On 4 May 2022, the Office of the Privacy Commissioner of Canada (OPC) reiterated their Key recommendations for a new federal private sector privacy law to replace the current Personal Information Protection and Electronic Documents Act (PIPEDA). This comes just ahead of the close of the current Privacy Commissioner of Canada, Daniel Therrien’s mandate in June 2022.
The recommendations are based heavily on the OPC’s May 2021 submission on Bill C-11. Bill C-11, the Digital Charter Implementation Act, 2020, was the last attempt by the Canadian government to replace PIPEDA; however, it died on the order paper last fall. The federal government of Canada has indicated their intention to introduce an amended private-sector privacy law sometime this year. The recommendations aim to support the development of a new law that “would enable responsible digital innovation within a legal framework that recognizes privacy as a fundamental human right”.
The key recommendations for the modernization of Canada’s federal private-sector privacy law highlighted by the OPC include:
- Enable responsible innovation – provide flexibility to organizations through the introduction of a legitimate commercial interests exception to consent, within a rights-based framework. Protecting Canadians by ensuring personal information is only collected for “specific, explicit and legitimate purposes”, re-introducing the knowledge and understanding element of meaningful consent, and ensuring algorithmic transparency related to automated decision-making;
- Adopt a rights-based framework – recognize both the fundamental right of privacy and the legitimate need of organizations to process information for appropriate purposes, within a legal framework where privacy is entrenched as a human right;
- Increase corporate accountability – provide an objective standard for accountability (i.e. the obligation to implement a privacy management framework) and prescribe proactive practices, such as privacy by design and privacy impact assessments for high-risk activities. Authorizing the OPC to conduct proactive audits of organizations to ensure compliance;
- Ensure interoperability of laws, internationally and domestically – prevent Canada from falling behind international trading partners and the provinces on key elements of privacy laws. Providing the OPC with enforcement powers comparable to their provincial counterparts, such as authorities to make orders, perform audits, and impose fines, etc.;
- Adopt quick and effective remedies – make all violations of the law subject to administrative penalties, authorizing the OPC to impose such penalties while removing appeals to the previously proposed Tribunal. Adopt a similar enforcement notice scheme to the UK’s, and broaden the list of factors considered prior to administrative penalties being recommended or imposed, for greater transparency and fairness; and
- Give the OPC tools to adopt a risk-based approach while being transparent – provide the OPC the discretion to investigate, and select advisory files, and enable them to adopt procedural rules for approving codes of practice.
Given the government’s intentions and the long-standing calls for the introduction of a modern private-sector privacy law in Canada, organizations should expect to see an updated federal private-sector privacy law introduced sometime in the near future. The draft legislation will seek to align Canada’s privacy framework with other international standards, helping ensure the rights of Canadians are protected, while enabling economic growth and competition on the global market. Organizations operating in Canada, especially those implementing jurisdiction-specific privacy compliance frameworks will need to be prepared to make any necessary updates to their privacy programs.
The recommendations are aimed at supporting the development of a new law that would enable responsible digital innovation within a legal framework that recognizes privacy as a fundamental human right.