[BreachExchange] Canada promises big fines for companies that breach new privacy law

Destry Winant destry at riskbasedsecurity.com
Thu Nov 19 10:55:04 EST 2020


https://www.reuters.com/article/canada-digital/canada-promises-big-fines-for-companies-that-breach-new-privacy-law-idUSL1N2I31HO

OTTAWA, Nov 17 (Reuters) - Companies that fail to protect the personal
information of Canadians could be fined up to 5% of global revenue
under the terms of a proposed new privacy law, Innovation Minister
Navdeep Bains said on Tuesday.

Bains said the Digital Charter Implementation Act - designed to update
regulations that are 20 years old - was needed at a time when the
coronavirus epidemic was increasing Canadians’ reliance on digital
technology.

The draft law, which must be adopted by Parliament, says Canadians who
feel their data has been improperly gathered or shared can turn to the
country’s Privacy Commissioner and demand the information be deleted.

The commissioner can order a halt to the collection and use of an
individual’s information. Companies that do not comply could be fined
up to 5% of their global revenue for serious contraventions.

“We’re talking about potentially billions of dollars,” Bains told a
news conference.

The law also means businesses would have to be transparent about how
they use automated decision-making systems like algorithms and
artificial intelligence to make significant recommendations about
individuals.

Canada suffered two major data breaches last year. Some 15 million
customers of laboratory testing firm LifeLabs had sensitive
information exposed while unauthorized use of internal data by an
employee affected all 4.2 million members of the Desjardins Group
financial cooperative.

Canada is following in the footsteps of the European Union, which in
2018 introduced the General Data Protection Regulation to give
citizens new rights over how their data were held and promised stiff
fines for companies that did not comply.

The U.S. state of California this year introduced a new digital
privacy law, marking a significant step towards giving people the
right to request their data be deleted from e-commerce websites and
social media. (Reporting by David Ljunggren; Editing by Bernadette
Baum)

