The digital economy has changed the way we live and the way organizations carry on business. It has also raised unique privacy challenges that were not imaginable when Canada's private-sector privacy laws were originally drafted. Organizations are increasingly collecting and compiling considerable amounts of personal information, including sensitive personal information, and using it for a wide range of purposes, including data analytics and artificial intelligence (AI), to better serve their customers.
Legislators across Canada and the rest of the world are attempting to modernize legislation to keep up with these advances. The European Union bolstered its privacy laws in 2018, enacting the General Data Protection Regulation (GDPR). Legislatures in other jurisdictions followed, including in California, Japan, Korea and Brazil. In Canada, the federal government and several provincial governments have signalled their intention to modernize their privacy legislation.
- In May 2019, the federal government recommended revisions to Canada's federal private-sector privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), as part of Canada's Digital Charter.
- In August 2020, the Ontario government launched a consultation on privacy law reform, with a view to implementing a provincial act regulating privacy in the private sector (and possibly other sectors like non-profits and charities). Currently Ontario only has privacy laws that regulate the public and health sectors, though private-sector organizations in Ontario remain subject to PIPEDA.
- In June 2020, the Quebec National Assembly tabled a bill (Bill 64) to modernize its privacy legislation. If Bill 64 is enacted as currently drafted, it would create a private-sector privacy statute in that province that is substantially similar to the GDPR. The Quebec National Assembly had also tabled, in December 2019, another bill (Bill 53) to enact legislation specifically aimed at governing the commercial and management practices of credit assessment agents. Bill 53 was enacted on October 28, 2020, and will come into force on February 1, 2021.
- In February 2020, the B.C. government began its statutory review of the Personal Information Protection Act (B.C. PIPA). In connection with that review, the Information and Privacy Commissioner for British Columbia (B.C. IPC), along with other stakeholders, has put forth recommendations for reform of that statute.
Although each government's proposal is unique, there are some common themes:
1. Mandatory Breach Reporting
While mandatory breach reporting in the private sector is in place in Canada at the federal level and in Alberta, it is not currently required under the private-sector privacy statutes in B.C. or Quebec. The proposed privacy law reforms in B.C. and Quebec would see mandatory breach reporting in those provinces, similar to what is in place federally and in Alberta. Breach reports allow governments to keep track of breach trends and cyber threats. Mandatory breach reporting is also often thought to incentivize organizations to invest in technology that protects data collected.
2. Enforcement Powers
Privacy commissioners in Canada do not have strong enforcement powers. In Europe, fines for non-compliance with the GDPR are potentially significant, up to €20-million or four per cent of a company's total global turnover. Canada's privacy commissioners are all pushing for stronger enforcement powers, including the ability to directly levy administrative monetary penalties, issue binding orders, and initiate investigations. If Quebec's Bill 64 is enacted in its current form, it would include potential penalties in amounts like those provided for under the GDPR.
3. Third-Party Service Providers
Organizations are increasingly outsourcing data processing activities to third-party service providers, including to those outside of Canada. While some Canadian privacy statutes make it clear that the transferring organization remains responsible for the transferred personal information, they are not very clear on what the transferring organization must do to ensure that the data is appropriately handled and safeguarded. Quebec's Bill 64 would require organizations to enter into written services agreements with service providers, citing specific measures that the third-party provider must take to protect personal information. If the service provider is located outside of Quebec, a privacy assessment must be carried out and specific contractual protections must be in place. The B.C. IPC would like to see the B.C. PIPA amended to impose similar obligations, though less prescriptive than what is proposed under Quebec's Bill 64 and with no suggestion that cross-border data transfers will be specifically regulated. It is likely that similar changes will be made to PIPEDA and included in any new privacy statute in Ontario.
Canada's privacy commissioners have made it clear that relying on long, legalistic and open-ended privacy notices is not an effective way to obtain "meaningful consent" under Canadian privacy laws. However, as this practice continues, Canadian governments are looking at ways to ensure that meaningful consent and transparency are obtained.
Quebec's Bill 64 would require organizations to use clear and plain language when describing the purposes for collection, use and disclosure. Further, the privacy consent notice would need to be separate from other legal terms, and privacy default settings would need to be set to offer the greatest level of protection. Opt-in consent for secondary processing of personal information, such as marketing, would be required. Similar proposals are being considered in B.C., Ontario and at the federal level.
5. Individual Control
Privacy commissioners in Ontario, Quebec, B.C., and at the federal level are pushing for amendments that would give individuals more control over their personal information. GDPR offers several examples of these rights, including the right to object to automated decision making; request that an organization delete personal information (the right to erasure or the right to be forgotten); and request data in a readable, transferable form (right of data portability).
Quebec's Bill 64 would see similar rights granted to individuals as the GDPR. While the B.C. IPC supports a right of data portability, and a right to be notified of, and be provided with information relating to, automated decision-making processes, the B.C. IPC has not gone so far as to support a right of erasure as, in the B.C. IPC's view, such a right would be difficult to apply in practice.
© 2020 Blake, Cassels & Graydon LLP.