Privacy laws are expected to keep up with the pace of technological changes, and the pandemic has highlighted the necessity of ensuring that Canadians can stay connected via technology and access vital services virtually, while having their privacy rights protected in an ever-changing digital landscape.
Last year, the Federal government introduced a new Bill (Bill C-11), which would modernize the framework for the protection of personal information in the private sector. The Bill aims to update Canada’s privacy laws to address evolving technologies, and to bring Canadian federal privacy legislation on a par with peer nations.
If passed, the Bill C-11 would establish a new Personal Information and Data Protection Tribunal, and a new private sector privacy law in Canada: the Consumer Privacy Protection Act (CPPA), which would replace the Personal Information Protection and Electronic Document Act (PIPEDA). If adopted, CPPA would modernize rules around the use of personal data by providing Canadians with plain-language information on consent, simplifying consent requirements, giving people the right to direct the transfer of their personal information from one organization to another and enabling them to request that a company dispose of their personal information.
Within the past year, there has also been a push for legislative updates to Canada’s privacy landscape on a jurisdictional level. Here are a few examples from across the country:
Ontario launched consultations on private sector privacy reform to ensure that privacy legislation in the province meets the challenges of the digital age and takes into account the size and complexity of the province and its business landscape. Privacy in the private sector in Ontario is currently governed by the PIPEDA. There are only three provinces in Canada that currently have their own provincial privacy legislation in the private sector that is substantially similar to PIPEDA: Alberta, British Columbia and Quebec.
In addition, Quebec introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. The proposed legislation aims to make the reporting of privacy breaches mandatory, and includes provisions with more comprehensive consent requirements, as well as “a right to be forgotten.”
The BC Privacy Commissioner also called for changes to their provincial Personal Information Protection Act, which signals that BC is also on track for significant privacy legislation updates.
Changes to private sector privacy legislation will affect the public sector, too. The CPPA will not be directly applicable to public sector health care organizations, which operate predominantly under provincial health laws; however, such major legislative reform on the federal level will likely encourage the development of new standards and guidelines for personal information protection, consent requirements, acceptable uses of de-identified information and will raise expectations on how personal information should be handled, regardless whether it is done by a private or a public entity.
Some public sector privacy legislation changes are happening already. For example, Ontario’s Personal Health Information Protection Act (PHIPA) underwent a series of changes in 2020, which included doubling the fines for offences under the Act (i.e., fines for privacy breaches), enabling individuals to access their personal health information in electronic format, and establishing mandatory audit requirements for custodians.
In addition, last year, the Alberta government introduced Bill 46, which amends their current Health Information Act (HIA) as well as other health statutes. Discussions are also happening in other jurisdictions about updating their health information privacy laws. Furthermore, the Federal government has committed to review and update the Privacy Act, Canada’s public sector privacy law.
Ultimately, the proposed and contemplated legislative changes around personal information protection in Canada aim to support innovation and increased adoption of technology, including health care technology, while promoting responsible use of data. It will be interesting to see how work towards modernizing our privacy legislative framework in Canada will unfold over the coming year.
Have a comment about this post? We’d love to hear from you.