Five months ago, the federal government introduced its attempt to reform digital privacy in Canada through Bill C-11. The Bill gives greater enforcement powers to the Office of the Privacy Commissioner of Canada (the office in charge of protecting your personal privacy), and introduces hefty fines to companies that breach its guidelines about the collection, use, and disclosure of personal information. Despite this, Bill C-11 is in limbo. Privacy groups argue that this is a huge moment for privacy in Canada that we can only get right if we make some changes to the proposed bill, but there hasn’t been much movement. We sat down with Bryan Short, a campaigner at Canadian advocacy group OpenMedia to talk about Bill C-11’s potential, its drawbacks, and why Canadians should care about this.

TunnelBear: What are the goals of Bill C-11?

Bryan Short: That depends on who you ask! For the federal government, they’re looking to update some laws that everyone agrees have grown out of date. It’s been more than two decades since the old laws were put into place, and a lot has changed since then.

Back then, the Internet was in its infancy, no one could have predicted the internet’s centrality to all our lives. As such, the old laws didn’t have teeth. They left the Privacy Commissioner without much enforcement power. Despite countless examples of the real world harms that were being caused by privacy violations, companies that broke the law were not subject to any fines or penalties. In that way, there was very little to encourage compliance and help safeguard the personal information of Canadians.

A few years ago, the European Union introduced the GDPR and that was a game changer globally. Those laws make privacy a human right and introduce stiff penalties for organizations that violate them. As well, those laws require that other countries, like Canada, offer similar privacy protections. This “encouraged” the Canadian government to update its laws, too.

Unfortunately, Bill C-11 doesn’t make privacy a human right, but it does introduce stiff penalties for breaching privacy laws— although, as I’ll come to explain, those are far from perfect.

You've critiqued the way that "implied consent" and "business exemptions" are written in the proposed Bill, can you explain why these issues matter?

Yes! Strong privacy laws need to get the issue of consent right. Our belief is, in order for an organization to use your personal information, they should first be required to ask for your permission.

In drafting this bill, the federal government consulted with business groups. And as it turns out, business groups want less rules about how they get permission to use our personal information.

Businesses can extract a lot of money from using our personal information. The more they know about us, the more they can use this information to make predictions about our behaviour and even influence our actions.

Right now, because of the age of the old laws, a lot is left up to interpretation. You have to remember that more than twenty years ago it was hard to imagine how important the internet would become — especially during a pandemic, where people are ordering more things online and using the Internet for work and school.

So these businesses have lobbied for new exceptions to consent in Bill C-11 that allow them to take our sensitive personal information and use it to extract profit. These exceptions will provide a secure legal platform for the further growth of the third-party data broker economy, which is a shadowy network of companies that buy, sell, and trade our personal information.

Updating these laws is extremely important, but we need to do it the right way

What good privacy laws do — like the ones introduced in the EU — is give people greater control over their own personal information, which makes it more difficult for businesses to exploit it for profit.

Can you give me an example of how a privacy breach might be handled if the changes you're suggesting to Bill C-11 are not implemented?

We’ve looked at Bill C-11 and noticed that the fines it would introduce don’t apply to a considerable amount of very high profile privacy violations that have occurred in Canada over the last few years. (And we wrote a blog about it!)

These violations are all about companies that have taken our personal information without permission and used it in ways that turned out to be very harmful. For example, companies that targeted political campaigns with information they had stolen, companies that secretly installed hidden cameras in malls, companies that gave personal information to another company that then leaked it, and companies that stole pictures from social media websites and sold them to law enforcement around the world.

We looked at each of these cases — where Canadian officials had determined that the companies had broken our privacy laws — and were shocked to learn that no fines would be available under Bill C-11.

We came to the conclusion that even the highest fines in the world are completely meaningless if they’re almost never going to be applied.

Despite its flaws, do you worry about the lack of movement on this Bill? Is there potential Canada might miss this opportunity?

We’re very concerned about the lack of motion on Bill C-11. As of writing, it has been discussed only once in Parliament and that was months ago.

Updating these laws is extremely important, but we need to do it the right way. That requires conversation and action — two things that we’re not seeing.

Given that data minimization is one way VPN protects their users, how does Bill C-11 affect users of VPNs?

People who use VPNs already have privacy protections at the top of their minds. All of us at OpenMedia use TunnelBear to protect our data when we’re working online. They’re a great choice for anyone working from home or who is otherwise concerned with internet security and privacy. And they help to protect from the third-party data collection I talked about above.

VPNs are an important step that an individual can take to protect themselves, whereas updated privacy laws are a step that the government can take to protect all Canadians. But, like I keep saying, these updates need to be done the right way or else they might make privacy worse in Canada.

Is the Canadian government headed in the right direction with Bill C-11? Where do you hope we go from here?

In spirit, I think that the Canadian government is heading in the right direction. But they need to act fast and make a few essential changes to the legislation in order to make sure that it actually does what they want it to do.

The finable offences need to be expanded to include basic consent violations and this should include political parties and non-profits (like OpenMedia!) in its scope. Politicians may not want their own parties covered by privacy laws, but that’s an essential part of privacy protections and will help to strengthen our democracy.

I hope that the federal government will soon introduce Bill C-11 to a committee and begin inviting comments and submissions. Many experts from across Canada agree with the recommendations we’re making and will bring these concerns forward — as we will, too.

From there, I hope that Bill C-11 is amended with these changes and it moves swiftly to becoming the new law in Canada that will help protect privacy for generations to come.

Sincerely rawrs,
the TunnelBear Team

TunnelBear is a very simple virtual private network (VPN) that allows users to browse the web privately and securely. It secures browsing from hackers, ISPs, and anyone that is monitoring the network. TunnelBear believes you should have access to an open and uncensored internet, wherever you are.