Privacy & Data Management Blog

The new Mandate Letter issued to the Minister of Innovation, Science and Industry (“Letter”) includes a number of initiatives and stated priorities for the Government of Canada. These signal changes that we can anticipate to Canada’s privacy laws and how they will be enforced. Overall, individual rights will be strengthened and organizations will have more significant compliance obligations.

The Government has announced its desire to continue to advance the promise of a new Digital Charter, which was in process with the previous government. The Letter indicates some noted changes we can expect under the Digital Charter:

• Enhanced powers for the federal Privacy Commissioner. While the Letter is not specific, we can expect a shift from the current “ombudsperson” model to a more traditional regulatory model.
• “New” online rights for individuals including:
  • Data portability. This is the right of (and the obligation of an organization to assist) an individual to be able to transport personal data from one service provider to another.
  • The ability to withdraw, remove and erase basic personal data from a platform. This would probably require organizations to provide the means for individuals to delete their profile information, such as on social media platforms, or to de-index in search engines.
  • The right to know how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data. The right to know already exists in Canadian privacy laws, however, it is not well enforced. The mention of an advertising registry suggests that organizations may be permitted to use extensive personal information for advertising, including behavioural or other profiling, but with registration requirements. Reporting to an advertising registry may create a significant burden for Canadian organizations.
  • The ability to review and challenge the amount of personal data that a company or government has collected. This indicates an expansion of the existing right to complain about an organization’s practices to a right to initiate some form of proceedings. The adjudication of those complaints may be part of the expanded powers of the federal Privacy Commissioner.
  • Proactive data security Canadian privacy laws already require organizations to adopt security safeguards appropriate to the sensitivity of the data being protected. This suggests that there may be more guidance provided with respect to data security, and increased scrutiny on the methods of protection chosen by organizations, particularly in the event of a breach.
  • The ability to be informed when personal data is breached, with appropriate compensation. The federal private sector privacy legislation, PIPEDA, already includes mandatory breach provisions, however, a right to compensation does not exist in Canadian privacy law. Considering the commonality of security breaches, the balance of “appropriate compensation” could change the landscape of privacy law in Canada.

A number of the rights noted above exist in Europe’s General Data Protection Regulation (GDPR), and arguably exist to some degree in existing privacy laws in Canada. However, new or enhanced rights indicated in the Letter are not a wholesale adoption of rights established in other jurisdictions.

The Letter demonstrates that the Government has considered particular areas in which it wishes to focus, and its policy approach: namely, organizations will bear the responsibility to enable these rights. This is further indicated by the promise of new regulations for large digital companies regarding data protection and engendering competition in the digital marketplace, with oversight by a new Data Commissioner.