New data privacy laws are coming in Canada. Businesses have lots of suggestions, but the debate will take months to reach an outcome.

Key Points:

  • Canada’s federal government and provinces are developing new data privacy laws.
  • Changes are in store for such hot-button issues as individual consent, data residency, and breach notification.
  • Enforcement is expected to increase under the new provisions.

Canadian data privacy policy is poised for sweeping change – and Canadian companies will be contending with ongoing uncertainty and confusion as various proposals are deliberated in coming months.

Stronger privacy policies backed by tougher enforcement are being developed at the national and provincial levels. Canada’s businesses have offered up their policy preferences, supporting new approaches to collecting and using personal information, the continuation of cross-border data flows, and better alignment of rules between and among the provinces and Ottawa.

Canada is seen as a pioneer in data privacy. The Personal Information Protection and Electronic Documents Act (PIPEDA), the country’s federal law on the collection, use and disclosure of personal information, took effect in 2001 – long before laws in many other countries. But technological, cybercriminal and international developments have overtaken PIPEDA, and most agree that it now needs a significant update.

Canada’s privacy debate is also being influenced by the European Union’s General Data Protection Regulation (GDPR), which has had a global impact because of its implications for doing trans-Atlantic business. The EU has deemed Canada’s privacy rules “adequate” for protecting European citizens’ data within its borders, while countries including the U.S. failed to meet this data privacy standard. Still, some observers are questioning whether Canada’s aging privacy regulations will meet the GDPR standard when they are next reviewed.

For these and other reasons, the federal government was working to revise PIPEDA when Quebec introduced a new data privacy bill,[1] followed by the release of policy proposals in British Columbia and Ontario.[2] Since Quebec came first, its legislation has attracted the most attention. 

Quebec Bill Leads Policy Debate

Canada’s Privacy Commissioner, Daniel Therrien, has said that a number of the provisions in Quebec’s bill are consistent with federal thinking,[3] though national legislation has not yet been introduced. For example, Therrien generally agreed with the stronger enforcement provisions in Quebec’s “Bill 64.” But he cautioned against provisions that might hinder the flow of data outside of Quebec.

Many of Bill 64’s provisions mirror the EU’s GDPR. The bill seeks to clarify requirements relating to the consent required from individuals before collecting, using or releasing their personal information to a third party, such as a data processor. Legal observers singled out some provisions as potentially problematic for companies, including penalties of C$10 million (about $7.5 million) or 2% of global revenue, whichever is greater, for infractions.

Another section of Bill 64 would impact data residency, requiring a privacy impact statement before outsourcing personal information outside Quebec for processing.[4] Data residency is an area that has been subject to some confusion in Canada, with the Office of the Privacy Commissioner recently issuing and then rescinding a requirement that companies get express consent for the transfer of personal information to service providers outside of Canada.[5]

These and myriad other details across federal and provincial policy proposals will continue to be discussed in coming months, including the “right to be forgotten,” reporting requirements for data breaches and more. Other developments that could affect national policy include a coordinated class action suit filed in three provinces contesting a major tech multinational’s collection of personal information.[6] And in the midst of an already complicated environment, COVID has prompted government officials to relax some privacy rules regarding related personal information.[7]

Companies Express Concerns

“It is critical that the private sector play a role in shaping Canada’s data strategy,” the Business Council of Canada wrote in a policy paper capturing the consensus of large Canadian companies and subsidiaries of foreign multinationals. “Everyone is in the data business.”[8] A sampling of the council’s recommendations includes:

  • PIPEDA should provide legal grounds on consent, exceptions and alternatives — including on the use of algorithms for automated decision-making.
  • Canadians should have some, albeit limited, right to request that companies delete their personal information.
  • Enforcement of privacy laws should be strengthened in the case of serious violations.
  • Voluntary compliance methods, such as pre-approval of use cases or self-disclosure of unintentional misuses, should be implemented without penalty.
  • Future international trade agreements should include provisions against data localization/data residency requirements and other barriers to cross-border data flows.
  • The federal government should collaborate with the provinces to align data strategies and create a national market for the free flow of data.

The Takeaway

As Canadian policymakers and business leaders debate new data privacy laws, Canadian companies are being encouraged to begin preparing for stronger regulations and enforcement. The measures may take up to two years to come into force, but the clock is already ticking.

[1]Bill 64, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information,” National Assembly of Quebec

[2]Consultation: Strengthening Privacy Protections in Ontario,” Ontario Ministry of Government and Consumer Services

[3]Appearance Before the Committee on Institutions of the National Assembly of Quebec Regarding Bill 64, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information,” Office of the Privacy Commissioner of Canada

[4]Proposed Amendments to the Quebec Law on the Protection of Personal Information: Consequences on Businesses,” BLG

[5]Bank Ensures Openness and Comparable Protection for Personal Information Transferred to Third Party,” Office of the Privacy Commissioner of Canada

[6]Google Faces Class Action in Canada Alleging it Turns Canadians' Electronics into Tracking Devices Without Their Consent,” Branch MacMaster LLP

[7]A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19,” Office of the Privacy Commissioner of Canada

[8]Data Driven,” Business Council of Canada

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Moving E-discovery to the Cloud

As the volume of digital documentation c…

As the volume of digital documentation continues to grow, la… Read More >

Mercedes Cardona

by Mercedes Cardona

Contributing Writer

Posted Sep 28, 2020

EU-U.S. Data Privacy Shield Is Invalidated: Now What?

With the EU-U.S. Privacy Shield for data…

With the EU-U.S. Privacy Shield for data transfers up in the… Read More >

Karen Lynch

by Karen Lynch

Contributing Writer

Posted Sep 22, 2020

Ransomware Death Paints an Ugly Future for Cyber Crossfire Liability

Civilian lives are at risk as critical n…

Civilian lives are at risk as critical national infrastructu… Read More >

Richard Botley

by Richard Botley

Senior Security Writer

Posted Sep 24, 2020