Adam Kardash, Natasha Anzik, CIPP/C
Dec 8, 2020
Over the course of 2020, there was a flurry of legislative reform activity in the Canadian privacy arena. If enacted, proposals at both the federal and provincial level for enforcement regimes and statutory requirements potentially expose companies across Canada to severe financial penalties, enhanced litigation risk and significant compliance costs. Here is how the privacy legislative arena is changing.
Federal private sector privacy law to modernize PIPEDA
On November 17, 2020, the federal government introduced a bill proposing significant changes to the national framework for the protection of personal information in Canada.
The long-awaited and much-anticipated bill, the Digital Charter Implementation Act, 2020 (DCIA), serves to modernize the Personal Information Protection and Electronic Documents Act (PIPEDA) – legislation that was enacted almost 20 years ago. If passed, DCIA would establish a new private sector privacy law in Canada, the Consumer Privacy Protection Act (CPPA), and a new Personal Information and Data Protection Tribunal.
One of the CPPA’s most notable additions to the current PIPEDA framework is the creation of a new enforcement regime. Organizations that fail to comply with the CPPA may be subject to administrative monetary penalties of up to the greater of 5% of the organization’s gross global revenue or C$25 million. Another addition is a statutory private right of action for loss or injury suffered as a result of a contravention of the CPPA. Finally, the CPPA confers order-making powers on the Office of the Privacy Commissioner of Canada.
Organizations will also be faced with increased costs associated with the operational implementation of – and the resources required to ensure – ongoing compliance with the CPPA’s expanded and prescriptive requirements. Key proposed features of the CPPA include
- a requirement for organizations to implement a robust internal privacy management program that must include a full suite of written policies, practices and procedures, designed to ensure compliance with all requirements under the statute
- a strengthening of the consent requirements for personal information processing that will make it necessary for organizations to examine all collections, uses and disclosures of personal information, to improve their consent notices and to develop or enhance consent management practices
- a strengthening of the statutory transparency requirement, which will necessitate a review by organizations of public-facing notices to ensure that they are readily available in “plain language” and include prescribed content requirements
- a requirement for organizations to identify, assess the appropriateness of and maintain a record of the specific purposes for each collection of personal information
- a limitation on the collection of personal information to only what is “necessary” (i.e., not just reasonably required) in the circumstances
Individuals will also be afforded several new rights under the CPPA. Individuals will have the right of “disposal” of personal information, which will require organizations to “permanently and irreversibly” delete the individual’s personal information (subject to certain exceptions). Additionally, the CPPA contains “data mobility” rights which would allow individuals to direct the transfer of their personal information from one organization to another.
Although a minority federal government and the COVID-19 pandemic are raising some uncertainty with respect to the timing of the enactment of the CPPA, the reform of Canada’s federal private sector privacy law remains a high priority of the Liberal government. We anticipate that the bill could very plausibly come into force late in 2021.
Québec’s Bill 64 proposes drastic changes to existing privacy law
The introduction in June of Québec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, proposed sweeping new changes to Québec’s existing privacy regime. If enacted, this bill would introduce potentially severe monetary penalties (including fines of up to “4% of worldwide turnover for the preceding fiscal year” under the offence provisions), statutory damages, a security incident reporting regime, new statutory rights (including the right of an individual to require that an organization “cease disseminating [personal information] or … de-index any hyperlink attached to his name”) and a range of other amendments affecting private sector organizations.
If passed in its current form, Bill 64 would impose the most onerous privacy protection requirements in the world. In many instances, the obligations and other elements of Bill 64 are more stringent and prescriptive than the requirements set out under the European General Data Protection Directive.
The stringent requirements under Bill 64 include obligations relating to accountability, a novel “confidentiality by default” requirement, a broad “deactivation” right for identification, location or profiling functions, transborder data flows, data impact assessments, consent and exceptions to consent, the standard for information security, data retention, transparency, automated decision making and multiple subject matter data rights.
Over the course of a very brief consultation in October, the Québec government received numerous submissions highly critical of Bill 64. A revised version of the proposed legislation is expected early in 2021.
British Columbia’s private sector privacy legislation under review
On February 26, 2020, the British Columbia Legislative Assembly appointed a Special Committee to review its Personal Information Protection Act (PIPA). The Information and Privacy Commissioner proposed a number of changes to PIPA that are thematically consistent with other proposed reforms. These include a significant enhancement to the enforcement regime (including administrative monetary penalties and order-making powers), the creation of a mandatory breach notification requirement and the “modernization” of PIPA’s consent requirements.
Ontario’s move towards a private sector privacy statute
With a view to improving the province’s privacy protection laws, during the summer of 2020 Ontario’s Ministry of Government and Consumer Services launched a privacy consultation. The government’s objective is to create a legislative framework for privacy in the private sector. The public consultation process, which concluded in October, sought to canvass input with respect to several areas. These include the enforcement powers of the Information and Privacy Commissioner (IPC), an “opt-in” consent model, data portability and data deletion rights, data trusts for data sharing and de-identification requirements.
These consultation topics suggest that any forthcoming Ontario private sector legislation would remain relatively consistent with (and build upon) requirements under PIPEDA and other provincial models applicable to the private sector. In particular, consistent with other provincial private sector statutes, it is likely that this new legislation would govern provincially-regulated employment relationships, a previously unregulated area of privacy law in Ontario.
The precise timing for a proposed privacy statute, and how the federal government’s proposed legislative reform will impact the Ontario government’s legislative reform initiative, remain unclear.
Health privacy legislative reform
In the health sector, Alberta’s Bill 46 introduced proposed amendments to the Health Information Act (HIA) and Ontario enacted significant changes to the Personal Health Information Protection Act (PHIPA).
PHIPA’s changes include the provision of new powers for the IPC (such as the power to impose an uncapped administrative penalty), increased penalties for offences, new audit log obligations and the establishment of new prescriptive and permissible collections and disclosures of personal health information.
It is widely expected that the federal and provincial legislative reform activity will continue through 2021. Organizations are well-advised to familiarize themselves with the coming changes and with the progress of reforms in order to have the necessary compliance framework in place when amendments come into force.