This Data Privacy Day, we reflect on a busy year of consultations and proposals to reform Canadian data privacy laws. In 2020, governments across Canada tabled legislative amendments and signalled their intention to strengthen the enforcement of privacy obligations, simplify the consent process for private sector businesses, clarify the role of third-party service providers and provide individuals with more control over their personal information.
Highlights of these efforts include:
In February, the Legislative Assembly of British Columbia appointed a special committee to review the Personal Information Protection Act (PIPA) which applies to private sector and non-profit organizations. The committee heard from interested individuals and organizations throughout the year. Recommendations for reform of the legislation included suggestions from the Office of the Information and Privacy Commissioner for British Columbia to introduce mandatory breach notification obligations and amend PIPA to clarify an organization’s responsibility for personal information they transfer to third parties for processing. A report of the Special Committee’s findings is expected to be released February 2021.
In June, the Quebec National Assembly tabled an Act to modernize legislative provisions as regards the protection of personal information which if passed would amend both private and public sector privacy legislation in the province to implement obligations and rights similar to those imposed by the European Union’s General Data Protection Regulation. Proposed amendments include heftier fines and new administrative monetary penalties, mandatory privacy impact assessments and new obligations on organizations to publish their privacy governance rules. Bill 64 was adopted in principle in October 2020 and will move to a third reading.
After ratification by the federal government in March, the Canada-United States-Mexico Agreement (CUSMA) came into force on July 1, 2020, replacing the North American Free Trade Agreement. CUSMA implemented new rules related to information technology and digital trade. These rules include the establishment of new consumer and privacy protections, requiring each party to adopt or maintain a legal framework that provides for the protection of the personal information of the users of digital trade.
In August, the Ministry of Government and Consumer Services sought advice on the creation of Ontario-specific legislation to govern how organizations in Ontario collect, use, disclose and safeguard personal information. Importantly, an Ontario-specific privacy statute could impose obligations on organizations not currently regulated by privacy legislation, such as organizations that do not engage in commercial activities and provincially regulated employers, in respect of their handing of employee personal information. Ontario has not indicated when its response to the consultation will be ready.
In November, then-Minister Navdeep Bains tabled the highly anticipated Digital Charter Implementation Act, 2020, which if passed would repeal the parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) that regulate the processing of personal information, and enact a new Consumer Privacy Protection Act (CPPA). Many of PIPEDA’s obligations would be maintained under the new legislation, including the existing consent regime, though new exceptions from the consent requirement have been proposed. However, several new and enhanced obligations would be established, including rules governing how and when de-identified information may be created, used and shared, and new rights of data portability and disposal for individuals. The bill would also enact the Personal Information and Data Protection Tribunal Act, establishing a new administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada. This Tribunal could impose monetary penalties of up to C$10-million or three per cent of the organization’s total global revenues for the prior financial year. The CPPA also provides for substantial fines for various offences — up to C$25-million or five per cent of the organization’s total global revenues — for the prior financial year. Bill C-11 is expected to be sent to the Committee on Access to Information, Privacy and Ethics before receiving a third reading later this year.
The Government of Canada also announced a review of the Privacy Act, which governs how federal government institutions collect, use, disclose, retain and dispose of personal information. The discussion paper associated with the consultation suggests the government is seeking to expand the ways personal information can be shared between federal institutions and to create new transparency obligations for automated decision-making systems. The consultation is open until February 14, 2021.
While it may take several months for these efforts at legislative reform to take shape, organizations operating in Canada should expect and begin to prepare for new and enhanced privacy and data protection obligations.
For further information, please contact:
Wendy Mee 416-863-3161
Ellie Marshall 416-863-3053
or any other member of our Privacy & Data Protection group.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2023 Blake, Cassels & Graydon LLP