In the next two years, it is likely organizations across Canada will become subject to more detailed and more stringent privacy laws. When the change comes, many businesses – having benefitted from a relatively lax form of regulation – will be unprepared. The public sector, too, is mostly subject to laws shaped into their current form prior to the new millennium.
This article explains why we know that change is coming, what the new law will likely resemble, and what organizations without developed privacy management programs should be doing now. Building an adequate program takes time, and for many organizations now is the time to start.
Why do we know change is coming?
Canada is under significant pressure to keep pace with the standard of privacy protection embedded in European law, because doing so supports Canada's continued participation and competitiveness in global digital trade.
Today, Canada anchors participation in global digital trade in its aging federal commercial privacy statute – the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government has promised a substantial PIPEDA amendment, but Québec has now pre-empted the federal government by introducing a bill to bring in Canada's first European-style privacy statute. Québec will set the pace for change federally and in British Columbia, and now Ontario has announced its commitment to enacting new, robust commercial privacy legislation.
The pressure originates in Europe
Europe has been the global leader in privacy protection since the mid-1990s, a position it currently holds on the strength of the General Data Protection Regulation (GDPR), which came into effect in 2018. The GDPR is a detailed and stringent privacy statute backed by immense potential penalties for non-compliance: maximum fines of up to €20 million or four per cent of annual global turnover, whichever is greater.
Although the GDPR is EU legislation, the EU has used it to continue its long-pursued policy of protecting the privacy rights of individuals in the EU, even in certain situations in which their data is processed outside of the EU. In this regard, the EU set out to make the GDPR a global standard. The GDPR applies to organizations that operate outside of the EU when they engage in certain processing activities in relation to persons in the EU. It also imposes special requirements for transferring personal data outside of the European Economic Area (EEA) to countries that do not ensure an adequate level of protection.
Canada has enjoyed limited “adequacy status” since a European Commission declaration made in 2001, a status that applies only to data transferred to recipients bound by PIPEDA. PIPEDA's status has not been reviewed since, though the Article 29 Data Protection Working Party assessed Québec privacy law in 2014 and recommended that certain improvements be made.
The GDPR requires the European Commission to review Canada's status every four years, leaving a real concern as to whether PIPEDA's perceived frailties will withstand scrutiny. A pair of Court of Justice of the European Union decisions known as “Schrems I” and “Schrems II” invalidated mechanisms for transferring personal data from the EEA to the United States due to the inadequacy of protections from government access, heightening this concern. The Schrems decisions suggest that, when the time comes, Canada will face a new and broader form of scrutiny than it faced in 2001 and 2014.
See our article for a full discussion of the most recent Schrems decision.
PIPEDA reform is lumbering
The federal government has made only one significant amendment to PIPEDA since it came into force in the early 2000s. PIPEDA remains a principles-based form of privacy regulation in which consent and data minimization are core principles. PIPEDA enforcement lies with the Privacy Commissioner of Canada, an ombudsman with no power to order compliance or impose penalties.
In February 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics released Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The Report was the product of the Committee's yearlong consultation, and the Committee made 19 recommendations to government on how it ought to approach PIPEDA reform.
The government's response to the Committee came in two parts. First, in June 2018, the government responded formally to the Report. It committed to studying reform and said that “the Government of Canada shares the Committee's view that changes are required to our privacy regime to ensure that rules for the use of personal information in a commercial context are clear and enforceable and will support the level of privacy protection that Canadians expect.”
Next, in May 2019, the federal government issued a discussion paper entitled Strengthening Privacy for the Digital Age. The paper established a general direction that included strengthened enforcement mechanisms, but was non-committal.
Québec's pre-emptive move
One year after the federal government issued its discussion paper and stressed the complexity of privacy law reform, Québec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. Please see our comprehensive summary of the Bill, which, if passed, would incorporate numerous features of the GDPR into Québec privacy law, including:
- breach reporting requirements;
- requirements for outsourcing and transfers outside of Québec, including an adequacy system;
- new individual rights, including a right to data portability, a right to be forgotten and a right to object to automated processing;
- a robust accountability framework featuring a defined privacy officer role, an obligation to establish, implement and publish governance policies and practices, an obligation to conduct privacy impact assessments (PIAs) and privacy by design requirements.
Along with these substantive changes, Québec has also proposed a major enforcement change. If passed, the Bill will give the Commission d'accès à l'information (CAI) powers to impose administrative monetary penalties of up to C$10 million or, if greater, an amount corresponding to two per cent of worldwide turnover in the preceding year. The Bill will also enable fines to be imposed by prosecution, with the maximum fine amount set at C$25 million or, if greater, the amount corresponding to four per cent of worldwide turnover for the preceding fiscal year. Finally, if passed, the Bill will bring in a new private right of action.
Ontario and British Columbia are likely to follow
Right after Québec introduced Bill 64, Ontario announced its own significant reform initiative, declaring “we are committed to creating a unique, made-in-Ontario solution to today's privacy challenges.” Ontario is now consulting with the public based on a policy paper that raises questions about statutory features common to the GDPR and Bill 64. For example:
- the potential recognition of data erasure and portability rights, new rights closely associated with online and other digital services;
- advanced tools to enable privacy-protective data use (de-identification provisions and “data trusts”); and
- the power to issue “severe” fines for non-compliance.
For more on the Ontario initiative, see our detailed summary.
British Columbia is also on track for significant privacy reform. The six-year statutory review of the British Columbia Personal Information Protection Act is currently underway. In June, the Information and Privacy Commissioner for British Columbia filed a briefing paper calling for significant reform. Not surprisingly, the Commissioner views the GDPR as the model for British Columbia reform:
The new General Data Protection Regulation (GDPR) in the EU and its influence globally cannot be ignored. It has become a gold standard and a model for many jurisdictions around the world. In particular, the GDPR confers such privacy rights as the right to erasure (right to be forgotten), the right to data portability, and the right to object to data processing activities. Issues around individual privacy rights will have to be examined by the Committee.
The Commissioner is lobbying for new legislative features such as breach reporting, stronger audit powers and a power to administer “substantial” administrative monetary penalties.
Is the public sector next?
Although the reform initiatives described above focus on consumer privacy, changes to consumer privacy legislation will likely have a cascading effect. Aside from the pressure arising out of the looming EU adequacy decision, it will be hard for provincial governments to maintain a privacy standard for public bodies that is clearly inferior to a new private sector standard.
Not surprisingly, then, in fall 2019 the federal, provincial and territorial information and privacy commissioners issued a joint resolution calling for private and public sector privacy reform. The federal government has committed to reform the federal public sector privacy statute, the Privacy Act.
What will the new law likely resemble?
Although Canada will not necessarily adopt all features of the GDPR, it is clearly the model for reform. The need to maintain adequacy status is one reason for this, but policymakers will also favour reasonable legislative uniformity because it reduces the burden of compliance on businesses that operate across multiple jurisdictions.
However, organizations without developed privacy management programs should start preparing now rather than waiting for, or focusing on, the details of the coming reform. Canadian privacy legislation will continue to impose accountability requirements, continue to require authorization to collect, use and disclose personal information, and continue to impose a safeguarding requirement. There will be some new rights and obligations and some new clarifications, but what is new is unlikely to change the body of rules in any fundamental manner.
What will change – radically even – is enforcement. Both new and old rules are likely to be enforced by new and strict enforcement regimes – regimes that include mandatory breach notification, order-making powers and the possibility of large penalties for non-compliance. Governments will create these new enforcement mechanisms to motivate organizations to take a new and more serious approach to privacy protection. This move towards strong privacy enforcement is very predictable, and is the most compelling reason to plan for change today.
What should organizations do now?
Now is the time for all organizations to consider whether they have an adequate privacy management program. Such programs are a means for organizations to take a co-ordinated approach to privacy and data protection. They impose accountabilities and controls via policies and procedures. They are both a framework for achieving due diligence and a documented means of demonstrating due diligence to regulators, the courts and the public.
Canadian privacy laws require organizations to have and maintain a privacy management program, though the statutory requirements are non-specific, and the effectiveness of privacy management programs can vary widely.
Effective programs have senior management support, promote broad accountability for privacy protection and encourage a disciplined and proactive approach to privacy management across the organization. Ineffective programs function without adequate support and suffer from a lack of impact. When programs are ineffective, organizational privacy practices tend to be fragmented and reactive.
Here are the six basic steps organizations should take now:
- Appoint a lead. Appoint an individual with sufficient privacy knowledge and authority who can “champion” the project.
- Develop a mandate. Work with senior management to develop a mandate and obtain resources. Approach this task broadly: consider business objectives, compliance objectives and objectives related to enterprise risk.
- Assess the current state.
  - Map the organization's personal information holdings: What is held? Where? How and when is information shared? What are the consequences of misuse, loss or theft?
  - Build a policy and practices inventory. What works? What does not? Is there duplication?
  - Identify gaps against statutory requirements and project objectives. Rank the gaps by their significance.
- Develop policies and practices. Aim to create concise, meaningful policy and guidance targeted at compliance requirements and foreseeable risks. Core policies in a privacy management program should address matters such as access and correction requests, retention and secure destruction, outsourcing and vendor management, privacy incident response and privacy complaint resolution.
- Implement. Implement the program with a view to managing organizational change. Communicate, train and employ other tactics to foster understanding and motivate new behaviours.
- Plan for change. Plan for regular monitoring and periodic revision. Set a date for the next formal program review that is reasonable in light of the pace at which the business operation is likely to change.
There are numerous sources of authoritative guidance for organizations to use in working through this process. We have included a list of some good resources below.
Change is coming to Canadian privacy law, and to the public expectations that go with it. An organization can view this as a risk to be anticipated and managed or as a strategic opportunity to be seized. Although there is much to be said for the latter view, both are valid, and the time to act is now.
Reach out to our Cybersecurity, Privacy and Data Protection group, or any of the contacts below, to discuss how your organization can prepare for these changes to Canadian privacy law.
Privacy Management Program Resources
- Accountable Privacy Management in BC's Public Sector (Office of the Information & Privacy Commissioner for British Columbia, June 2013)
- Getting Accountability Right with a Privacy Management Program (Office of the Information & Privacy Commissioner for British Columbia, Office of the Information & Privacy Commissioner of Alberta and Office of the Privacy Commissioner of Canada, April 2012)
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 (National Institute of Standards and Technology, January 2020)
- Privacy Risk Management: Building privacy protection into a Risk Management Framework to ensure that privacy risks are managed, by default (Information and Privacy Commissioner of Ontario, April 2010)
- Step-By-Step Guidance for Public Bodies and Custodians on How to Implement an Effective and Accountable Privacy Management Program (Newfoundland Office of the Information and Privacy Commissioner, March 2018)
- Ten Steps to Implement PIPA (Service Alberta, May 2010)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.