The new Mandate Letter issued to the Minister of Innovation, Science and Industry (“Letter”) includes a number of initiatives and stated priorities for the Government of Canada. These signal changes that we can anticipate to Canada’s privacy laws and how they will be enforced. Overall, individual rights will be strengthened and organizations will have more significant compliance obligations.
The Government has announced its desire to continue to advance the promise of a new Digital Charter, which was in process with the previous government. The Letter indicates some noted changes we can expect under the Digital Charter:
- Enhanced powers for the federal Privacy Commissioner. While the Letter is not specific, we can expect a shift from the current “ombudsperson” model to a more traditional regulatory model.
- “New” online rights for individuals including:
- Data portability. This is the right of (and the obligation of an organization to assist) an individual to be able to transport personal data from one service provider to another.
- The ability to withdraw, remove and erase basic personal data from a platform. This would probably require organizations to provide the means for individuals to delete their profile information, such as on social media platforms, or to de-index in search engines.
- The right to know how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data. The right to know already exists in Canadian privacy laws, however, it is not well enforced. The mention of an advertising registry suggests that organizations may be permitted to use extensive personal information for advertising, including behavioural or other profiling, but with registration requirements. Reporting to an advertising registry may create a significant burden for Canadian organizations.
- The ability to review and challenge the amount of personal data that a company or government has collected. This indicates an expansion of the existing right to complain about an organization’s practices to a right to initiate some form of proceedings. The adjudication of those complaints may be part of the expanded powers of the federal Privacy Commissioner.
- Proactive data security Canadian privacy laws already require organizations to adopt security safeguards appropriate to the sensitivity of the data being protected. This suggests that there may be more guidance provided with respect to data security, and increased scrutiny on the methods of protection chosen by organizations, particularly in the event of a breach.
- The ability to be informed when personal data is breached, with appropriate compensation. The federal private sector privacy legislation, PIPEDA, already includes mandatory breach provisions, however, a right to compensation does not exist in Canadian privacy law. Considering the commonality of security breaches, the balance of “appropriate compensation” could change the landscape of privacy law in Canada.
A number of the rights noted above exist in Europe’s General Data Protection Regulation (GDPR), and arguably exist to some degree in existing privacy laws in Canada. However, new or enhanced rights indicated in the Letter are not a wholesale adoption of rights established in other jurisdictions.
The Letter demonstrates that the Government has considered particular areas in which it wishes to focus, and its policy approach: namely, organizations will bear the responsibility to enable these rights. This is further indicated by the promise of new regulations for large digital companies regarding data protection and engendering competition in the digital marketplace, with oversight by a new Data Commissioner.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Cory Sully is an associate in our Labour, Employment and Human Rights Group and Privacy and Data Management Group in Vancouver. She advises and represents clients in all areas of workplace law. Cory provides practical and strategic ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.