Organizations should review privacy policies and practices, writes Amanda Branch
Strengthening privacy legislation was a priority for governments across Canada in 2020 and organizations must keep an eye on the continued evolution in 2021. In particular, new or amended private-sector privacy legislation has been proposed at both the federal and provincial level. One longstanding criticism of Canadian privacy legislation is the lack of enforcement powers for the regulators. Ontario’s potential private-sector legislation, Quebec’s Bill 64 and the federal Bill C-11 all include stronger enforcement regimes, including the introduction of monetary penalties and the ability for commissioners to make orders.
In June 2020, the Government of Quebec tabled Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which would update the existing legislation applicable to the protection of personal information. In particular, Bill 64 includes new notification and record-keeping requirements relating to data breach incidents, as well new data subject rights such as the right to data portability, the right to be forgotten and various rights related to automated processing and decision-making.
Bill 64 would also give the Commission d’accès à l’information the power to impose administrative monetary penalties of the greater of $10 million or 2% of worldwide turnover in the previous fiscal year. In the case of penal proceedings for violations of the Private Sector Act, fines could be the greater of $25 million or four per cent of worldwide turnover in the previous fiscal year.
In August 2020, the Government of Ontario released a discussion paper and held a consultation seeking input on private sector privacy law reform in the province. The discussion paper includes a series of proposals the government is exploring to consider a “made-in-Ontario” privacy law. These proposals are largely in line with other Canadian privacy laws and include the requirement for clear consent provisions and increased transparency to provide individuals with more detail about how their information is being used.
The discussion paper further proposes oversight, compliance and enforcement powers for the Information and Privacy Commissioner, which would include the ability to impose financial penalties. The discussion paper notes that a proactive approach to compliance will be preferred; however, empowering Ontario’s enforcement regime will be crucial to modernizing privacy protections and will help to support the public’s confidence that enforcement is meaningful.
In November 2020, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020, which enacts the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. Like the Personal Information Protection and Electronic Documents Act, the CPPA would apply to private-sector organizations that collect, use or disclose personal information in the course of commercial activity.
Bill C-11 would repeal the privacy provisions of PIPEDA and introduce new obligations for organizations, including an obligation to implement a privacy management program that includes policies, procedures and training of its employees, as well as the requirement to provide a user with certain information, in plain language, at the time consent is sought.
The CPPA includes a stronger enforcement regime. Under PIPEDA, the Privacy Commissioner of Canada does not have the power to issue orders against organizations. The CPPA would give the commissioner various order-making powers including, for example, the ability to make orders requiring organizations to take measures to comply with the CPPA or to stop doing something that contravenes the CPPA. After completing an inquiry, the commissioner may recommend to the newly created Personal Information and Data protection Tribunal that a monetary penalty be imposed. The maximum amount is the higher of $10 million or three per cent of the organization’s gross global revenue for the prior financial year. Other contraventions of the CPPA carry even higher fines. For example, failing to report a breach to the Office of the Privacy Commissioner of Canada could result in a fine of up to $25 million or five per cent of global annual revenue.
In preparation for the potential changes to Canada’s private-sector privacy landscape, organizations should take this opportunity to review their privacy policies and practices, including reviewing customer-facing privacy policies to ensure they are drafted in clear and plain language, implementing or updating internal privacy compliance programs (including policies, procedures and training for employees) and creating or updating breach response plans and record-keeping requirements.