Digital Brain
digital brain
digital brain

Federal Privacy Commissioner Releases Key Recommendations for a New Federal Private Sector Privacy Law

May 17, 2022 Privacy and Data Protection Bulletin 4 minute read

Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released a summary of its key recommendations for a new federal private sector privacy law (the “Key Recommendations”), one that would update or replace the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”).[1]

The federal government most recently attempted to amend PIPEDA by introducing Bill C-11, the Digital Charter Implementation Act, 2020. The bill faced criticism from businesses, privacy advocates and the OPC itself, before ultimately dying on the order paper with the calling of the 2021 federal election.

Since coming into power, the new federal government has not taken any significant steps to advance a similar bill. However, the introduction of a new privacy bill is widely expected in order for Canada’s federal privacy law to maintain consistency with the modernization of privacy regimes in other jurisdictions.

The OPC’s Key Recommendations touch on the following themes:

  • Re-imagining Canada’s consent-based framework.

The OPC recognizes certain challenges arising from PIPEDA’s current consent-based framework, in which consent is the primary justification for the collection, use or disclosure of personal information. For example, under the current model, long and legalistic privacy policies and terms of use agreements may make it difficult for consumers to exert real control over the handling of their personal information or to make meaningful decisions about consent.[2] Furthermore, personal information is often transferred to many different entities in the course of its lifecycle, and organizations may struggle to summarize or concisely explain all possible transfers or uses of data at the time of collection.

In its Key Recommendations, the OPC recommends the introduction of either (i) new exceptions to PIPEDA’s current consent requirement where personal information will be processed for explicit, knowable purposes (such as for product delivery, network security, or search engines), and/or (ii) a flexible “legitimate commercial interests” exception to PIPEDA’s current consent requirement, which would be available only when organizations have met certain pre-requisites (such as the completion of a privacy impact assessment and balancing test).

At the same time, the OPC recommends that federal privacy legislation reflect a recommitment to the principles of consent and transparency, by integrating knowledge and understanding into the statutory requirements to obtain valid consent. The OPC’s proposal aims to make consent valid only when certain information is provided in an intelligible and easily accessibly format such that it is reasonable to expect that an individual would understand that information.

The OPC also recommends including specific requirements with respect to automated decision-making, including a right for individuals to obtain an explanation of the automated decisions made about them, and to contest those decisions.[3]

  • Rights-based framework.

The OPC recommends that the federal legislation include a framework that establishes a fundamental right to privacy, while recognizing the legitimate need of organizations to process personal information for appropriate purposes. A similar right to privacy has been enshrined in the Civil Code of Québec[4] and the Charter of Fundamental Rights of the European Union.[5]

The OPC also recommends providing for a right to reputation, by giving individuals the ability to seek the removal of their personal information from search results (i.e., a right to de-indexation) under certain conditions. A similar right has already been enacted in Québec and will come into force in September 2023.[6]

  • Enforcement Powers.

The OPC also once again calls for enhanced enforcement powers, including powers to (i) perform proactive audits to ensure compliance, (ii) make orders, (iii) impose fines, including administrative monetary penalties (“AMPs”), (iv) enter into compliance agreements incorporating AMPs, and (v) register such compliance agreements with the court to aid in enforcement.

Had it passed, Bill C-11 would have allowed for the levying of significant AMPs, however these were limited to only a handful of violations. Bill C-11 also would have created a separate tribunal that could have imposed AMPs. The OPC recommends that federal privacy legislation instead allow for the imposition of AMPs for all violations and that the OPC be empowered to impose AMPs itself, rather than such power being reserved for a separate tribunal.[7]

The OPC also recommends that a private right of action be instituted for consumers, independent of the OPC investigation process, so that they are not left without a remedy should the OPC choose not to investigate a privacy complaint.

The above are just some of the most prevalent themes within the OPC’s recommendations regarding the future of Canada’s federal private sector privacy legislation. It remains to be seen how many of these recommendations will be adopted, in whole or in part, by lawmakers. We will continue to monitor and provide updates about any further developments in this respect, including any bills that are tabled to amend or replace PIPEDA.

McMillan’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures to comply with PIPEDA’s current requirements.

McMillan Vantage, McMillan LLP’s public affairs arm, is also available to assist organizations that wish to engage with the federal government to advocate for changes to PIPEDA or the contents of its successor legislation.

[1] Office of the Privacy Commissioner, Key recommendations for a new federal private sector privacy law, May 4, 2022, available online [Key Recommendations].
[2] OPC Bill C-11 Submission, s.v. “exceptions to consent”.
[3] Key Recommendations, s.v. “Enable responsible innovation”.
[4] Civil Code of Québec, CQLR c CCQ-1991, s 3.
[5] Charter of Fundamental Rights of the European Union, 2012/C 326/02, article 7 and 8.
[6] Act respecting the protection of personal information in the private sector, CQLR c P-39.1, section 28.1 (as modified by Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25).
[7] OPC Bill C-11 Submission, s.v. “Access to quick and effective remedies and the role of the OPC”.

by Robbie Grant, Kristen Pennington, Mitch Koczerginski

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Insights (5 Posts)

Featured Insight

Round One of Competition Act Amendments Passed; National Security Review Regime Amended

New amendments to the Competition Act were passed today as part of the budget implementation bill.

Read More
Jun 27, 2022
Featured Insight

Privacy Reform is on the Table Once More: Canada Introduces the Digital Charter Implementation Act, 2022

New federal privacy legislation has been introduced. If passed, Bill C-27 will materially change the legal landscape for privacy and data protection in Canada.

Read More
Jun 22, 2022
Featured Insight

Plan for the Ban: Canada Announces Timeline for Single-Use Plastics Prohibition

Canada's final Single-use Plastics Prohibition Regulations have been published and come into effect on December 20, 2022

Read More
Jun 22, 2022
Featured Insight

Canada’s Greenhouse Gas Offset Credit System Creates Green Incentives for Regulated Facilities (Update)

Canada has published the Greenhouse Gas Offset Credit System Regulations establishing a system for projects preventing or removing GHGs from the atmosphere.

Read More
Jun 21, 2022
Featured Insight

The Federal Government Suspends its Mandatory Vaccination Requirements

The Government of Canada has lifted its mandatory vaccination requirements for employees in the air, marine and rail sectors.

Read More
Jun 21, 2022