Cybersecurity Among Factors Driving Privacy Law Reform in Canada

October 30, 2020

The digital economy has changed the way we live and the way organizations carry on business. It has also raised unique privacy challenges that were not imaginable when Canada’s private-sector privacy laws were originally drafted. Organizations are increasingly collecting and compiling considerable amounts of personal information, including sensitive personal information, and using it for a wide range of purposes, including data analytics and artificial intelligence (AI), to better serve their customers.

Legislators across Canada and the rest of the world are attempting to modernize legislation to keep up with these advances. The European Union bolstered its privacy laws in 2018, enacting the General Data Protection Regulation (GDPR). Legislatures in other jurisdictions followed, including in California, Japan, Korea and Brazil. In Canada, the federal government and several provincial governments have signalled their intention to modernize their privacy legislation.

  • In May 2019, the federal government recommended revisions to Canada’s federal private-sector privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), as part of Canada’s Digital Charter.

  • In August 2020, the Ontario government launched a consultation on privacy law reform, with a view to implementing a provincial act regulating privacy in the private sector (and possibly other sectors, such as non-profits and charities). Currently, Ontario has privacy laws that regulate only the public and health sectors, though private-sector organizations in Ontario remain subject to PIPEDA.

  • In June 2020, the Quebec National Assembly tabled a bill (Bill 64) to modernize its privacy legislation. If Bill 64 is enacted as currently drafted, it would create a private-sector privacy statute in that province that is substantially similar to the GDPR. The Quebec National Assembly had also tabled, in December 2019, another bill (Bill 53) to enact legislation specifically aimed at governing the commercial and management practices of credit assessment agents. Bill 53 was enacted on October 28, 2020, and will come into force on February 1, 2021.

  • In February 2020, the B.C. government began its statutory review of the Personal Information Protection Act (B.C. PIPA). In connection with that review, the Information and Privacy Commissioner for British Columbia (B.C. IPC), along with other stakeholders, has put forth recommendations for reform of that statute.

Although each government’s proposal is unique, there are some common themes:

1. Mandatory Breach Reporting

While mandatory breach reporting in the private sector is in place in Canada at the federal level and in Alberta, it is not currently required under the private-sector privacy statutes in B.C. or Quebec. The proposed privacy law reforms in B.C. and Quebec would introduce mandatory breach reporting in those provinces, similar to what is in place federally and in Alberta. Breach reports allow governments to keep track of breach trends and cyber threats. Mandatory breach reporting is also often thought to incentivize organizations to invest in technology that protects the data they collect.

2. Enforcement Powers

Privacy commissioners in Canada do not have strong enforcement powers. In Europe, fines for non-compliance with the GDPR are potentially significant, up to €20 million or four per cent of a company’s total global turnover. Canada’s privacy commissioners are all pushing for stronger enforcement powers, including the ability to directly levy administrative monetary penalties, issue binding orders and initiate investigations. If Quebec’s Bill 64 is enacted in its current form, it would include potential penalties in amounts like those provided for under the GDPR.

3. Third-Party Service Providers

Organizations are increasingly outsourcing data processing activities to third-party service providers, including to those outside of Canada. While some Canadian privacy statutes make it clear that the transferring organization remains responsible for the transferred personal information, they are not very clear on what the transferring organization must do to ensure that the data is appropriately handled and safeguarded. Quebec’s Bill 64 would require organizations to enter into written services agreements with service providers, citing specific measures that the third-party provider must take to protect personal information. If the service provider is located outside of Quebec, a privacy assessment must be carried out and specific contractual protections must be in place. The B.C. IPC would like to see the B.C. PIPA amended to impose similar obligations, though less prescriptive than what is proposed under Quebec’s Bill 64 and with no suggestion that cross-border data transfers will be specifically regulated. It is likely that similar changes will be made to PIPEDA and included in any new privacy statute in Ontario.

4. Consent

Canada’s privacy commissioners have made it clear that relying on long, legalistic and open-ended privacy notices is not an effective way to obtain “meaningful consent” under Canadian privacy laws. However, as this practice continues, Canadian governments are looking at ways to ensure that meaningful consent and transparency are achieved.

Quebec’s Bill 64 would require organizations to use clear and plain language when describing the purposes for collection, use and disclosure. Further, the privacy consent notice would need to be separate from other legal terms, and privacy default settings would need to be set to offer the greatest level of protection. Opt-in consent for secondary processing of personal information, such as marketing, would be required. Similar proposals are being considered in B.C., Ontario and at the federal level.

5. Individual Control

Privacy commissioners in Ontario, Quebec, B.C. and at the federal level are pushing for amendments that would give individuals more control over their personal information. The GDPR offers several examples of such rights, including the right to object to automated decision-making; the right to request that an organization delete personal information (the right to erasure, or the right to be forgotten); and the right to request data in a readable, transferable form (the right of data portability).

Quebec’s Bill 64 would grant individuals rights similar to those under the GDPR. While the B.C. IPC supports a right of data portability, and a right to be notified of, and be provided with information relating to, automated decision-making processes, the B.C. IPC has not gone so far as to support a right of erasure because, in the B.C. IPC’s view, such a right would be difficult to apply in practice.

For further information, please contact:

Wendy Mee                    416-863-3161
Marie-Helene Constantin      514-982-4031
Alexandra Luchenko           604-631-4166

or any other member of our Cybersecurity or Privacy groups.