It looks like Canada’s privacy laws might be getting a face-lift.
In announcing the principles behind the development of a new “Digital Charter”, the federal government has committed to reforming Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Further consultation and the development of legislative language is yet to come, however, the government has indicated a reformation will include the following:
- Re-writing the text of PIPEDA
- Greater control for individuals regarding how personal information is collected and used
- Stronger enforcement powers for the federal Privacy Commissioner
- Rules requiring plain language information about the handling of personal information including when automated decision making is used
- Establishing how and when de-identified information can be used
- Modernizing Canada's anti-spam legislation (CASL) and reviewing enhanced e-protection measures.
Short term impact on OPC consultation regarding disclosures for cross-border processing
In light of the announcement, the federal Privacy Commissioner has suspended his office’s consultation regarding cross-border disclosures for the purposes of processing personal information. The expectation is that the Digital Charter reformation will address cross-border data transfer issues. Therefore, the Privacy Commissioner has said that he expects to re-cast the consultation to deal with both the existing law and proposed Digital Charter.
In the meantime, the OPC does not expect to impose any change in its long-standing approach to treat the provision of personal information to a subcontractor for processing as a use, rather than a disclosure, which requires separate consent. The Privacy Commissioner noted, however, that he could not make any commitments regarding its interpretation and application of the law in the event complaints are received in the meantime.
What is in the future?
We anticipate the government’s consultations and review will impact the way Canada’s laws define and protect privacy rights, including issues of consent, enforcement, online reputation, transparency, and data mobility. Artificial intelligence and automated decision making will also probably be addressed.
PIPEDA has not been updated in any meaningful way since the early 2000s and amendments are needed to ensure that it reflects current data and privacy issues.
Undoubtedly, there will be ramifications for provincial privacy laws, such as the B.C. Personal Information Protection Act, and even health information legislation, which currently are typically founded on the principles underlying the current PIPEDA.
Finally, “in-Canada-only” data localization requirements may be dead. Both the Digital Charter announcement and the draft USMCA (formerly NAFTA) seek to prevent governments from requiring data localization, like we see in BC’s Freedom of Information and Protection of Privacy Act.
Currently, the Digital Charter is only a policy document, and not law. It sets out the principles that the federal government intends to use as a guide in policy making, including the reforming of existing privacy laws. However, as there are only a few weeks remaining in the current parliamentary session before the summer break, and an election scheduled for the fall, it is unlikely that we will see any new legislation proposed earlier than late 2019.
Ryan Berger is a partner in the Privacy Group and Labour, Employment and Human Rights Group in Vancouver. He has practiced commercial and employment litigation for 19 years, with a growing emphasis on data, privacy and business ...
Cory Sully is an associate in our Labour, Employment and Human Rights Group and Privacy and Data Management Group in Vancouver. She advises and represents clients in all areas of workplace law. Cory provides practical and strategic ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.