Earlier this month, the Office of the Privacy Commissioner of Canada ("OPC") released a summary of its key recommendations for a new federal private sector privacy law (the "Key Recommendations"), one that would update or replace the existing Personal Information Protection and Electronic Documents Act ("PIPEDA").1
The federal government most recently attempted to amend PIPEDA by introducing Bill C-11, the Digital Charter Implementation Act, 2020. The bill faced criticism from businesses, privacy advocates and the OPC itself, before ultimately dying on the order paper with the calling of the 2021 federal election.
Since coming into power, the new federal government has not taken any significant steps to advance a similar bill. However, the introduction of a new privacy bill is widely expected in order for Canada's federal privacy law to maintain consistency with the modernization of privacy regimes in other jurisdictions.
The OPC's Key Recommendations touch on the following themes:
- Re-imagining Canada's consent-based framework.
In its Key Recommendations, the OPC recommends the introduction of either (i) new exceptions to PIPEDA's current consent requirement where personal information will be processed for explicit, knowable purposes (such as for product delivery, network security, or search engines), and/or (ii) a flexible "legitimate commercial interests" exception to PIPEDA's current consent requirement, which would be available only when organizations have met certain pre-requisites (such as the completion of a privacy impact assessment and balancing test).
At the same time, the OPC recommends that federal privacy legislation reflect a recommitment to the principles of consent and transparency, by integrating knowledge and understanding into the statutory requirements to obtain valid consent. The OPC's proposal aims to make consent valid only when certain information is provided in an intelligible and easily accessibly format such that it is reasonable to expect that an individual would understand that information.
The OPC also recommends including specific requirements with respect to automated decision-making, including a right for individuals to obtain an explanation of the automated decisions made about them, and to contest those decisions.3
- Rights-based framework.
The OPC recommends that the federal legislation include a framework that establishes a fundamental right to privacy, while recognizing the legitimate need of organizations to process personal information for appropriate purposes. A similar right to privacy has been enshrined in the Civil Code of Québec4 and the Charter of Fundamental Rights of the European Union.5
The OPC also recommends providing for a right to reputation, by giving individuals the ability to seek the removal of their personal information from search results (i.e., a right to de-indexation) under certain conditions. A similar right has already been enacted in Québec and will come into force in September 2023.6
- Enforcement Powers.
The OPC also once again calls for enhanced enforcement powers, including powers to (i) perform proactive audits to ensure compliance, (ii) make orders, (iii) impose fines, including administrative monetary penalties ("AMPs"), (iv) enter into compliance agreements incorporating AMPs, and (v) register such compliance agreements with the court to aid in enforcement.
Had it passed, Bill C-11 would have allowed for the levying of significant AMPs, however these were limited to only a handful of violations. Bill C-11 also would have created a separate tribunal that could have imposed AMPs. The OPC recommends that federal privacy legislation instead allow for the imposition of AMPs for all violations and that the OPC be empowered to impose AMPs itself, rather than such power being reserved for a separate tribunal.7
The OPC also recommends that a private right of action be instituted for consumers, independent of the OPC investigation process, so that they are not left without a remedy should the OPC choose not to investigate a privacy complaint.
The above are just some of the most prevalent themes within the OPC's recommendations regarding the future of Canada's federal private sector privacy legislation. It remains to be seen how many of these recommendations will be adopted, in whole or in part, by lawmakers. We will continue to monitor and provide updates about any further developments in this respect, including any bills that are tabled to amend or replace PIPEDA.
1 Office of the Privacy Commissioner, Key recommendations for a new federal private sector privacy law, May 4, 2022, available online [Key Recommendations].
2 OPC Bill C-11 Submission, s.v. "exceptions to consent".
3 Key Recommendations, s.v. "Enable responsible innovation".
4 Civil Code of Québec, CQLR c CCQ-1991, s 3.
5 Charter of Fundamental Rights of the European Union, 2012/C 326/02, article 7 and 8.
6 Act respecting the protection of personal information in the private sector, CQLR c P-39.1, section 28.1 (as modified by Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25).
7 OPC Bill C-11 Submission, s.v. "Access to quick and effective remedies and the role of the OPC".
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021