In the next two years, it is likely organizations across Canada will become subject to more detailed and more stringent privacy laws. When the change comes, many businesses – having benefitted from a relatively lax form of regulation – will be unprepared. The public sector, too, is mostly subject to laws shaped into their current form prior to the new millennium.
This article explains why we know that change is coming and what the new privacy law will likely resemble, and sets out what organizations without developed privacy management programs should be doing now. Building an adequate program will take time, and for many, now is the time to start.
Why do we know change is coming?
Canada is under significant pressure to keep pace with the standard of privacy protection embedded in European law, because doing so supports Canada’s continued participation and competitiveness in global digital trade.
Today, Canada anchors participation in global digital trade in its aging federal commercial privacy statute – the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government has promised a substantial PIPEDA amendment, but Québec has now pre-empted the federal government by introducing a bill to bring in Canada’s first European-style privacy statute. Québec will set the pace for change federally and in British Columbia, and now Ontario has announced its commitment to enacting new, robust commercial privacy legislation.
The pressure originates in Europe
Europe has been the global leader in privacy protection since the mid-1990s, a position it currently can claim based on its enactment of the General Data Protection Regulation (GDPR), which came into effect in 2018. The GDPR is a detailed and stringent privacy statute backed by immense potential penalties for non-compliance – maximum fines of up to €20 million or four per cent of annual global turnover (whichever is greater).
Although the GDPR is EU legislation, the EU has used it to continue its long-pursued policy of protecting the privacy rights of individuals in the EU, even in certain situations in which their data is processed outside of the EU. In this regard, the EU set out to make the GDPR a global standard. The GDPR applies to organizations that operate outside of the EU when they engage in certain processing activities in relation to persons in the EU. It also imposes special requirements for transferring personal data outside of the European Economic Area (EEA) to any countries that do not ensure an adequate level of protection.
Canada has enjoyed limited “adequacy status” since a European Commission declaration made in 2001, a status that applies only to data transferred to recipients bound by PIPEDA. PIPEDA’s status has not been reviewed since, though the Article 29 Data Protection Working Group assessed Québec privacy law in 2014 and recommended that certain improvements be made.
The GDPR requires the European Commission to review Canada’s status every four years, leaving a real concern as to whether PIPEDA’s perceived frailties will withstand scrutiny. A pair of Court of Justice of the European Union decisions known as “Schrems I” and “Schrems II” invalidated mechanisms for transferring personal data from the EEA to the United States due to the inadequacy of protections from government access, heightening this concern. The Schrems decisions suggest that, when the time comes, Canada will face a new and broader form of scrutiny than it faced in 2001 and 2014.
See our article for a fulsome discussion of the most recent Schrems decision.
PIPEDA reform is lumbering
The federal government has only made one significant amendment to PIPEDA since it came into force in the early 2000s. PIPEDA remains a principles-based form of privacy regulation in which consent and data minimization are core principles. PIPEDA enforcement lies with the Privacy Commissioner of Canada, who is an ombudsman, with no power to order compliance or administer penalties.
In February 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics released Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The Report was the product of the Committee’s yearlong consultation, and the Committee made 19 recommendations to government on how it ought to approach PIPEDA reform.
The government’s response to the Committee came in two parts. First, in June 2018, government responded formally to the Report. It committed to studying reform and said, “the Government of Canada shares the Committee’s view that changes are required to our privacy regime to ensure that rules for the use of personal information in a commercial context are clear and enforceable and will support the level of privacy protection that Canadians expect.”
Next, in May 2019, the federal government issued a discussion paper entitled Strengthening Privacy for the Digital Age. The paper established a general direction that included strengthened enforcement mechanisms, but was non-committal.
Québec’s pre-emptive move
One year after the federal government issued its discussion paper and stressed the complexity of privacy law reform, Québec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. Please see our comprehensive summary of the Bill, which would incorporate numerous features of the GDPR into Québec privacy law if passed, including:
- breach reporting requirements;
- requirements for outsourcing and transfers outside of Québec, including an adequacy system;
- new individual rights, including a right to data portability, right to be forgotten and right to object to automatic processing;
- a robust accountability framework featuring a defined privacy officer role, an obligation to establish, implement and publish governance policies and practices, an obligation to conduct privacy impact assessments (PIAs) and privacy by design requirements.
Along with these substantive changes, Québec has also proposed a major enforcement change. If passed, the Bill will give the Commission d’accès à l’information (CAI) powers to impose administrative monetary penalties of up to C$10 million or, if greater, an amount corresponding to two per cent of worldwide turnover in the preceding year. The Bill will also enable fines to be imposed by prosecution, with the maximum fine amount set at C$25 million or, if greater, the amount corresponding to four per cent of worldwide turnover for the preceding fiscal year. Finally, if passed, the Bill will bring in a new private right of action.
Ontario and British Columbia are likely to follow
Right after Québec introduced Bill 64, Ontario announced…