Bulletin

The Times They Are A Changin’ Canadian Privacy Law in the Private Sector

Auteurs : Gillian R. Stacey, Elliot A. Greenstone et Pascale Nguyen

Traduction en cours.

When privacy laws for the private sector were in their infancy in Canada, more than 20 years ago, there was no Internet of Things, Facebook was FaceMash and limited to the Harvard campus, and Google was a toddler. In 2020 there are on average 4 billion Google searches a day, Facebook has more than 2 billion active users, and, according to Industry Canada, by 2025 there will be 85 billion devices connected in the Internet of Things. Technology and the Internet now permeate how Canadians work, shop and play. In the course of those activities, Canadians generate a tsunami of data. By some measures, more than 90% of all existing data was created in the last two years, and an economy based on the buying and selling of that data now powers the Internet. The corollary of massive collection of data is massive data breaches, often through hacking but often resulting from poor data security practices. Individuals are now more aware of their privacy and acutely aware of the loss of it.

In 2019 the federal government published its Digital Charter, seeking to find a balance between technology as a driver of economic growth in Canada and the protection of individuals. The Digital Charter presages some important changes to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), following in the footsteps of the European Union General Data Protection Regulation (GDPR), which came into force in 2018. The Digital Charter is intended as a framework for other Canadian jurisdictions, so that Canadians and businesses do not become subject to overlapping, inconsistent or even conflicting privacy laws in Canada. How far the provinces will stray from the federal framework remains to be seen, but Ontario and Québec already appear to be setting a higher bar for privacy in their respective provinces.

In Québec, the Act respecting the protection of personal information in the private sector was adopted more than 25 years ago and was due for an overhaul to meet modern circumstances. As a result, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (Bill 64), was introduced in the Québec National Assembly on June 12, 2020, in order to better respond to the challenges of transparency and protection of personal information.

Ontario, unlike the provinces of Québec, Alberta and British Columbia, has no private sector privacy statute of general application. Except for those in the health sector, private sector organizations in Ontario are subject to PIPEDA, whose scope is limited to personal information collected in the course of commercial activities. The Ontario government launched a public consultation process on August 13, 2020, for its private sector privacy reform and published a discussion paper to guide the consultation. The Ontario discussion paper outlines a series of privacy issues that the government is exploring for an Ontario private sector privacy law.

Bill 64 and the Ontario discussion paper propose changes to (or implementation of new) the legislation that follow both the effects and influence of the GDPR and are not in principle inconsistent with the framework proposed in the Digital Charter.

Both Bill 64 and the Ontario discussion paper propose, among other things, to

  • enhance transparency obligations by requiring organizations to provide more information to individuals about how their personal information is being used;
  • increase express consent requirements;
  • allow for individuals to access their data in a standard and portable digital format;
  • allow for individuals to request that organizations permanently delete their personal information when it is no longer required to deliver a service;
  • augment oversight, compliance and enforcement powers by allowing and increasing the powers of both Québec’s and Ontario’s enforcement agencies to issue orders and fines for non-compliance with the law; and
  • enable certain types of data-sharing, while protecting privacy.

Ontario and Québec also go further than the Digital Charter framework. Both Bill 64 and Ontario’s discussion paper contemplate expanding the scope of legislation to include trade unions, charities and political parties – entities not usually within the scope of PIPEDA except with respect to their commercial activities. Under Bill 64, there will be significant limitation on cross-border data transfers, similar to the GDPR’s adequacy regime. Before disclosing personal information outside Québec, an organization must conduct an assessment of the purpose for which it will be used, the safeguards that would apply to the information and the applicable legal regime in the jurisdiction where the information would be disclosed, including its degree of equivalence to the privacy principles applicable in Québec. The information may be disclosed only if the assessment shows that the information would benefit from equivalent protection in Québec. In addition, the disclosure must be the subject of a written agreement containing terms and conditions to mitigate the risks identified during the assessment. While the provision may appear simple on the surface, it poses certain practical and potentially costly issues, notably by requiring businesses to act as privacy regulators and to retain the services of foreign legal experts to assess the equivalence of foreign privacy laws.

Ontario suggests the possibility of enshrining, as part of privacy law, the right to be free from automated decision-making – decision-making by artificial intelligence algorithms without human intervention – in certain circumstances. If these provincial variations of the federal framework as outlined in the Digital Charter come into law, compliance will be a more difficult task for businesses.

Looking to the Future

The public consultation process in Ontario will remain open until October 1, 2020, during which time the Ontario government hopes to receive comments from affected businesses and the general public through written submissions and an online survey; however, it may be years before an Ontario private sector privacy statute enters into force.

On the other hand, Bill 64 has been referred to the consultation stage, which provides stakeholders with an opportunity to make representations regarding the bill. If passed, according to the transitional and final provisions of Bill 64, the amendments to the Act respecting the protection of personal information in the private sector will not come into force until one year after the date that Bill 64 receives royal assent, with certain exceptions. Accordingly, most of the provisions of Bill 64 are not expected to come into force before 2022.

Times have changed, and governments are moving to change privacy legislation to catch up with those changes. In light of the developments and shifting landscape of Canadian privacy law, organizations should examine their current privacy practices and start “future proofing” their practices and technology now.

Personnes-ressources

Connexe

Executive Decisions: Compensation Trends In and Outside of Times of Crisis

5 oct. 2020 - Traduction en cours. The reasonableness of executive compensation arrangements has long been a contentious issue. The COVID-19 pandemic has accelerated pre-existing trends and introduced new challenges, including increased concerns about the widening pay gap between executives and...

Navigating Financial Distress: Key Considerations for Directors

5 oct. 2020 - Traduction en cours. The emergence of COVID-19 fundamentally reshaped our economy and the way we do business in a matter of weeks. These changes are likely to continue as the pandemic runs its course. The stresses and uncertainty brought on by the pandemic have led to unprecedented...