Privacy experts across the country will be focusing their attention on Parliament this morning when the federal government introduces long-promised updated privacy legislation.
It may give the Office of the Privacy Commissioner long asked for powers to levy fines and make mandatory orders. The government has already promised to enhance the commissioner’s powers in an unspecified way in its Digital Charter policy. It may fulfill government promises in the Digital Charter to give consumers more privacy rights.
The changes may also deal with possible challenges to Canada’s existing privacy law by the European Union’s General Data Protection Regulation (GDPR) that have been hanging over the country since 2018 when the regulation was implemented. Canadian firms will be forbidden from processing the data of Europeans if privacy law here isn’t similar to the GDPR.
What gives rise to this speculation is that last week the office of Industry Minister Navdeep Bains briefly said he will table a new Consumer Privacy Protection Act, legislation to create a new Personal Information and Data Protection Tribunal, plus show changes to other legislation.
The new Consumer Privacy Protection Act (CPPA) may replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which must be followed by federally-regulated firms as well as by private sector firms in provinces and territories that don’t have their own privacy law. That includes Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario and Prince Edward Island.
UPDATE: The legislation wasn’t introduced Monday. Bains’ office said he will hold a media availability briefing on the government’s implementation of the Digital Charter on Tuesday morning.
The snippet of information from Bains’ office suggests “a wholesale review approach to where our privacy legislation is,” according to Imran Ahmad, a partner in the Toronto law firm of Blakes, Cassels and Graydon that focuses on privacy and cybersecurity law.
“It seems timely that it would come at this moment,” he said, noting the EU review that’s expected shortly and the three provinces seeking new legislation. But the announcement came slightly sooner than expected.
“It came as a bit of a surprise … I spoke to several [legal] practitioners and while everyone expected it was coming at some point, coming this quickly was a bit of a surprise.”
Giving more power to the privacy commissioner would equate to a wholesale review. PIPEDA takes an ombudsman approach to overseeing data privacy: The commissioner has no power to levy fines, or force organizations to obey compliance orders. Unless a firm consents, the commissioner has to ask the Federal Court to enforce its orders. For example, earlier this year the commissioner asked the Federal Court to enforce its declaration that Facebook violated PIPEDA in the Cambridge Analytica scandal.
It would also mean giving some legal rights to consumers. PIPEDA says firms have obligations to protect personal data. But federal privacy commissioner Daniel Therrien has been calling for a privacy law that has a rights-based approach. The Charter of Rights wouldn’t have to be amended. Instead, the preamble of the privacy law (PIPEDA or CPPA) and a purpose statement would make it clear the law takes a rights-based approach.
“It is more than time for Canada to catch up to other countries and follow the lead of provincial governments that have recently launched promising new initiatives,” Therrien wrote in his annual report to Parliament in October. “All Canadians deserve strong privacy protections.”
Privacy rights would give consumers the right to sue businesses. Those cases could be heard by the tribunal. But some businesses are worried about an expansion of the right to sue. A research paper for the privacy commissioner suggests that right could be tempered by giving firms 30 days to redress an alleged violation before the right is triggered, or requiring plaintiffs to pay business’ legal fees for frivolous claims.
At an online law conference on Friday, Therrien said he wasn’t consulted on what the government will be introducing today.
In the spring of 2019 the Liberal government promised changes in a so-called Digital Charter. After he was re-elected with a minority in the fall, Prime Minister Justin Trudeau gave Bains a mandate letter telling him to prepare putting the principles of the Digital Charter into law, including:
- Enhancing the powers of the Privacy Commissioner.
- Establishing a new set of online rights of consumers including data portability (allowing consumers to shift personal data from one company to another).
- Giving consumers the ability to know how their personal data is being used (including the ability to withdraw consent for the sharing or sale of personal data).
- Giving consumers the ability to review and challenge the amount of personal data a company or Ottawa has collected.
The letter also tells Bains to work with the Minister of Canadian Heritage to create new regulations for large digital companies to better protect people’s personal data through a new federal Data Commissioner.
Also, potentially forcing Canada’s hand is the GDPR. Countries whose firms process personal data of EU residents must have privacy laws that are similar to the Union. PIPEDA had what is called adequacy status relative to EU privacy laws before the GDPR came into effect May 24, 2018. The EU has yet to rule on PIPEDA’s adequacy to the GDPR but will have to at some point in the near future. It wouldn’t be surprising if Canadian officials have been quietly talking to their EU counterparts on what, if any, concerns they have. It would be practical for Canada to pass a new law before the EU complains publicly.
Meanwhile, Quebec has introduced Bill 64, which brings its privacy law close to the GDPR. Ontario has started consultations on passing a new private-sector privacy law that might be stronger than PIPEDA, while British Columbia has started a review on improving its private sector privacy law.