New Year, New Laws? Canada Sets its Privacy Law Resolutions 

publication 

January 2020

Privacy Law Bulletin

A number of recent developments suggest that momentum for significant reform to Canadian privacy and data protection laws is building.

In late December 2019, Prime Minister Justin Trudeau sent mandate letters to the Minister of Innovation, Science and Industry, the Minister of Justice and the Minister of Canadian Heritage (the “Ministers”) urging them to work together to implement changes to privacy laws in order to enhance the protection of Canadians’ personal information.[1]

The mandate letters echo some of the Privacy Commissioner of Canada’s recent pleas for major reform to and modernization of Canadian privacy laws.[2]

Mandate letters offer clues about changes to come

The Prime Minister has expressly tasked the Ministers with advancing various tenets of the Digital Charter.  Released by the federal government in May 2019, the Digital Charter is a set of ten principles designed to respond to the continued impact of the digital revolution on Canadians’ lives and the economy.

Though the Digital Charter does not itself have the power of law, Minister of Innovation, Science and Industry Navdeep Bains (“Minister Bains”) has indicated that its ten principles will be reflected in forthcoming legislation, policies and programs.[3]

Mandates assigned to the Ministers include:

  • Working together to enhance the enforcement powers of the Office of the Privacy Commissioner (the “OPC”);

  • Establishing a new set of online rights, including the ability to withdraw, remove and erase basic personal data from a platform and to review and challenge the amount of personal data that a company or government has collected;

  • Creating a national advertising registry and enabling Canadians to withdraw consent for the sharing or sale of personal data;

  • Enacting unspecified proactive data security requirements; and

  • Creating new regulations for large digital companies to enhance the protection of Canadians’ personal information and foster competition in the digital marketplace, which will be overseen by a newly-established Data Commissioner.

Significantly, Prime Minister Trudeau tasked the Ministers with establishing Canadians’ right to “appropriate compensation” when their personal data is breached.  Though the details of this compensation scheme have not yet been outlined, Minister Bains has made it clear that compensation will be “significant and meaningful” and, in the spirit of deterrence, will include “punitive fines” for companies.[4]

Privacy Commissioner warns “the world is passing us by”

In his impassioned year-end report to Parliament and accompanying statement, Privacy Commissioner of Canada Daniel Therrien (“Commissioner Therrien”) lamented that “[w]hile Canada used to be a leader in privacy protection, unfortunately the world is now passing us by”.[5]

Noting that some 30 million Canadians have suffered a data breach in the past year, Commissioner Therrien advocated for significant reforms to privacy legislation that centre on privacy as a fundamental human right and not a set of “process rules” governing consent, access and transparency.

Commissioner Therrien also called for the redrafting of privacy legislation to replace “suggested best practices” with enforceable rights and obligations.

In Commissioner Therrien’s view, significant increases to enforcement mechanisms are required, including proactive inspection rights for his office, as well as the ability to make binding orders and issue financial penalties to organizations found to have violated privacy laws.  Citing delayed access to justice, Commissioner Therrien has been critical of the federal government’s suggested privacy reform that would still require the involvement of the Attorney General before levying fines.

Despite its differing opinion regarding the scope of the OPC’s enhanced powers, Commissioner Therrien’s office has indicated that it “looks forward to consulting on any plans [the federal] government may have for modernizing federal privacy law”.[6]

If not now, when?

No timeline has been set for the implementation of forthcoming changes to Canadian privacy and data protection laws, however Minister Bains has suggested that fulfilling the federal government’s mandate is a top priority.

In the coming months, organizations may have the opportunity to participate in public consultations about prospective changes to Canada’s privacy laws.  Businesses interested in availing themselves of such opportunities are invited to reach out to McMillan Vantage, a full-service, national public affairs firm affiliated with McMillan LLP, for advice about how to have their voices heard.

Though details regarding a number of the potential changes are still somewhat scarce, a clear theme is emerging: changes to Canadian privacy and data protection laws are coming, and the penalties for non-compliance won’t be light.  It is therefore critical for organizations doing business in Canada to stay up to date with ongoing developments and start planning for the coming changes.

by Kristen Pennington and Chiedza Museredza