On May 22, the Government of Canada announced a 10-principle Digital Charter and released a Discussion Paper outlining proposals to modernize the Personal Information Protection and Electronic Documents Act (PIPEDA). These potential reforms are at an early stage of development, but since they may have a significant impact on aspects of how firms do business with their customers, we want to give you a heads-up about the direction of change. Of particular interest to our clients, we noted the following.
Potential changes to the knowledge and consent system: According to the Discussion Paper, complex data flows, lengthy privacy policies, the multiplicity of online interactions, and the rise of machine learning make it challenging for people to understand and control how their personal data is used. Therefore, the Government wants to:
- Prohibit the bundling of consent into contracts;
- Require organizations to give people specific, standardized and plain-language information on the intended use of personal information and any third parties with whom information will be shared (see our article below on cross-border data flows);
- Require organizations to inform individuals about the use of automated decision-making, the factors involved in these decisions, and the logic upon which these decisions are made;
- Make it easier for businesses to use personal information in some situations by creating limited exceptions to the consent requirement, e.g. for common uses of personal information for standard business activities, with consent still required for uses that have the biggest impact on individuals; and
- Create an exception for the use and disclosure of “de-identified information” in some circumstances, together with penalties for re-identification.
Data mobility: Individuals would have the statutory right to direct that their personal information be moved from one organization to another in a standardized, digital format.
Self-regulation: The Government wants to incentivize the development of codes of practice, accreditation/certification schemes and standards, e.g., by:
- Formally recognizing them in PIPEDA as a means for organizations to demonstrate compliance with certain provisions in the legislation; and/or
- Enabling the Office of the Privacy Commissioner (OPC) to recognize them as a mitigating factor in investigations or enforcement matters.
Enforcement and oversight: The Government wants to strengthen PIPEDA’s enforcement mechanisms, e.g., by:
- Giving the Privacy Commissioner cessation and records preservation powers for compliance audits and investigations;
- Substantially increasing the range of fines for offences and providing for a scheme that identifies mitigating and aggravating factors;
- Extending the existing regime for fines to other key provisions in PIPEDA (such as the consent and data safeguard requirements); and
- Empowering the Court to order statutory damages for certain breaches of the law.