breach victims

Canadians who fall victim to privacy breaches could soon be eligible for some sort of compensation. The mandate letters for two federal cabinet ministers task them with working on a new set of online rights - and also hint at a formal ‘right to be forgotten’ law.

Innovation minister's mandate letter also hints at ability to 'erase basic personal data from a platform'

Liberal MP Navdeep Bains is one of two Trudeau cabinet ministers tasked with reforming the law on online privacy. (Justin Tang/The Canadian Press)

Canadians who fall victim to privacy breaches could soon be eligible for some sort of compensation as the Liberal government works on introducing a new set of online rights.

Mandate letters for Innovation, Science and Industry Minister Navdeep Bains and Heritage Minister Steven Guilbeault say they've been asked by Prime Minister Justin Trudeau to work on a "digital charter" that would include legislation to give Canadians "appropriate compensation" when their personal data is breached.

It's not clear when the legislation will be introduced, or what a compensation package would even look like, but Bains said it will include punitive fines for those found guilty of breaching personal data.

"It will be significant and meaningful to make it very clear that privacy is important. Compensation, of course, is one aspect of it," said Bains, adding that the government also wants "to demonstrate to businesses very clearly that there are going to be significant penalties for non-compliance with the law. That's really my primary goal."

Statistics Canada says that about 57 per cent of Canadians online reported experiencing a cyber security incident in 2018.

Ryan Berger, a privacy lawyer with Lawson Lundell in Vancouver, said legislating compensation could get private companies to start taking privacy more seriously.

"It will incentivize organizations ... to take steps to protect that information and ensure that, for instance, health information is encrypted," he said.

"So right now, there aren't the sorts of financial implications for them if they fail to do that."

Just last month, the medical services company Lifelabs reported that information related to about 15 million customers, mainly in B.C. and Ontario, may have been accessed during a massive data breach.

A few months earlier, the Desjardins Group, a Quebec-based financial institution, confirmed an employee with "ill intention" collected information on 4.2 million clients and shared it with others.

Both breaches have triggered class action lawsuits.

Two federal departments have been asked to work on a new set of online rights and a plan to compensate Canadians when their personal data is breached. (Shutterstock)

"This is becoming a real challenge for courts and businesses to manage," said Teresa Scassa, Canada Research Chair in Information Law and Policy.

"So one of the questions when I see 'with appropriate compensation' — I wonder, are they thinking of something other than class-action lawsuits? Are big companies going to be asked to have reserve funds to pay out compensation? Is there going to be a fixed chart of compensation?"

Scassa said government lawmakers also could be looking at establishing a "private right of action" which would allow Canadians to seek compensation in small claims court instead of in federal court.

Right-to-be-forgotten law coming

The NDP's ethics critic, Charlie Angus, said the government should give the power to levy fines to the privacy commissioner.

"He needs the tools," he said.

The mandate letters' instructions — nearly identical in both letters — also hint at the introduction of a so-called "right to be forgotten" or "right to erasure" law by calling for the "ability to withdraw, remove and erase basic personal data from a platform."

The European Union passed a law back in 2014 allowing citizens to ask Google to remove problematic web hits that pop up when their name is searched, after a Spanish lawyer fought to remove old material about his past debt problems.

Under the EU's law, "inadequate, irrelevant or excessive" web hits aren't deleted, but in most cases the internet giant hides them from their search results — a process known as de-listing or de-indexing.

Bains said his department is studying privacy laws in Europe and California to find a model for a possible Canadian law.

Angus said it's something the parliamentary ethics committee needs to dive into, weighing personal requests against the public's right to know.

"Just because you did something bad, doesn't mean you should get the right," he said.

However, Scassa said she's troubled by the language used in the Canadian mandate letters — especially where they limit the right to be forgotten to "basic personal data" on "platforms."

"I find it a little bit odd that they've framed the right of erasure in what I think are pretty narrow terms compared to what the emerging standard seems to be internationally," she said.

"There's a certain lack of clarity here that I think is, well, maybe deliberate, but in some ways I think maybe it's a bit of a muddled message too."

Privacy Commissioner Daniel Therrien has argued an existing law, the Personal Information Protection and Electronic Documents Act, allows for a right to de-indexing on request on web pages that contain inaccurate, incomplete or outdated information.

Legislation soon?

In October of 2018, his office filed a notice of application with the Federal Court to clarify whether Google's search engine is subject to federal privacy law. That court proceeding is ongoing.

"Given this uncertainty, we view any legislative measures which would bestow online rights equated with a right to be forgotten as a positive measure that could be taken by government," said Office of the Privacy Commissioner spokesperson Vito Pilieci.

"We are aware that the prime minister has issued mandate letters to his ministers outlining the priorities for this government. We look forward to consulting on any plans that government may have for modernizing federal privacy law."

An Angus Reid Institute survey last year found 51 per cent of Canadian adults were in favour of a right to be forgotten online, and a right to have search results changed. Only 23 per cent said erasing negative information "means erasing history and facts."

Privacy Commissioner Daniel Therrien has argued the Personal Information Protection and Electronic Documents Act already allows Canadians to ask for de-indexing on web pages that contain inaccurate, incomplete or outdated information. (Adrian Wyld/The Canadian Press)

While there's no timeline for new legislation, Bains said he hopes to start working with members across the aisle soon.

"I want to hit the ground running. This is a priority for me and our government. We want to move forward to start to see aspects of the digital charter reflected in legislation and new policies and programs as well," he said. "The goal is to work with opposition members sooner rather than later in presenting this legislation in a timely manner."

Those are conversations Angus said he's willing to have.

"We need to have real, clear rules on data," he said. "I bought a phone, not an electronic prisoners' device."

With files from the CBC's Thomas Daigle
