In the context of the Canadian Government’s plans to replace the current federal private sector privacy legislation in Canada – The Personal Information Protection and Electronic Documents Act (the “PIPEDA“), the Office of the Privacy Commissioner of Canada (the “OPC“) has released key recommendations for the proposed new law (the “Recommendations“). These Recommendations are in the form of amendments to the former Bill C-11, which sought to replace the PIPEDA with the Consumer Privacy Protection Act (the “CPPA“) but failed to see the light of day.
The primary focus of the Recommendations is to strengthen the proposed CPPA by formulating a rights-based framework that would “enable responsible digital innovation within a legal framework that recognizes privacy as a fundamental human right.”
Key objectives of the Recommendations
The principal objectives of the Recommendations can be grouped under the following themes:
1. Enabling responsible innovation
The underlying objective of these Recommendations is to strike a balance between the needs of an organization and the rights of consumers with respect to their personal information. Primarily, the OPC seeks to curtail the discretionary powers of an organization by allowing collection of personal information only for “specific, explicit and legitimate purposes”. It also redefines the term “consent” to enhance consumers’ control over their personal information and ensure that consent is more informed and meaningful.
The OPC also seeks to introduce a “legitimate commercial interests” exception to consent to recognize reasonable purposes which may legitimately require an exception (but which would still need to be based on specific purposes) and to mandate a “socially beneficial” purpose for the collection and use of personal information. These changes would better align Canadian law with the legal bases for “processing” of personal information in the European context under the General Data Protection Regulation.
In this context, the OPC has noted that the CPPA has achieved a balance between de-identification, innovation and flexibility to organizations and the need to maintain controls and oversight, but has recommended that such a balance be more explicitly spelled out in the new legislation. Championing the cause of consumers to get meaningful explanations in the realm of automated decision-making, and to challenge such automated decisions are also key objectives under this theme.
2. Privacy as a human right
The OPC aims to entrench the rights-based approach of the CPPA in the Preamble itself by emphasizing on every individual’s fundamental right to privacy, while ensuring that the legitimate interest of organizations to process personal data for specified appropriate purposes be given due recognition, and confidence in the new legislation be promoted through sustainability of information-based commerce. The Recommendations also aim to (i) make Federal political parties more accountable by bringing them under the ambit of privacy law; (ii) ensure that the level of protection accorded to personal information under Canadian law is maintained when such information moves outside Canada; and (iii) provide for the right to protect an individual’s reputation from the adverse impact of information posted online by allowing for deletion of such information.
3. Increased accountability
The OPC is mindful of the fundamental importance of accountability as a means to ensure privacy protection in a regime that gives organizations greater authority to process personal information without consent. As such, it recommends an objective standard for accountability by obligating the implementation of a privacy management program in conformity with the law and proactive practices such as privacy by design and the obligation to undertake privacy impact assessments for high-risk activities. It is also proposed that the OPC should be authorized to perform proactive audits on organizations so that they may demonstrate their commitment to accountability and consumers may trust them enough to participate in the digital economy without fear of violation of their personal rights.
The OPC is also keen to ensure, at a minimum, that Canada does not fall behind other trading partners on key elements of privacy laws based on parameters laid out in a jurisdictional comparison chart. As identified by the OPC, “a human centric approach to post-pandemic prosperity guided by shared democratic values of competitive markets, human rights and international cooperation” is the need of the hour. Domestically too, the OPC emphasizes that the Federal Government should aim to actively introduce and implement superlative standards of privacy and move towards a rights-based regime. By getting enforcement powers comparable to its Provincial counterparts, the OPC can wield the necessary influence and lead from the front in the development of privacy law.
The OPC considers compliance agreements to be an important means of resolving potential disputes and an effective enforcement mechanism. To improve their effectiveness, the OPC recommends utilizing compliance agreements for speedier resolution of inquiries which can lead to negotiated settlements prior to the issuance of a compliance order or the imposition of an administrative monetary penalty (“AMP“) to defaulters. The OPC also seeks greater powers to impose AMPs and remove appeals to the proposed Tribunal to provide consumers with quick and effective remedies. Other Recommendations under this category include (i) adopting the UK enforcement notice scheme to enable organizations to understand the nature of violations before a penalty may be imposed; (ii) ensuring greater transparency and fairness by expanding on the list of factors to consider before administrative penalties are recommended or imposed; and (iii) rephrasing the criminal prosecutions scheme to ensure the effective imposition of sanctions.
The OPC drafted these Recommendations in the hope that their implementation will be a positive step in the direction of a modern privacy law that recognizes privacy as a fundamental right, heightened corporate accountability, regulatory interoperability, expeditious and effective enforcement options, and a strengthened private right of action in the realm of privacy law.