The Government of Canada is proposing extensive changes to the country’s privacy and data security laws and swelling the enforcement powers of the Office of the Privacy Commissioner.
On May 21, Minister of Innovation, Science and Economic Development Navdeep Bains announced his government has produced a digital charter, an initiative intended to train workers for the digital economy, grow Canadian businesses through the adoption of digital and data-driven technologies and amend privacy and data security laws to enhance public trust in the digital economy and public and private institutions.
For Canada’s laws governing privacy and data security, the government proposes enhancing consent requirements for data collection and use in some cases, making exceptions to that consent in others, giving the OPC more enforcement power and allowing people more control over their personal data after it is collected.
If legislative action is taken, the proposed changes to Canada’s Personal Information Protection and Electronic Documents Act would mean the most substantial change to the law since its inception, says McCarthy Tétrault LLP technology lawyer Michael Scherman.
“It sounds like not only are they substantively making changes, they're also planning on almost rewriting the entire law,” he says. “They're at least contemplating that possibility.”
The digital charter does not have the force of law, but the government states it is intended to inform all policy decisions and legislation going forward, says Scherman.
A 2018 survey by Nanos Research and The Globe and Mail found that 84 per cent of Canadians polled are worried about how social media companies use their personal information and 74 per cent of Canadians surveyed in 2016 by the OPC said they have less privacy protection than they did a decade before.
“It does seem like substantial changes are in the near future,” says Scherman, but he adds that there is an upcoming federal election that could upset the government’s plans.
The federal government began the National Digital and Data Consultations in June 2018, revealing that 20 years after PIPEDA was enacted, as the digital landscape has evolved in unpredictable ways, the law has not stood the test of time, according to a document on the digital charter from Innovation, Science and Economic Development Canada. The consultations found Canadians want more transparency in how their data is being collected and used and more control over their personal data once it’s collected, a sentiment that was echoed in “several parliamentary reports” and recommended by the House Standing Committee on Access to Information, Privacy and Ethics, said the document.
The consultations also found that Canadian companies, particularly small and medium-sized businesses, were having trouble complying with the complexity of the current data protection and privacy rules.
The digital charter proposes requiring data collectors provide plain-language explanations about the intended use of the personal data, third parties with which it will be shared and the charter also recommends prohibiting the bundling of consent into a contract. The charter also proposes alleviating “consent fatigue” by making exceptions to consent for the use of some personal information (de-identified data) in certain circumstances by businesses.
“Generally, businesses would appreciate this, it would give them more certainty as to what is required, what the standard is to de-identified data and then what uses they can make of de-identified after, whereas right now it's more of a grey area,” he says.
The charter proposes data mobility rights, whereby an individual has the right to ask that their personal information be moved from one organization to another.
“It seems like we're going to be entering into a period of change for privacy law in Canada. Change obviously leaves a lot of uncertainty for clients,” says Scherman, adding that it would be “prudent” to look at international privacy laws such as the European Union’s General Data Protection Regulation to get a sense of what businesses will likely be obligated to comply with soon.
The digital charter states that the OPC’s current enforcement powers under PIPEDA do not sufficiently incentivize compliance. Currently, the OPC’s powers include compelling evidence, examining documents, interviewing witnesses, making oaths and “entering premises,” the charter states. The OPC begins an investigation when a member of the public complains or when there are reasonable grounds for suspicion and they can take the matter to the Federal Court, but only when it wasn’t the OPC that initiated the investigation. The charter proposes giving the OPC more discretion and flexibility with investigations and audits, increased co-operation with other law enforcement agencies, order-making power for cessation or records preservation orders and “substantially increasing the range of fines” for non-compliance with PIPEDA, among other changes.
Under PIPEDA, the OPC has notoriously weak enforcement powers compared to other jurisdictions, says Scherman.
“It definitely seems like their intention is to head down that path and give the privacy commissioner greater authority to enforce the law, including broader order-making powers, increased ability to levy fines, etc. And I think that would be in line with how other laws around the world are definitely progressing,” he says.
The digital charter also includes plans to review the Privacy Act, which governs personal information held by federal public institutions and became law in 1983. According to the charter’s section on the Privacy Act, which linked to the Department of Justice’s website, the government plans on making a Privacy Act technologically neutral, providing the OPC with “a more proactive and educational role” and better taking the data protection principles governing foreign jurisdictions into account.