Insights Header image
Insights Header image
Insights Header image

New Year, New Laws? Canada Sets its Privacy Law Resolutions

January 2020 Privacy Law Bulletin 3 minute read

A number of recent developments suggest that momentum for significant reform to Canadian privacy and data protection laws is building.

In late December 2019, Prime Minister Justin Trudeau sent mandate letters to the Minister of Innovation, Science and Industry, the Minister of Justice and the Minister of Canadian Heritage (the “Ministers”) urging them to work together to implement changes to privacy laws in order to enhance the protection of Canadians’ personal information.[1]

The mandate letters echo some of the Privacy Commissioner of Canada’s recent pleas for major reform to and modernization of Canadian privacy laws.[2]

Mandate letters offer clues about changes to come

The Prime Minister has expressly tasked the Ministers with advancing various tenets of the Digital Charter.  Released by the federal government in May 2019, the Digital Charter is a set of ten principles designed to respond to the continued impact of the digital revolution on Canadians’ lives and the economy.

Though the Digital Charter does not itself have the power of law, Minister of Innovation, Science and Industry Navdeep Bains (“Minister Bains”) has indicated that its ten principles will be reflected in forthcoming legislation, policies and programs.[3]

Mandates assigned to the Ministers include:

  • Working together to enhance the enforcement powers of the Office of the Privacy Commissioner (the “OPC”);
  • Establishing a new set of online rights, including the ability to withdraw, remove and erase basic personal data from a platform and to review and challenge the amount of personal data that a company or government has collected;
  • Creating a national advertising registry and enabling Canadians to withdraw consent for the sharing or sale of personal data;
  • Enacting unspecified proactive data security requirements; and
  • Creating new regulations for large digital companies to enhance the protection of Canadians’ personal information and foster competition in the digital marketplace, which will be overseen by a newly-established Data Commissioner.

Significantly, Prime Minister Trudeau tasked the Ministers with establishing Canadians’ right to “appropriate compensation” when their personal data is breached.  Though the details of this compensation scheme have not yet been outlined, Minister Bains has made it clear that compensation will be “significant and meaningful” and, in the spirit of deterrence, will include “punitive fines” for companies.[4]

Privacy Commissioner warns “the world is passing us by”

In his impassioned year-end report to Parliament and accompanying statement, Privacy Commissioner of Canada Daniel Therrien (“Commissioner Therrien”) lamented that “[w]hile Canada used to be a leader in privacy protection, unfortunately the world is now passing us by”.[5]

Noting that some 30 million Canadians have suffered a data breach in the past year, Commissioner Therrien advocated for significant reforms to privacy legislation that centre on privacy as a fundamental human right and not a set of “process rules” governing consent, access and transparency.

Commissioner Therrien also called for the redrafting of privacy legislation to replace “suggested best practices” with enforceable rights and obligations.

In Commissioner Therrien’s view, significant increases to enforcement mechanisms are required, including proactive inspection rights for his office, as well as the ability to make binding orders and issue financial penalties to organizations found to have violated privacy laws.  Citing delayed access to justice, Commissioner Therrien has been critical of the federal government’s suggested privacy reform that would still require the involvement of the Attorney General before levying fines.

Despite its differing opinion regarding the scope of the OPC’s enhanced powers, Commissioner Therrien’s office has indicated that it “looks forward to consulting on any plans [the federal] government may have for modernizing federal privacy law”.[6]

If not now, when?

No timeline has been set for the implementation of forthcoming changes to Canadian privacy and data protection laws, however Minister Bains has suggested that fulfilling the federal government’s mandate is a top priority.

In the coming months, organizations may have the opportunity to participate in public consultations about prospective changes to Canada’s privacy laws.  Businesses interested in availing themselves of such opportunities are invited to reach out to McMillan Vantage, a full-service, national public affairs firm affiliated with McMillan LLP, for advice about how to have their voices heard.

Though details regarding a number of the potential changes are still somewhat scarce, a clear theme is emerging: changes to Canadian privacy and data protection laws are coming, and the penalties for non-compliance won’t be light.  It is therefore critical for organizations doing business in Canada to stay up to date with ongoing developments and start planning for the coming changes.

by Kristen Pennington and Chiedza Museredza

[1] Mandate letter to the Minister of Innovation, Science and Industry, December 2019; Mandate letter to the Minister of Justice, December 2019; Mandate letter to the Minister of Canadian Heritage, December 2019.
[2] 2018-2019 Privacy Commissioner’s Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act.
[3] Ottawa considering ‘significant and meaningful’ compensation for privacy breach victims.
[4] Ibid.
[5] Supra note 2.[ps2id id=’5′ target=”/]
[6] Ibid.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020

Insights (5 Posts)View More

Featured Insight

Adjudication Under the Construction Act: Fast but Fair

Adjudicator discretion under the Construction Act. Ontario Court recently confirmed a limit on this discretion in Ledore Investments v. Dixin Construction

Read More
Feb 23, 2024
Featured Insight

Environmental Protection: An Essential Consideration for Any Minor Exemption

The Quebec Court of Appeal quashed, on environmental grounds, a municipal resolution on a minor exemption

Read More
Feb 22, 2024
Featured Insight

2024 Update: Risks of Anonymized and Aggregated Data

The ability to glean personal information from both anonymized and aggregated data creates a risk of re-identification.

Read More
Feb 21, 2024
Featured Insight

Defending Dignity in the Dawn of Deepfakes

On January 29, 2024, in an era dominated by digital connectivity and rapid technological advancements, BC's Intimate Images Protection Act comes into force.

Read More
Feb 16, 2024
Featured Insight

Exploring Extraterritoriality: Do You Need a Physical Presence for Privacy Laws to Apply?

Join McMillan and Kochhar & Co. for an international webinar about the extraterritorial application of privacy laws in each of their jurisdictions. Can organizations without a facility or employees in Canada or India be subject to local privacy legislation? This is a must-watch program for organizations doing business in Canada and/or India.

Wednesday, March 6, 2024