Federal Privacy Commissioner Releases Key Recommendations for a New Federal Private Sector Privacy Law

Federal Privacy Commissioner Releases Key Recommendations for a New Federal Private Sector Privacy Law

Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released a summary of its key recommendations for a new federal private sector privacy law (the “Key Recommendations”), one that would update or replace the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”).[1]

The federal government most recently attempted to amend PIPEDA by introducing Bill C-11, the Digital Charter Implementation Act, 2020. The bill faced criticism from businesses, privacy advocates and the OPC itself, before ultimately dying on the order paper with the calling of the 2021 federal election.

Since coming into power, the new federal government has not taken any significant steps to advance a similar bill. However, the introduction of a new privacy bill is widely expected in order for Canada’s federal privacy law to maintain consistency with the modernization of privacy regimes in other jurisdictions.

The OPC’s Key Recommendations touch on the following themes:

• Re-imagining Canada’s consent-based framework.

The OPC recognizes certain challenges arising from PIPEDA’s current consent-based framework, in which consent is the primary justification for the collection, use or disclosure of personal information. For example, under the current model, long and legalistic privacy policies and terms of use agreements may make it difficult for consumers to exert real control over the handling of their personal information or to make meaningful decisions about consent.[2] Furthermore, personal information is often transferred to many different entities in the course of its lifecycle, and organizations may struggle to summarize or concisely explain all possible transfers or uses of data at the time of collection.

In its Key Recommendations, the OPC recommends the introduction of either (i) new exceptions to PIPEDA’s current consent requirement where personal information will be processed for explicit, knowable purposes (such as for product delivery, network security, or search engines), and/or (ii) a flexible “legitimate commercial interests” exception to PIPEDA’s current consent requirement, which would be available only when organizations have met certain pre-requisites (such as the completion of a privacy impact assessment and balancing test).

At the same time, the OPC recommends that federal privacy legislation reflect a recommitment to the principles of consent and transparency, by integrating knowledge and understanding into the statutory requirements to obtain valid consent. The OPC’s proposal aims to make consent valid only when certain information is provided in an intelligible and easily accessibly format such that it is reasonable to expect that an individual would understand that information.

The OPC also recommends including specific requirements with respect to automated decision-making, including a right for individuals to obtain an explanation of the automated decisions made about them, and to contest those decisions.[3]

• Rights-based framework.

The OPC recommends that the federal legislation include a framework that establishes a fundamental right to privacy, while recognizing the legitimate need of organizations to process personal information for appropriate purposes. A similar right to privacy has been enshrined in the Civil Code of Québec[4] and the Charter of Fundamental Rights of the European Union.[5]

The OPC also recommends providing for a right to reputation, by giving individuals the ability to seek the removal of their personal information from search results (i.e., a right to de-indexation) under certain conditions. A similar right has already been enacted in Québec and will come into force in September 2023.[6]

• Enforcement Powers.

The OPC also once again calls for enhanced enforcement powers, including powers to (i) perform proactive audits to ensure compliance, (ii) make orders, (iii) impose fines, including administrative monetary penalties (“AMPs”), (iv) enter into compliance agreements incorporating AMPs, and (v) register such compliance agreements with the court to aid in enforcement.

Had it passed, Bill C-11 would have allowed for the levying of significant AMPs, however these were limited to only a handful of violations. Bill C-11 also would have created a separate tribunal that could have imposed AMPs. The OPC recommends that federal privacy legislation instead allow for the imposition of AMPs for all violations and that the OPC be empowered to impose AMPs itself, rather than such power being reserved for a separate tribunal.[7]

The OPC also recommends that a private right of action be instituted for consumers, independent of the OPC investigation process, so that they are not left without a remedy should the OPC choose not to investigate a privacy complaint.

The above are just some of the most prevalent themes within the OPC’s recommendations regarding the future of Canada’s federal private sector privacy legislation. It remains to be seen how many of these recommendations will be adopted, in whole or in part, by lawmakers. We will continue to monitor and provide updates about any further developments in this respect, including any bills that are tabled to amend or replace PIPEDA.

McMillan’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures to comply with PIPEDA’s current requirements.

McMillan Vantage, McMillan LLP’s public affairs arm, is also available to assist organizations that wish to engage with the federal government to advocate for changes to PIPEDA or the contents of its successor legislation.

[1] Office of the Privacy Commissioner, Key recommendations for a new federal private sector privacy law, May 4, 2022, available online [Key Recommendations].
[2] OPC Bill C-11 Submission, s.v. “exceptions to consent”.
[3] Key Recommendations, s.v. “Enable responsible innovation”.
[4] Civil Code of Québec, CQLR c CCQ-1991, s 3.
[5] Charter of Fundamental Rights of the European Union, 2012/C 326/02, article 7 and 8.
[6] Act respecting the protection of personal information in the private sector, CQLR c P-39.1, section 28.1 (as modified by Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25).
[7] OPC Bill C-11 Submission, s.v. “Access to quick and effective remedies and the role of the OPC”.

by Robbie Grant, Kristen Pennington, Mitch Koczerginski

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022