Changes to Canada’s Privacy Laws Looming: Balancing Innovation and Privacy

Cristina Onosé | Director, Government Relations @ CMA

This article summarizes key recommendations from government bodies that are considering changes to Canada’s legislative and regulatory privacy framework. Our next blog will focus on the views of Canadian consumers on privacy and data governance.

Major announcements this week called for immediately developing a national data strategy and amending Canada’s private-sector privacy law. The Canadian government announced that it plans to develop a data strategy to address current consumer privacy concerns by finding the right balance between supporting innovation and protecting privacy interests. A parliamentary committee also called for amendments to privacy law, such as providing consumers with more transparency and giving the Privacy Commissioner additional enforcement powers. A bill was also introduced in the House of Commons calling for fines of up to $30 million for privacy-related violations.

Changes to Canada’s privacy law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA), have taken place as recently as June 2015. The Digital Privacy Act amended the law to include an enhanced model for valid consent, mandatory breach notification requirements, and enhanced powers for the Privacy Commissioner, among other updates. Many amendments came into force immediately, while those relating to breaches of security safeguards (data breaches) come into force on November 1, 2018.

Finding the Right Balance Between Innovation and Privacy

The government is right: we need to find the right balance between supporting innovation and protecting privacy interests while promoting trust in the data economy. Having a national conversation among governments, industry and consumers is the right approach. It is important that the Canadian economy continues to thrive – with the help of innovative and responsible business models – in a climate that protects consumer rights.

The Canadian Marketing Association, in collaboration with its Privacy and Data Advisory Committee, has been active in responding to consumer concerns about data privacy and the need for increased transparency on how their data is being collected, used and shared. We have proactively created self-regulatory measures on privacy. We have also consulted with the Office of the Privacy Commissioner on numerous privacy issues to ensure consumers’ concerns are being addressed.

Canada’s Data Strategy

On June 19, the Minister of Innovation, Science, and Economic Development Navdeep Bains announced that the federal government will be launching a series of consultations to establish a national data strategy. The key pillars of the consultations include:

  • Unleashing innovation: how can Canadian businesses remain competitive in a digital age, how can they adapt their traditional approaches, and how can they increase their ability to identify, adopt and implement digital and data-driven technologies?
  • The future of work: how could new technologies impact the way we work, the jobs of tomorrow and the employment landscape?  
  • Trust and privacy: what is the right balance between supporting innovation and protecting privacy interests while promoting trust when it comes to data?

The consultations will take the form of several roundtable discussions that will be held over the next few months in cities across Canada. Businesses, educational institutions, and private citizens are invited to participate.

CMA supports this initiative of the Canadian government and looks forward to participating in the consultations. The ETHI committee has strictly contemplated changes required to PIPEDA. It would be reasonable to assume that the national data plan will expand the conversation to go beyond private sector privacy considerations on maintaining trust in the data economy among consumers. This could include the need to amend Canada’s Privacy Act which governs the public sector – particularly if maintaining Canada’s adequacy status with the EU is a priority.

Government Response to ETHI’s Report on PIPEDA

Following a series of hearings in late 2017, the Standing Committee on Access to Information, Privacy and Ethics (“ETHI” or “Committee”) presented a report identifying key proposed changes to PIPEDA in February 2018. The report recommended that the review of PIPEDA by the Government of Canada be guided by the concept of “privacy by design,” which is the idea that privacy considerations should be taken into account at all stages of the development of a product.

The Committee put forward several recommendations with a clearly stated goal of ensuring that Canada maintains its adequacy status with the European Union (EU) in the context of the coming into force of the GDPR in May. The government response acknowledges the need for a more thorough review of the Committee’s recommendations without endorsing any specific amendments.

Key issues addressed by the government:

  1. Consent - Consent should remain part of PIPEDA. This is in agreement with both the Committee and the Privacy Commissioner, who believe that consent provides individuals with control over how their personal information is shared and thereby provides a means to protect one’s privacy.
  2. Principles-based Approach - The principles-based approach to PIPEDA has been a source of the Act’s strength and resilience, and the government is committed to maintaining it.
  3. Online Reputation - Given the potential far-reaching impacts of a right to erasure and right to de-indexing, including freedom of speech and the public record, and given that PIPEDA only applies to commercial contexts involving personal information, the government wants to assess whether PIPEDA is the most appropriate statutory instrument for addressing these issues.
  4. Commissioner Powers - To assess the optimal model for compliance and enforcement, the government wants to examine the viability of all options to strengthen the compliance and enforcement regime of PIPEDA. It intends to undertake further study of the full range of options for ensuring compliance with PIPEDA.
  5. GDPR - In recognition of the importance of interoperability of privacy regimes, the EU has adopted the concept of “essential equivalence” in the GDPR to examine the adequacy of non-member regimes, rather than one-to-one mapping. Therefore, it is not clear that PIPEDA’s requirements must reflect each of the GDPR’s rights and protections to maintain its adequacy standing. Certain concepts merit attention for enhancing privacy protection and supporting innovation.

ETHI Report on Digital Privacy

ETHI released a report on June 19, 2018 entitled Addressing Digital Vulnerabilities and Potential Threats to Canada’s Democratic Electoral Process. The report follows their hearings into the Facebook/Cambridge Analytica developments earlier this year.

This (second) ETHI report builds on their first by proposing a series of recommendations that ask the government for additional amendments to PIPEDA, further qualify the exact powers that the Commissioner should receive and call for more transparency in online advertising (both commercial and political). It appears that this may be an interim report, meaning that the Committee may resume with more hearings in the fall and subsequently publish a ‘final’ report.

Key recommendations include:

  1. GDPR - Immediately begin implementing measures in order to ensure that data protections similar to the General Data Protection Regulation are put in place for Canadians, including the recommendations contained in the report tabled in February 2018.
  2. Data Ownership - Establish rules and guidelines regarding data ownership and data sovereignty with the objective of putting a stop to the non-consented collection and use of citizens’ personal information. These rules and guidelines should address the challenges presented by cloud computing.
  3. Political Parties - Take measures to ensure that privacy legislation applies to political activities in Canada either by amending existing legislation or by enacting new legislation.
  4. Transparency - Enact transparency requirements regarding how organizations and political actors, particularly through social media and other online platforms, collect and use data to target political and other advertising based on techniques such as psychographic profiling. Such requirements could include, but are not limited to:
    • The identification of who paid for the ad, including verifying the authenticity of the person running the ad;
    • The identification of the target audience, and why the target audience received the ad; and
    • Mandatory registration regarding political advertising outside of Canada.
  5. Enforcement - The Committee further qualifies the recommendations outlined in their first report with the following:
    • Give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.
    • Give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate.
    • Give the Privacy Commissioner additional enforcement powers, including the power to issue urgent notices to organizations to produce relevant documents within a shortened time period, and the power to seize documents in the course of an investigation, without notice.
    • Allow the Privacy Commissioner to share certain relevant information in the context of investigations with the Competition Bureau, other Canadian regulators and regulators at the international level, where appropriate.

Also this week, ETHI committee vice-chair Nathaniel Erskine-Smith introduced Bill C-413. The bill is solely focused on giving the Privacy Commissioner of Canada more powers, including the ability to issue fines of up to $30 million to organizations found to be 'knowingly or recklessly' violating PIPEDA. The bill will be addressed when the House returns in the fall.


Tags: Compliance, Privacy