Changes include penalties for non-compliance and the expected revival of bill C-11
When Canada passed its privacy laws in 2000, it could not have foreseen the tremendous pace of technological change over the next 20 years and how that would affect privacy and data access. The proposed Digital Charter Implementation Act (DCIA), tabled in the House of Commons as bill C-11 in December 2020 to establish a new privacy law for the private sector, aimed to respond to those seismic changes.
That bill died on the order paper with September’s snap federal election. But Quebec has passed its new privacy legislation, and three other provinces are reviewing — or creating — their legislation.
A lot is going on in legislative reforms of privacy and data regulations, notes Kirsten Thompson, national leader of the Transformative Technologies and Data Strategy Group at Dentons Canada LLP in Toronto.
She does not doubt that the federal government will reintroduce its privacy legislation, though not likely until mid-2022.
“I expect there’ll be some adjustments to it, but I would also expect it to look substantially similar … to bill C-11,” says Thompson, who is also a member of Dentons’ privacy and cybersecurity group.
New private-sector privacy legislation is of necessity aligning with the European Union’s General Data Protection Regulation (GDPR) so that Canada maintains its “adequacy” status. As a “third country,” Canada must offer levels of data protection that are essentially equivalent to those within the E.U.
And what is “highly motivating” to businesses to comply with the new legislation are the tremendously high fines it introduces for non-compliance. “This is a material change in the risk environment for most organizations,” Thompson says. “They need to take a look at what their processes and programs are.”
The federal bill C-11 was meant to reform the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into force in April 2000. PIPEDA governs how private-sector organizations collect, use and disclose personal information in commercial business.
Bill C-11 “generated a lot of criticism, in part because it was such a major change [from PIPEDA] because it was having to adapt to a very fundamentally transformed data environment,” says Teresa Scassa, professor and Canada research chair in information law and policy at the University of Ottawa.
She adds that the “big changes” in the bill that attempted to come to terms with the new digital and data economy were more controversial.
Canada’s privacy commissioner, Daniel Therrien, was a chief critic of the proposed legislation. He penned an open letter to the chairman of the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, highlighting some of his concerns.
“Although seeking to address most of the privacy issues relevant in a modern digital economy,” Therrien wrote, it “does so in ways that are frequently misaligned and less protective than laws of other jurisdictions.”
The “increased flexibility given to organizations to use personal information without consent do not come with the additional accountability one would expect,” he added, “because administrative penalties will not apply to the most frequent and important violations, those relevant to consent and exceptions to consent.”
With data collection so pervasive — and sometimes even unknown to the consumer — the role of consent in the legislation is a challenge, says Scassa.
“If you continue to put meaningful consent to data collection practices at the heart of the legislation, then you’re doing so in a context where you have to realistically admit that this is not an easy thing to do.” In many cases, she says, data collection is not even negotiable, such as when people use a videoconferencing platform, open a bank account, or simply use the internet.
Many companies have also collected data under terms-and-conditions and privacy policies and now want to use that data for purposes other than those for which they obtained consent, Scassa adds. “And so, there’s a lot of discussion about how the rules can be adapted in data protection laws to give organizations more freedom to use data that they’ve already collected in new and innovative ways. That’s another challenge to consent,” she says.
“These things were controversial under C-11, and I think they’re going to remain controversial. … It’ll be interesting to see what changes the government [might make to] any new bill we see in the winter.”
Bill C-11, like Quebec’s new legislation, also aligned with the GDPR in imposing substantial monetary penalties on companies. Concern over the proposed legislation is twofold, says Wendy Mee, co-chair of the privacy group at Blake, Cassels and Graydon LLP in Toronto.
First, “there shouldn’t be significant consequences for non-compliance if you were trying to get it right and just didn’t, because privacy is complicated.”
Second, “if we are going to have the possibility of significant financial consequences for companies, we have to have appropriate appeal and review procedures,” says Mee. At present, if a privacy commissioner investigates a company for a data breach or other incident and releases a report which is then made public, “there isn’t necessarily an appeal right [for the company on the findings] unless it goes to court, which is very rare.”
In September, Quebec’s Act to modernize legislative provisions relating to the protection of personal information, or Bill 64, received royal assent after its adoption by the National Assembly of Quebec a day earlier. The new regulations will come into effect in three stages over three years. Beginning this September, organizations must notify the privacy regulator and affected individuals of any breach that compromises personal information and presents a “risk of serious injury” to those individuals.
Penalties for infractions are among the most stringent in the world. Administrative fines are $50,000 per individual and $10 million for corporations, or two per cent of global turnover from the previous year, whichever is higher. Criminal penalties can be $100,000 for individuals and $25 million, or four per cent of the prior year’s global turnover, for corporations. Drafters modelled these penalties after those in the GDPR.
“It seems there’s a level of universal support to make our privacy legislation more robust, considering what’s happening internationally,” says Mee.
Three other provinces have conducted public consultations as a preamble to updating (or creating) their private-sector privacy laws.
In December, British Columbia’s special committee to review its Personal Information Protection Act released 34 recommendations in its report, which will assist in drafting new legislation.
Alberta finished gathering feedback on privacy protections in October following a public consultation in August. The province will use the input to update its Personal Information Protection Act and its Freedom of Information and Protection of Privacy Act.
And Ontario released a white paper in June that outlined what would be the province’s first private-sector privacy law. Monetary penalties are likewise steep, with proposed maximum penalties of up to $25 million, or five per cent of the organization’s gross global revenues (whichever is higher). Offences include knowingly re-identifying personal information that has been de-identified, seeking retribution against a whistleblower, or obstructing a commissioner in investigating a complaint.
“Ontario’s white paper mapped onto bill C-11 to some extent,” says Scassa. However, “now we won’t see a new [federal] bill until this winter, and there’s a provincial election in the fall.” Ontario may therefore wait to introduce its privacy legislation, while B.C. and Alberta may look to model their laws after what the feds table as early as this winter, she says.
Digital Charter Implementation Act provisions
Modernized consent rules would ensure the availability of plain-language information.
Individuals may direct the transfer of their personal information from one organization to another.
Individuals may ask organizations to dispose of their personal information and withdraw consent for its use.
Businesses must be transparent about how they use automated decision-making systems.
De-identified information may be used without an individual’s consent only under certain circumstances.
Source: Innovation, Science and Economic Development Canada