This month, when I deliver in-depth privacy training to prepare individuals for their IAPP CIPP/C exam, I may have to pivot quickly to ensure participants are receiving the very latest on privacy laws in Canada! Highly anticipated legislation to modernize Canada’s private sector privacy law is expected to be introduced in the current session of Parliament. Harmonization across provincial and international data protection regimes has become a major focal point. Ideally, regulators should be able to encourage compliance and enforce privacy laws in a manner that is consistent across the country; entities governed by such laws should not experience inconsistent statutory requirements that are burdensome; and individuals should be able to clearly understand the protections in place and data rights they can expect.
Certainly, the EU’s General Data Protection Regulation (GDPR) has set a higher standard for privacy laws since it came into force in May 2018. And clearly, reform initiatives in Canada and elsewhere in the world have been inspired by the GDPR, aiming to set a higher bar for data-handling requirements and financial penalties for non-compliance.
Privacy lawyers will be looking for consistency on many topics, but here’s a quick highlight of two important areas:
- The definition of ‘personal information’. Privacy laws have broadly applied to any information that identifies an individual. But ubiquitous technologies, IoT devices and artificial intelligence are challenging the boundaries of ‘identifiable’. De-identified information is generally not subject to privacy laws, but should privacy laws consider whether personal information is de-identified enough, making it truly anonymous? The federal government’s first attempt to revamp PIPEDA with the draft Consumer Privacy Protection Act (CPPA) under the now-defunct Bill C-11 did exactly that by contemplating re-identification such that certain privacy requirements should continue to apply. Many data experts argue the possibility of re-identification is never eliminated, but certainly some data sets should be subject to less rigorous protections to support innovation and research. Consistency in the parameters outlined for de-identification in the privacy laws is critical for innovators.
- Consent – when it’s needed and what it looks like. Under the GDPR, consent is one of six main legal grounds for the lawful processing of personal data. However, in Canada, the CPPA was drafted, and Quebec’s Bill 64 was passed, with consent being central to the collection, use and disclosure of personal information by organizations. Under the GDPR, the basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. Quebec’s law has moved towards similar requirements. Across the country, inconsistency with respect to transparency requirements, consent practices, exceptions to consent and the right to withdraw consent will result in confusion and will practically mean organizations operating across Canada will need to meet the highest standard regardless.
Obtaining express consent is often extremely onerous and may not always be appropriate in a digital world, as individuals are expected to understand and make decisions on data flows. A proposed amendment to Ontario’s Personal Health Information Protection Act (PHIPA) provides a great example of the need to modernize consent rules. Ontario Health Teams (OHTs) were created in 2019 as a vehicle for coordinating health care in a geographic region. Groups of health care providers in a region can apply to the Ontario government to assist such groups in collaborating. However, PHIPA does not allow OHTs to share patient data for purposes like program planning, system improvement, error management and quality improvement without obtaining patients’ consent. On March 29, 2022, Bill 106, Schedule 4 received first reading and, if passed, will provide regulation-making power to ease consent requirements and address this issue.
The application of privacy laws to political parties and charities, two types of entities where privacy laws apply inconsistently across the country, should also be scrutinized by the federal and provincial governments to enhance privacy protection coverage for Canadians.
We can expect Canada’s privacy legal framework to evolve in the coming years, and it’s typical to see jurisdictions attempting to be somewhat more enhanced than their neighbors. In the U.S., this is starting to become problematic. California took the lead with a comprehensive privacy law, and we are now seeing other states introducing laws with their own spin, which could result in a nightmare of data protection law obligations for companies to address if operating in multiple states. With jurisdictions working together, let’s hope that in Canada, a good degree of alignment that serves organizations, individuals and privacy regulators at the provincial and national levels is achieved.