The federal Digital Charter Implementation Act was introduced for First Reading on November 17, 2020 as Bill C-11. If enacted, the new Consumer Privacy Protection Act will replace the privacy portions of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”), and consequential amendments will be made to several other statutes. Bill C-11 follows on the introduction of Quebec’s Bill C-64 as well as consultation processes in Ontario and British Columbia with respect to changes to provincial privacy regimes.
As with any Bill, it will be subject to amendment throughout the upcoming stages of the legislative process; but it is quite clear that whatever details are to follow, Canadian privacy law will have more teeth in the form of penalties and enforcement, as well as enhancements to address the challenges and promises of present-day technology. We anticipate additional scrutiny both from privacy and civil rights proponents as well as from industry, given the increasing importance of privacy regulation. Some of the proposed changes include:
- New private right of action;
- New regulatory enforcement powers, including establishment of an adjudication Tribunal;
- New maximum administrative monetary penalty, up to $10 million (CAD) or 3% of the organization’s gross global revenue (whichever is higher);
- New offences, up to a maximum fine of $25 million (CAD) or 5% of global revenue (whichever is higher);
- Consent will not be required to collect, use and/or disclose personal information in a wide variety of specified contexts;
- De-identification introduced as a meaningful option for using personal information without consent;
- Transparency will be required for automated decision-making;
- Enhanced record-keeping requirements, particularly regarding proposed use; and
- Data mobility framework will be detailed in upcoming regulations.
Ontario is also undertaking consultations with a view to proposing private sector regulation. In their discussion paper, entitled “Ontario Private Sector Privacy Reform: Improving Private Sector Privacy for Ontarians in a Digital Age,” the Government outlined some of their goals for the new privacy framework:
- Transparency: Greater transparency regarding how an individual’s information is being used by businesses;
- Application to Not-for-profits: Expanded scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties;
- Consent: Revocations of consent at any time and adopting opt-in models for secondary uses of information;
- Right to be forgotten: Requests by an individual for their information to be deleted, providing a right to erasure;
- Data Portability: Greater data portability to enable individuals to switch service providers without losses of data;
- Enforcement: Increased enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law (penalties are being considered);
- Use of anonymized data: Clarified requirements for the application of privacy protection to de-identified data derived from personal information; and
- Data Trusts: Creating the framework for the establishment of so-called “data trusts” to enable sharing data in a “commons” that protects privacy.
These consultations are occurring in the context of increasingly louder calls from Canadian Privacy Commissioners for the laws to be enhanced, as discussed in our previous blog article. They arise during the context of the COVID-19 pandemic (our blog highlights some tips for Canadian organizations) and the increased and changing context of the online processing of personal information, new legal regimes in the US, such as the California Consumer Privacy Act (“CCPA”), and the highly influential European General Data Privacy Regulation (“GDPR”), which entered into force in May 2018.
In addition to Ontario, in June the British Columbia Information and Privacy Commissioner called for changes to the province’s Personal Information Protection Act. Similarly, Quebec engaged in a complete overhaul of their privacy law regime, introducing Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information. Once passed, the Bill seeks to strengthen consent, transparency and accountability through imposing higher penalties and mandatory breach notification requirements. These efforts demonstrate an increasing importance placed on data privacy, inching closer to the strong protections and enforcement mechanisms afforded under GDPR and CCPA.
What this Means for School Boards
While school boards are not subject to the privacy laws that apply to commercial actors, they contract with hundreds of commercial providers of digital technology solutions for students and staff. The proliferation of educational apps and the use of virtual platforms to provide innovative instructional tools for teachers and communication tools for schools and school boards require school boards to ensure that their digital tools meet privacy standards in the best interests of students. New laws that establish standards and provide an enforcement mechanism for those offering digital products to Ontario school boards should be welcomed.
In addition to the modernization of Canada’s privacy laws, on October 15, 2020, the Ontario Government announced a new panel on cyber security that is intended to assist in modernizing cyber security infrastructure in Ontario’s public sector. The panel includes representation from both the Peel District School Board and Thames Valley District School Board.
As school boards across Ontario are implementing digital student record systems hosted in the cloud, ways in which the public sector can work together to ensure the security of student data become increasingly important.