Knowledge & News

More Changes on the Horizon for Privacy Laws in Canada

18 November 2020

We recently wrote that significant changes to Canada’s privacy law regime were expected, particularly in light of the increasing ubiquity of digital technologies. The Federal Government of Canada has now confirmed this by proposing several substantial amendments to current federal private sector privacy laws which would fundamentally alter the legal landscape.

On November 17, 2020, Canada’s Minister of Innovation, Science and Industry, Navdeep Bains, introduced a new Bill, the Digital Charter Implementation Act, 2020.  The Bill proposes to the modernize the framework for the protection of personal information in the private sector and in the commercial context, and to clarify the rules around privacy and personal information. The Bill sets out to provide: 

rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Among significant provisions being proposed are the following: 

  • Empowering the Privacy Commissioner to make orders, including ordering an organization to comply with the Act or to stop acting in contravention of the Act. The Privacy Commissioner could also recommend the imposition of penalties on an organization for breaching the Act
  • Creating a new tribunal, the Personal Information and Data Protection Tribunal. The Tribunal would be empowered to impose administrative monetary penalties on organizations in contravention of the law based on the decisions of the Privacy Commissioner. The Tribunal can also hear appeals from orders made under the Act and from decisions of the Privacy Commissioner. 
  • An organization could be liable to for a penalty up to the higher of $10 million or 3% of the organization’s gross global revenue. The purpose of a penalty would be to promote compliance, and not to punish.  Among other things, the Tribunal could take into account any financial benefit that the organization obtained from the contravention.  
  • Criminal penalties would also be available for certain of the most serious offences, such as an organization failing to report to the Privacy Commissioner any breach of security safeguards involving personal information under its control, if the breach creates a real risk of significant harm to an individual, or where an organization is obstructing the Privacy Commissioner’s investigations. Such penalties, at their most serious, include indictable offences and fines of up to the higher of $25 million or 5% of the organization’s gross global revenue. 

The Bill also proposes new privacy rights. For example, individuals would have “mobility of personal information” rights - the right to request that an organization disclose the personal information that it has collected from the individual to an organization designated by the individual, provided the organizations are both subject to a data mobility framework. These rights exist within the new data mobility frameworks envisioned as Regulations to the Act, which will set out safeguards that must be put in place by organizations to enable the secure disclosure and collection of personal information, and parameters for the technical means for ensuring interoperability in respect of the disclosure and collection of that information. The Regulations will also specify which organizations are subject to these frameworks and what limited exceptions exist. 

The Bill also proposes to legislate standards for the de-identification of personal information, namely that de-identification measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information and that an organization cannot use de-identified information alone or in combination with other information to identify an individual, except in limited security-testing circumstances. 

While the legislation is in its early days, this bill is another signal that Canada is on the precipice of significant changes to the privacy landscape and is taking steps to modernize its privacy laws in response to an increasingly digital world.

Authors

Sebastian Beck-Watt

Sebastian Beck-Watt Associate Toronto (Canada) Barrister and Solicitor

Catherine Lovrics

Catherine Lovrics Partner Toronto (Canada) Canadian Trademark Agent, Barrister and Solicitor

You may also be interested in...

.
Small business going international
Article

Small business going international

Obtaining robust IP protection in new markets

.
Articles

Can blockchain save democracy?

POSTED 25 November 2020

Find the right person

Find the office that suits you

Click here to view our offices

>