It’s too soon to tell the intention of outlined proposals
ANALYSIS Canada is ringing in the New Year with a proposal to revamp the country’s data privacy laws, including strengthened powers for its information regulator.
Outlining his government’s priorities in a mandate letter issued before Christmas, Prime Minister Justin Trudeau said that new online rights needed to be established in order to bring Canada’s Digital Charter into the next decade.
Many of the proposed provisions reflect those found in the European Union’s General Data Protection Regulation (GDPR), pertaining to a user’s knowledge of how their information is being collected, shared, and stored.
Ability to withdraw consent for data collection and remove some personal information, in particular, are outlined, among other, albeit vague, initiatives focused on the data practices of both government and business.
Privacy is a right, right?
Calls to revise Canada’s privacy laws have been prompted by tightened data protection rules in Europe and a debate about consumer rights in the less restrictive US market, both raising questions around how the nation should deal with personal information at home without disrupting its relationship with key trading partners cross-border.
Daniel Therrien, the current Privacy Commissioner of Canada, has been one of the more outspoken voices backing law revision, stating his preference for adopting a rights, rather than principles-based, approach to digital information governance.
“Commissioner Therrien has been calling for law reform that provides for enforcement mechanisms that result in quick and effective remedies for individuals, and broad and ongoing compliance by organizations and institutions,” an OPC spokesperson told The Daily Swig in November.
“Given the interests at stake for individual Canadians, the Commissioner's view is that the starting point for modernizing Canada's privacy framework is to give it a rights-based foundation.”
Canada presently regulates the use of personal data under two federal statutes – the Privacy Act, which regulates how the government handles personal information, and the business directed Personal Information Protection and Electronic Documents Act, or PIPEDA.
In 2018, in wake of the Cambridge Analytica-Facebook data debacle, the Canadian government expanded rules under PIPEDA mandating businesses to report to the Office of the Privacy Commissioner of Canada (OPC) when a breach of personal information of “significant harm” occurred.
The amendment has seen notifications of data breaches increase six-fold – 608 in the year from its initial enactment, according to recent statistics from the OPC.
Whether these revisions have gone far enough is perhaps answered by the Government’s stated initiatives for 2020. However, David Fraser, a privacy lawyer for McInnes law firm in Halifax, Nova Scotia, maintains that many of the elements spotlighted already exist in PIPEDA, including a ‘right to erasure’ and an individual’s ability to withdrawal previously issued consent from personal data collection.
“The challenge we have in Canada under our federal constitution is that civil rights, including privacy, are exclusively within provincial jurisdiction,” Fraser told The Daily Swig.
“The federal parliament has used its jurisdiction over trade generally to implement laws like PIPEDA, so recasting it as a ‘right’ has implications for whether the legislation is within federal jurisdiction.”
The power of enforcement
Enforcement has been a key issue within the discussion of privacy law reform, with the Ministry of Innovation, Science and Economic Development (ISED) reviewing whether businesses are sufficiently incentivized to comply with any current and future data regulation. Penalties for non-compliance are rare and are currently administered by the Attorney General of Canada.
“There are some indications, based on the response of organizations when breach reporting became mandatory in 2018, and with it, the possibility of fines for willfully not reporting or keeping records of breaches, that the threat of financial penalties causes organizations to pay attention,” the ISED stated in its review of PIPEDA.
“Likewise, when the GDPR came into force, much of the media coverage and discussion in various fora centred on the substantial fines that could accrue to organizations found offside of the law.”
The OPC, which currently acts in an ombudsman role with powers to investigate data privacy fouls and take companies to court, is the likely contender to take up any strengthened enforcement duties enacted in the years to come.
But some, like Fraser, argue that the OPC has not exhausted the tools it already has at its disposal to hold companies to account.
“Giving the OPC the ability to issue fines will completely change the dynamic of investigations,” Fraser said.
“Instead of trying to work towards a resolution in an investigation, it would result in more aggression on his [Daniel Therrien] office’s part and greater defensiveness on the part of the organization.”
Fraser notes that in the OPC’s annual report for 2018-2019, 178 of the 380 PIPEDA complaints received were resolved at an early stage of investigation.
“Most investigations where the reported violation was concluded to be ‘well founded’ are resolved during the investigation,” Fraser said.
“That looks like success to me.”
A survey conducted by the OPC in 2016 found that 74% of Canadians questioned thought they had fewer privacy rights than they did ten years ago. Most (71%) said they supported companies being subjected to stricter financial penalties.
“I think we should be maintaining strict supervision by judges, which are after all impartial decision-makers who are used to balancing rights and issuing appropriate orders,” Fraser said.
“They’re also in a better position to consider what is meaningful compensation to affected individuals.
“It will be interesting to see where the conversation goes and whether the government has an actual appetite to completely revisit our privacy framework,” he added.
