Canada’s federal government is planning to fine any company that violates its privacy laws, with fines running up to millions of dollars. Navdeep Bains, the Innovation Minister, has introduced the Digital Charter Implementation Act, officially titled “Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.” The new act aims to overhaul Canada’s decades-old privacy laws and bring them up to date with the modern world.
The new act has yet to be passed, but if it is, companies that commit the most serious offences could face fines of up to five per cent of their global revenue or $25 million, whichever is larger. Bains has stated that the new legislation will provide the largest fines among the G7 nations’ privacy laws.
Cybersecurity and data privacy expert Trevor Morgan, product manager at comforte AG, had the following thoughts:
“The introduction of Canada’s proposed Digital Charter Implementation Act continues the trend toward tighter governmental regulation of businesses handling and processing consumers’ private and sensitive data. Steeper fines only add to the incentive for companies to comply with data privacy mandates, joining other negative outcomes such as tarnished brand reputation and loss of trust in the offending business. The move should serve as a strong reminder to businesses located or operating in Canada that data security is paramount to doing business in the country. Each organization should rethink how they protect sensitive data throughout its entire lifecycle, including knowing where this data is within their infrastructure, the level of sensitivity, and the right way to protect sensitive information. Data-centric security measures such as tokenization and format-preserving encryption are far more effective than perimeter-based methods, facilitating data freedom of movement that businesses need in order to use that information effectively while complying with strong data privacy regulations such as this proposed act.”