Canadian Privacy Law Reform Marches Forward

Canadian Privacy Law Reform Marches Forward

Next week I deliver in-depth privacy training to prepare individuals for their IAPP CIPP/C exam and we’ll definitely be discussing federal Bill C-27. The House of Commons debated the bill, also known as the Digital Charter Implementation Act 2022, on March 7th, and some optimistic Liberal Parliamentarians voiced hopes of having the Bill passed into law by the Summer.

The omnibus bill with its proposed Consumer Privacy Protection Act (CPPA), Personal Information and Data Protection Tribunal Act, and Artificial Intelligence and Data Act has taken a backseat since its introduction in June 2022. The media recently reported that on-going worries over data collection by Chinese-owned app TikTok has triggered renewed interest in moving the Bill forward. However given the extent of concerns over the existing version of the Bill, there is clearly work that needs to be done. An excellent article published in January 2023 by BLG outlines many of the issues with Bill C-27.

Following second reading, the Bill moves to the House standing committee on industry, science and technology for the next step of the parliamentary process. At this point we expect to finally hear the Office of the Privacy Commissioner of Canada’s feedback on the bill. Although there are improvements from Bill C-27’s predecessor, Bill C-11, it is unclear who was consulted and clearly these consultations were not thorough enough to iron out the many kinks in the Bill. Fast tracking it at this point could lead to a federal privacy framework that continues to lag behind globally. We certainly don’t want to end up with a PIPEDA replacement that is cumbersome and difficult for businesses to understand. Canada’s Anti-Spam Law (CASL) is a great example of a law that could have been much better drafted so as to result in less confusion and uncertainty for businesses. Six years after the CASL private right of action was delayed due to its complexity and burden on businesses, we have still not seen the government provide further guidance through regulations. Potential exposure to private claims under CASL seems to be delayed indefinitely. The proposed CPPA also contains a private right of action, so its important to get it right.

Gaps in Canada’s Privacy Law Coverage

We will have the same gaps in coverage as we currently have under PIPEDA once Bill C-27 is passed. That is, the CPPA will only apply to commercial activities, meaning charities and political parties, as well as employees of private sector entities operating strictly in provinces without private sector privacy laws, like Ontario, are still carved out. Now is the time to address this. And speaking of the provinces, we have no sign of any heed being paid to the B.C. and Alberta Commissioners with respect to amendments needed to their Personal Information Protection Acts (PIPAs). Under the proposed CPPA, the Governor in Council is given the power to make an order that provincial legislation is substantially similar to the CPPA but clearly other than Quebec’s Law 25, this may be difficult to establish.

When considering transborder data flows, PIPEDA currently enjoys adequacy status under Europe’s GDPR (with respect to commercial enterprises only) but Canada’s framework is expected to be reviewed in the near future. The last report to the European Commission was in 2019 and although these reports on Canada’s privacy framework were expected to be published annually, they seem to have paused when it was felt the private sector law was on its way to reform. With an explosion of privacy laws globally, reassessing Canada’s adequacy has clearly not been of high priority for the EU Commission, and the fact that Canada is on its way to a more robust law will certainly bode well.

In my opinion, Bill C-27 will undergo necessary amendments and likely won’t be passed until Fall 2023 at the earliest, or perhaps Winter. At that point, I would expect there will also be a transition period giving businesses some time to get their act together, including ensuring they have an effective privacy management program in place, something that will be a requirement under the new law.

Contact us for more information on Bill C-27 and what your organization will need to do to prepare. Or, join us for the CIPP/C training next week where we will take a deep dive into Canadian privacy law developments. CIPM training will be offered early May to focus on privacy management programs and data governance.