Proposed Digital Charter Could Bring Sweeping Changes to Canadian Privacy Laws
Proposed Digital Charter Could Bring Sweeping Changes to Canadian Privacy Laws
On May 21, 2019, the Canadian federal government released a proposed Digital Charter (the “Charter”), as well as an initial set of actions and recommendations intended to implement the Charter’s ten principles.
The Charter, which does not yet have the power of law, is a product of ongoing national consultation and committee hearings regarding a proposed overhaul of Canadian privacy and data protection laws.
The Charter is intended to respond to the continued impact of the digital revolution on Canadians’ lives and the economy. A strong theme throughout the Charter and the government’s accompanying announcement is the balancing of technological innovation and economic advancement with Canadians’ trust and confidence regarding the collection, use and disclosure of their personal information in this digital age.
The Charter’s Ten Principles
The proposed Charter would implement the following ten principles, against which government policies, legislation and initiatives would be measured:
- Universal Access – the equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills;
- Safety and Security – the ability to rely on the integrity, authenticity and security of the services Canadians use, and the right to feel safe online;
- Control and Consent – the control over what personal data one shares, who uses that personal data, and for what purposes;
- Transparency, Portability and Interoperability – clear and manageable access to one’s personal data and the freedom to share or transfer that data without undue burden;
- Open and Modern Digital Government – the ability to access modern digital services from the government that are secure and simple to use;
- A Level Playing Field – ensuring fair competition in the online marketplace to facilitate economic growth and development while protecting Canadian consumers from market abuses;
- Data and Digital for Good – ensuring the ethical use of data to create value, promote openness and improve the lives of people in Canada and worldwide;
- Strong Democracy – defending freedom of expression and protecting against online threats and disinformation designed to undermine the integrity of elections and democratic institutions;
- Free from Hate and Violent Extremism – the right to expect digital platforms that will not foster or disseminate hate, violent extremism or criminal content; and
- Strong Enforcement and Real Accountability – clear and meaningful penalties for violations of the laws and regulations that support the Charter’s principles.
A number of the Charter’s principles are in direct response to hot topics such as the promulgation of “fake news” and growing concerns about the role of social media in the dissemination of hate speech, online extremism and electoral interference. When announcing the proposed Charter earlier this month, Prime Minister Justin Trudeau indicated that the government intends to take action to encourage social media companies to crack down on the spread of disinformation, promising “meaningful financial consequences” for those platforms that do not address these concerns.
Proposed Amendments to PIPEDA
The federal government has also published a lengthy discussion paper outlining proposed amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) which are intended to reflect the Charter’s ten principles.
The discussion paper suggests that amendments to PIPEDA are needed, in part, to better align Canadian privacy legislation with international privacy law frameworks (including those in the European Union and United States) in order to achieve an integrated digital economy both domestically and abroad.
Some of the proposed amendments to PIPEDA include:
- requiring organizations to provide specific, standardized and plain-language information to individuals about the intended use of their information and the third parties with whom that information will be shared;
- prohibiting the “bundling” of consent into a contract;
- providing for alternatives or exceptions to consent in order to facilitate the use of personal information by businesses under certain circumstances;
- adding a definition of de-identified information, along with an exception to consent for its use and disclosure for certain prescribed purposes or when managed by a data trust;
- imposing specific penalties for re-identification of de-identified information, including when it occurs as the result of negligence or recklessness;
- requiring that individuals be informed about the use of automated decision-making, the factors involved in the decision and, where the decision is impactful, information about the logic upon which the decision is based (excluding confidential commercial information);
- explicitly requiring organizations to demonstrate their accountability, including in the context of cross-border data flows;
- providing an explicit right for individuals to direct that their personal information be moved from one organization to another in a standardized digital format (otherwise known as “data mobility”) in order to enhance consumer choice;
- providing individuals the right to request the deletion of information about them, subject to as-yet-unspecified caveats; and
- requiring organizations to communicate changes to or deletion of personal information to any other organization to whom it has been disclosed.
In a move that many have complained is long overdue, the government has also proposed that the powers of the Privacy Commissioner of Canada (the “Commissioner”) be enhanced to incentivize organizations’ compliance with PIPEDA.
PIPEDA is currently primarily enforced through an “ombudsman” model that relies heavily on non-binding recommendations of the Commissioner. Some have argued that this current approach provides little incentive for organizations to implement any recommendations.
In response, the federal government has suggested a variety of additional powers for the Commissioner, including the ability to issue an order to halt the collection, use or disclosure of personal information by a non-compliant organization, extending PIPEDA’s existing fine regime, and substantially increasing the range of potential fines.
Other Supporting Initiatives
In addition to the proposed amendments to PIPEDA, the government has or intends to take a variety of other steps aimed at implementing the principles of the Charter, including:
- writing to the Competition Bureau to ensure that it has the necessary tools to promote competition and digital innovation, particularly for small businesses;
- creating a Canadian Statistics Advisory Council to undertake a review of the Statistics Act and provide advice on the relevance, quality and transparency of the national statistical system; and
- supporting the Standards Council of Canada in launching the Canadian Data Governance Standardization Collaborative, an effort to coordinate development and compatibility of data governance standards in Canada.
The federal government has also indicated that an examination of potential reforms to the Privacy Act – which governs the personal information practices of federal institutions – is continuing to be led by Justice Canada in conjunction with the Treasury Board Secretariat.
The federal government has called for submissions and input to inform ongoing discussions around its proposed amendments to PIPEDA. Numerous questions and points for consideration raised in the discussion paper suggest that there is still much consultation to take place before any bill to amend privacy legislation is tabled. Accordingly, it seems unlikely that the Charter and accompanying legislative reforms will become law prior to the federal election this fall.
Though not yet in force, the Charter and suggested amendments to PIPEDA suggest that a more onerous privacy compliance regime is on its way. Organizations are advised to take early steps to assess their handling of personal information and the maturity of their privacy and data security compliance program.
The federal government has indicated that further information regarding the Charter and proposed amendments to PIPEDA will be forthcoming.
by Lyndsay Wasser and Kristen Pennington
 Canada’s Digital Charter.
 Minister Bains announces Canada’s Digital Charter, Government of Canada News Release, May 21, 2019.
 Trudeau warns of ‘meaningful financial consequences’ for social media giants that don’t combat hate speech, The Canadian Press, May 16, 2019.
 Strengthening Privacy for the Digital Age, Government of Canada, Ministry of Innovation, Science and Economic Development Canada, May 21, 2019.
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2019
Related Publications (5 Posts)
Companies consider registering copyright as a potential dispute arises, but recent case law shows this may not be the best course of action to enforce IP rights
Legal news bulletin discussing recent changes to ICMA Green Bond Principles.
Amendments to the Ontario Business Corporations Act remove Canadian resident director requirement and ease rules for written shareholder resolutions.
Will BC’s UNDRIP action plan create compliance challenges under the US Foreign Corrupt Practices Act, the UK Bribery Act or the Criminal Code of Canada?
Will BC’s UNDRIP action plan create compliance challenges under the US Foreign Corrupt Practices Act, the UK Bribery Act Criminal Code of Canada?
The Court in Freshly Squeezed applied the Raibex test to determine what deficiencies in disclosure entitle a
franchisee to the two-year rescission remedy.
Get updates delivered right to your inbox. You can unsubscribe at any time.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.