Happy new year to all! We are entering 2022 with many rumblings of privacy law reform in Canada. This article will provide a review of where we are and what we can expect this year with respect to private sector privacy laws.
Federal Privacy Law Reform
Re-introduction of an updated version of Bill C-11, the government’s proposed Digital Charter Implementation Act, 2020, is expected in the very near future. Before it died on the order paper when the federal government called an early election, the Consumer Privacy Protection Act (CPPA) was clearly an attempt to modernize PIPEDA by replacing it with a law that would maintain Canada’s adequacy status, which allows the free flow of European resident data to Canada for processing. Canada’s adequacy status is reviewed every four years by the European Commission, with the next scheduled review to occur later this year against the standard of the EU General Data Protection Regulation (GDPR), which is stricter than its predecessor, the EU Data Protection Directive of 1995.
The federal government’s objective of supporting innovation (which generally requires significant personal data sets) but at the same time enhancing individuals’ control over their information resulted in expanded exceptions to the consent requirement in Bill C-11. This included new allowed uses of de-identified data for “socially beneficial activities” and for “business activities” where an organization does not have a direct relationship with an individual and where obtaining their consent would be impractical. This could water down privacy and inadvertently allow extensive profiling, without a requirement to proactively notify individuals and provide a right to object, as is seen in the GDPR for automated processing of individuals’ personal data.
Commentaries regarding the Bill either supported it overall or voiced some strong criticisms. Most significantly, in its May 2021 Submission to the Parliamentary ETHI Committee, the Office of the Privacy Commissioner (OPC) delivered a severe critique with over 60 recommendations, arguing that the Bill in its form at the time would represent a step back overall for privacy protection in Canada. In the OPC’s view, the increased flexibility for organizations to use data without consent would not come with additional accountability.
The Minister of Innovation, Science and Industry, Minister Champagne, reiterated the government’s commitment to introduce an updated version of the CPPA this year, perhaps as early as the first quarter, indicating that feedback from commentators is being considered and potentially will be reflected in a revised Bill. Thereafter, Canada’s Prime Minister released his ministerial mandate letters on December 16, 2021, outlining the government’s priorities and providing direction to each member of Cabinet. Minister Champagne received strict marching orders: “Introduce legislation to advance the Digital Charter, strengthen privacy protections for consumers and provide a clear set of rules that ensure fair competition in the online marketplace”.
Quebec’s Bill 64
Bill 64, updating Quebec’s private sector privacy law, An Act Respecting the Protection of Personal Information in the Private Sector, was passed on September 21st, 2021. Provisions in the Bill, inspired by the EU’s stringent GDPR framework, will come into force using a phased approach, with most of the changes in effect in the Fall of 2023. This year, organizations with Quebec operations certainly need to work towards compliance. In addition to new rights for Quebecers and requirements for clear and informed consent, obligations include:
- Organizations will have to establish and implement a privacy framework comprising policies and practices to demonstrate compliance and the protection of personal information;
- Organizations will be required to conduct a privacy impact assessment of each project of acquisition, development, and redesign of an information system or electronic service delivery involving personal information, and to implement privacy by design measures; and
- Cross-border communication of personal information will need to be preceded by an informal assessment of privacy protection, taking into consideration a number of factors, namely: (i) the sensitivity of the information; (ii) the purposes for which it is to be used; (iii) the protection measures (including contractual) that would apply to it; and (iv) the legal framework applicable in the jurisdiction to which the information would be communicated, including the data protection principles applicable in the jurisdiction. This requirement would apply to the processing of personal information outside of Québec, including storage and hosting of data.
Significant monetary penalties and enforcement measures in the reformed Quebec law will include penal offences of $25 million or 4% of worldwide turnover; administrative monetary penalties of $10 million or 2% of worldwide turnover; and private rights of action that could result in class action lawsuits with significant damage awards.
B.C. and Alberta PIPA
The B.C. legislature appointed a Special Committee in February 2020 to review the B.C. Personal Information Protection Act (PIPA), B.C.’s private sector privacy law. Following an extensive public consultation, the Committee issued its Report, Modernizing British Columbia’s Private Sector Privacy Law, on December 6, 2021. The report recommended supporting privacy as a basic right, better addressing new technologies, strengthening the Commissioner’s enforcement powers, including administrative monetary penalties sufficient to deter non-compliance, as well as mandatory breach notification and reporting. The Committee addressed special protections for sensitive categories of information, including information relating to children and youth, biometrics, political views, religion and sexual orientation; and recommended that PIPA be amended to require stricter data handling practices and express consent for such sensitive data. We should see the government respond to the Committee’s report this year.
Meanwhile in Alberta, in response to a November 2020 letter from the Alberta Information and Privacy Commissioner proposing changes to update Alberta’s Personal Information Protection Act (PIPA), Service Alberta undertook a consultation on the law. Commissioner Clayton advanced her view that the Alberta PIPA needs updating to adapt to new technologies and consumer expectations regarding their privacy rights, particularly in light of other reform initiatives across the country and the high standard set by the GDPR. No report on the Alberta consultation has been released as of yet, but this can also be expected in 2022.
Ontario – Is a Private Sector Privacy Law Waiting in the Wings?
Lastly, in Ontario’s case, with no existing private sector privacy law in place, the adoption of an entirely new stand-alone law was under discussion last year as outlined in the government’s white paper, Modernizing Privacy in Ontario, published in June 2021.
Ontario’s proposed law would clearly define de-identified and anonymized data, update consent rules to assist innovators and respond to the modern data economy, introduce safeguards for automated processing, provide protections for children and, overall, frame privacy as a fundamental right. There is also an intention to extend privacy protection to private sector employees, currently not covered by any privacy law, and ensure privacy rules also apply to the not-for-profit and charitable sectors.
Given Ontario has called an election for October 2022, the window for introducing a private sector privacy law in Ontario prior to the election has likely closed. Also, given that the Ontario white paper substantially references Bill C-11 with plans to improve upon this now defunct federal bill, Ontario will likely wait until the federal government introduces a new version of PIPEDA’s replacement before reconsidering its position.
We are certainly in a state of flux with respect to private sector privacy laws in Canada, and it is important for privacy and compliance officers to keep on top of an expected flurry of changes to privacy laws over the coming years. Many organizations operating across Canada are rightfully concerned about how Quebec’s privacy framework doesn’t align with other jurisdictions, resulting in complexity for organizations and confusion for consumers. It is too early to tell how long it will take before the rest of the country catches up, but there is clearly the need for consistency and modernization of privacy statutes that are approaching or over 20 years old, in an era of rapid digital transformation.
For guidance on Canadian privacy laws or to obtain assistance with your compliance initiatives, contact PRIVATECH.