Proposed changes to Canadian privacy laws influenced by changes coming from EU

Recommendations from a Parliamentary committee to strengthen the Personal Information Protection and Electronic Documents Act and give more power to the federal privacy commissioner are likely being driven by privacy requirements coming into effect in Europe.

Proposed changes to Canadian privacy laws influenced by changes coming from EU
Patricia Kosseim is the former general counsel and director general of the Office of the Privacy Commissioner of Canada, now counsel wtih Osler Hoskin & Harcourt LLP.

Recommendations from a Parliamentary committee to strengthen the Personal Information Protection and Electronic Documents Act and give more power to the federal privacy commissioner are likely being driven by privacy requirements coming into effect in Europe.

On Feb. 28, the federal Standing Committee on Access to Information, Privacy and Ethics published a report on the Personal Information Protection and Electronic Documents Act. The study of federal private sector laws recommended stricter legislation and stronger enforcement powers.

In particular, it recommends “including in PIPEDA a framework for a right to erasure based on the model developed by the European Union (EU) that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down.”

Patricia Kosseim, the former general counsel and director general of the Office of the Privacy Commissioner of Canada, says the recommendations are likely connected to the Canadian government wanting to keep in line with regulations required by the European General Data Protection Regulation coming into effect May 1.

“A lot of the impetus for that is coming from across the ocean in the form of GDPR regulations. That is certainly setting the pace and parliamentarians are very keen to make sure Canada doesn’t fall behind,” says Kosseim, who joined Osler Hoskin and Harcourt LLP last week as counsel to the firm’s Privacy and Data Management Practice Group.

Kosseim will work with Adam Kardash, chairman of the firm’s national Privacy and Data Management Practice. She will co-lead the “next generation” of Osler's AccessPrivacy platform.

The GDPR, which affects many Canadian companies that have customers and dealings in Europe, seeks to strengthen and unify data protection for those living in the EU and address the export of personal information outside the EU.

The standing committee’s report makes 19 recommendations to update PIPEDA and to take other measures to improve the protection of Canadians’ privacy in their relation with private sector organizations.

The committee also recommends amending PIPEDA to provide the privacy commissioner with enforcement powers — such as the power to make orders and impose fines for non-compliance — as well as broad audit powers, including the ability to choose which complaints to investigate.

At the federal privacy commission, Kosseim provided legal and policy advice on emerging privacy issues, advised Parliament on the privacy implications of legislative bills, led research initiatives on new information technologies and advanced privacy law in major litigation cases before the courts, including the Supreme Court of Canada. Prior to that, she worked at Genome Canada and the Canadian Institutes of Health Research.

Kosseim says the evolving privacy landscape will continue to be a “major preoccupation” for many organizations both large and small.

“I think some of the big privacy challenges that are concerning to many general counsel and private sector organizations is the fast and inevitable changes to the legislative landscape. Canada will be hard placed to align itself with the new GDPR regulations that are due to be fully implemented this May,” she says.

“Organizations are going to have to stand ready to implement whatever this new generation of privacy laws may usher in, on the one hand, but they also have a wonderful opportunity to help shape that policy agenda with input in the legislative and regulatory process and they will need to supplement that framework with practical operational solutions as well.”

While she says the majority of organizations try to do the right thing, there is a vast span of sophistication. Large-scale sophisticated organizations are not only complying with the law but setting the pace with new data governance processes and building privacy into their technologies as they build them.

“I think there are many industry leaders, but on the other end of the spectrum, you have many smaller promising startups with great ideas but absolutely no bandwidth to know how to begin to design even the most basic compliance programs,” she says.

Cybersecurity threats also plague organizations of all sizes and are increasing as external threats and actors become even more capable of infiltrating systems, along with internal threats.

Cyber-threats can be an “unwitting factor and reason” for non-compliance despite the best efforts of many. She says as long as organizations are taking reasonable efforts, they may still be found to be compliant even though their systems may have been breached.

“Breach is not synonymous with compliance, but certainly cybersecurity makes it challenging for everybody,” she says.

“We’re just dealing with really complex issues and nobody has answers to those and they have everybody stumped in terms of trying to resolve and find paths forward to take advantage of the great potential and promise of data while respecting people’s privacy, and I think that’s the challenge for everybody in the next couple of years if not the short- or medium-term horizon,” she says.