Norton Rose Fulbright - Data Protection Report blog

Happy Data Privacy Day! Data Privacy Day represents a timely opportunity to highlight anticipated significant developments in Canadian privacy law in 2020 that we are monitoring following two major developments from the Government of Canada.

In the private sector in Canada, federally regulated businesses, works and undertakings are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including with respect to their collection, use and disclosure of employee personal information. In addition, provincially and territorially regulated organizations that collect, use or disclose personal information in the course of their commercial activities are subject to the Act. The Act applies unless provincial or territorial legislation deemed “substantially similar” has been enacted. Currently, only Alberta, British Columbia, and Quebec have enacted substantially similar legislation with the result that PIPEDA’s application is broad in scope, to organizations across Canada.

Digital Charter

In response to consultations across Canada and in recognition of the importance of Canada’s growing digital economy, the Government of Canada announced its Digital Charter, and launched its National Digital and Data consultations by publishing an accompanying paper entitled Strengthening Privacy for the Digital Age, which included numerous recommendations for amending PIPEDA.

In its Digital Charter, the Government of Canada articulates a principled approach to digital and data transformation, setting out ten principles to guide amendments to PIPEDA. Proposed amendments include:

  • Enhancing the control and transparency that individuals have over their personal information by requiring specific standardized plain language information on its use;
  • Providing data mobility opportunities to support greater individual control over data and promotion of consumer choice; and
  • Strengthening enforcement mechanisms, including enhanced penalties for non-compliance.

Mandate Letter from the Prime Minister’s Office

It now appears that amendments to PIPEDA may be on the horizon. On January 17, 2020, the Prime Minister’s Office delivered a mandate letter to the Minister of Innovation, Science and Industry, outlining a number of data protection initiatives for the Ministry. Notably, some of these initiatives include:

  • advancing Canada’s Digital Charter;
  • enhancing the power of the Office of Privacy Commissioner of Canada, such as adding the ability to award administrative monetary penalties, creating new offences, or providing additional oversight by the Federal Court of Canada to incentivize compliance;
  • establishing a new set of rights for individuals online, including:
    • data portability/privacy; and
    • the right to be forgotten.
  • enhancing knowledge of how personal data is being used; and
  • creating new regulations for large digital companies to protect personal data and to encourage greater competition in the digital space.

Each of these amendments, if implemented, have the potential to effect a fundamental change in the way private-sector organizations in Canada collect, use, and disclose personal information. Such amendments would also more closely align Canada with the robust, rights-based data protection regime in the European Union under the General Data Protection Regulation (GDPR); an important consideration in light of the imminent sun-setting of PIPEDA’s adequacy decision by the EU, which allows for free data exchanges between the EU and Canada, with the exception of employee data and under certain conditions.

The authors would like to thank Miranda Sharpe, articling student, for her contribution to this article.