
Canada Pushes Ahead with Plans to Overhaul Privacy Laws

Canada is in the process of updating its data protection and privacy laws in what is likely to be the biggest change to those laws in almost 20 years.

The proposed changes would significantly broaden the scope of privacy law and give far greater enforcement powers and resources to the regulator, the Privacy Commissioner of Canada (OPC). They would also bring Canada’s data protection and privacy regulations more in line with those of major trading partners, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Digital Economy

As they stand, Canada’s existing data protection and privacy laws are no longer fit for purpose. Our regulator currently lacks resources and enforcement teeth, while the underlying regulations are outdated: the Personal Information Protection and Electronic Documents Act (PIPEDA) was implemented in 2000, while the Privacy Act came into force in 1983. In 2018, PIPEDA was amended to introduce a data breach notification and reporting regime, but these changes did not expand data privacy rights.

However, the Canadian government recognizes the need for data protection regulation to keep pace with rapid changes in technology and consumer behaviour, as well as regulatory developments in the US and Europe. Digitalization and data are driving growth and innovation, with advancements in areas like artificial intelligence and quantum computing expected to bring significant economic and social benefits in years to come. Keen to develop a competitive modern digital economy, Canada is acutely aware of the need to protect the data and privacy of consumers along the way, while ensuring responsible corporate behaviour.

Modern Charter

A major overhaul of PIPEDA and the Privacy Act is therefore now on the cards. The Canadian government started the ball rolling in May 2019 when Innovation, Science and Economic Development Canada launched its landmark Digital Charter [1] and accompanying discussion paper, Strengthening Privacy for the Digital Age [2], which included proposals to modernize PIPEDA. Three months later, the Department for Justice announced it is to review the Privacy Act and opened a consultation [3].

Among other issues, the Charter specifically addresses data privacy, including the rights of individuals to control and consent to how their data is used, as well as portability and transparency. The Charter also calls for “strong enforcement” and “real accountability” through “meaningful penalties” for violations of privacy laws and regulations. In December 2019, the newly re-elected Liberal government led by Justin Trudeau committed to advancing the Digital Charter, enhancing the powers of the regulator and establishing a new set of privacy rights.

Enhanced Privacy

The proposals set out in the Digital Charter and discussion paper would see a shift to rights-based and principles-based privacy legislation. The changes outlined by the government would introduce substantially enhanced privacy rights for individuals, including:

  • Knowledge of how data is being used
  • Right to have data erased or amended
  • Ability to transfer or share data
  • Ability to challenge decisions made by algorithms

Higher Stakes

The proposals would also substantially raise the stakes for breaches of data protection and privacy laws, with higher penalties, greater regulatory enforcement, and potentially civil litigation. Currently, the OPC is only mandated to conduct investigations and make recommendations, and is unable to bring prosecutions.

In its December 2019 annual report [4], the OPC called for reform to Canada's federal privacy laws, as well as increased authority and resources to regulate privacy matters. The regulator has already ramped up enforcement on data privacy under existing laws: in February 2020, the OPC launched a legal action against a large US technology company for alleged privacy law infringements, while later in the same month the regulator launched an investigation into facial recognition technology.

Under the modernization proposals, the OPC would expand its oversight of data privacy and gain greater powers of investigation that would enable it to order actions and statutory damages. Under current statutes, the OPC can levy maximum fines of C$100,000 per offence, but the government has indicated its desire to increase penalties for breaches of data protection and privacy. Detailed proposals have yet to be published. However, it is likely that more stringent and better-resourced enforcement will be matched by higher fines and penalties.

Class Actions 

The proposals are also likely to have implications for civil litigation. A class action mechanism is already available in Canada and a number of collective actions have been launched for cyber security and privacy incidents, although many have been rejected by the courts. 

At present, there is no clear pathway for plaintiffs to recover damages for breaches of privacy or loss of data. However, the proposed changes to PIPEDA and the Privacy Act are likely to further empower courts to address contraventions of data protection and privacy law. The proposals could also make it simpler for individuals to seek damages in court, while courts would have greater discretion to award damages. 

Response

The modernization of Canada’s data protection and privacy laws is still a work in progress, and the process of drafting legislation and implementation will likely be measured in years, not months. The current minority government will also require cooperation between political parties to pass legislation.

Notwithstanding the absence of final legislation, there are actions organizations can take at present. The experience of the GDPR offers some insights, and an examination of how to achieve compliance with it would be a good start for mid-size to large corporations. For small to medium enterprises, the Canadian Centre for Cyber Security has released a guide, entitled Baseline Cyber Security Controls for Small and Medium Organizations, which offers a framework to help improve resiliency.

Robust security measures, risk governance, management and reporting, as well as incident response plans, will help put an organization in good stead when it comes to addressing a cyber event, as well as responding to regulatory actions and defending litigation. Given the changes to data protection and privacy laws around the globe, it is prudent for organizations to continually seek to understand, measure, and manage the changing regulatory and liability landscape. 

[1] https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html 

[2] https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html 

[3] https://www.justice.gc.ca/eng/csj-sjc/pa-lprp/modern.html 

[4] https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_191210/ 


Greg Eskins

FINPRO Practice Leader
