This article was co-authored by Lyndsay Wasser, Co-Chair of Mcmillan LLP's Privacy & Data Protection, and Cyber Security Groups; and Kristen Pennington, an associate lawyer in the Advocacy and Employment Group of McMillan LLP.
In May of this year, the Canadian federal government released a proposed Digital Charter (the “Charter”), alongside an initial set of actions and recommendations intended to implement the Charter’s ten principles.
The Charter, which does not yet have the force of law, is a product of ongoing national consultation and committee hearings regarding a proposed overhaul of Canadian privacy and data protection laws.
The Charter is intended to respond to the continued impact of the digital revolution on Canadians’ lives and the economy. A strong theme throughout the Charter and the government’s accompanying announcement is the balancing of technological innovation and economic advancement with Canadians’ trust and confidence regarding the collection, use and disclosure of their personal information in this digital age.
The Charter’s Ten Principles
The proposed Charter would implement the following ten principles, which would shape future government policies, legislative amendments and initiatives:
1. Universal Access – the equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills;
2. Safety and Security – the ability to rely on the integrity, authenticity and security of the services Canadians use, and the right to feel safe online;
3. Control and Consent –control over what personal data one shares, who uses that personal data, and for what purposes;
4. Transparency, Portability and Interoperability – clear and manageable access to one’s personal data and the freedom to share or transfer that data without undue burden;
5. Open and Modern Digital Government – the ability to access modern digital services from the government that are secure and simple to use;
6. A Level Playing Field – ensuring fair competition in the online marketplace to facilitate economic growth and development while protecting Canadian consumers from market abuses;
7. Data and Digital for Good – ensuring the ethical use of data to create value, promote openness and improve the lives of people in Canada and worldwide;
8. Strong Democracy – defending freedom of expression and protecting against online threats and disinformation designed to undermine the integrity of elections and democratic institutions;
9. Free from Hate and Violent Extremism – the right to expect that digital platforms that will not foster or disseminate hate, violent extremism or criminal content; and
10. Strong Enforcement and Real Accountability – clear and meaningful penalties for violations of the laws and regulations that support the Charter’s principles.
Combatting Online Ills
A number of the Charter’s principles are in direct response to hot topics such as the promulgation of “fake news” and growing concerns about the role of social media in the dissemination of hate speech, online extremism and electoral interference.
When introducing the idea of the Charter in early May 2019, Prime Minister Justin Trudeau indicated that the federal government intends to take action to encourage social media companies to crack down on the spread of disinformation, promising “meaningful financial consequences” for those platforms that do not address these concerns.
Proposed Amendments to PIPEDA
The federal government has also published a lengthy discussion paper outlining proposed amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) which are intended to align with many of the Charter’s principles.
The discussion paper suggests that amendments to PIPEDA are needed, in part, to better align Canadian privacy legislation with international privacy law frameworks (including those in the European Union and United States) in order to achieve an integrated digital economy and allow Canada to remain competitive in the digital age.
Some of the proposed amendments to PIPEDA include:
- requiring organizations to provide specific, standardized and plain-language information to individuals about the intended use of their information and the third parties with whom that information will be shared;
- prohibiting the “bundling” of consent into a contract;
- providing for alternatives or exceptions to consent in order to facilitate the use of personal information by businesses under certain circumstances;
- adding a definition of de-identified information, along with an exception to consent for its use and disclosure for certain prescribed purposes or when managed by a data trust;
- imposing specific penalties for re-identification of de-identified information, including when it occurs as the result of negligence or recklessness;
- requiring that individuals be informed about the use of automated decision-making, the factors involved in the decision and, where the decision is impactful, information about the logic upon which the decision is based (excluding confidential commercial information);
- explicitly requiring organizations to demonstrate their accountability, including in the context of cross-border data flows;
- providing an explicit right for individuals to direct that their personal information be moved from one organization to another in a standardized digital format (otherwise known as “data mobility”) in order to enhance consumer choice;
- providing individuals the right to request the deletion of information about them, subject to as-yet-unspecified caveats; and
- requiring organizations to communicate changes to or deletion of personal information to any other organization to whom it has been disclosed.
Potential Enhanced Commissioner Powers
In a move that many have complained is long overdue, the federal government has also proposed that the powers of the Privacy Commissioner of Canada (the “Commissioner”) be enhanced to incentivize organizations’ compliance with PIPEDA.
PIPEDA is currently primarily enforced through an “ombudsman” model that relies heavily on non-binding recommendations of the Commissioner. Some have argued that this current approach provides little motivation for organizations to implement the Commissioner’s recommendations.
In response, the federal government has suggested a variety of additional powers for the Commissioner, including the ability to issue an order to halt the collection, use or disclosure of personal information by a non-compliant organization, extending the circumstances in which fines can be levied, and substantially increasing the range of potential fines.
Other Supporting Initiatives
In addition to the proposed amendments to PIPEDA, the federal government has taken or plans to take a variety of other steps aimed at implementing the principles of the Charter, including:
- writing to the Competition Bureau to ensure that it has the necessary tools to promote competition and digital innovation, particularly for small businesses;
- establishing the new Canadian Statistics Advisory Council to undertake a review of the Statistics Act and provide impartial and independent advice about the relevance, quality and transparency of the national statistical system; and
- supporting the Standards Council of Canada in launching the Canadian Data Governance Standardization Collaborative, an effort to coordinate development and compatibility of data governance standards in Canada.
The federal government has also indicated that an examination of potential reforms to the federal Privacy Act will continue to be led by Justice Canada in conjunction with the Treasury Board Secretariat.
The federal government has called for submissions and input to inform ongoing discussions around its proposed amendments to PIPEDA. Interested parties may make written submissions to or request a meeting with the Director of Privacy and Data Protection Policy Directorate, Innovation, Science and Economic Development (the “Director”). We are advised that, while there is no deadline for commenting on the proposed amendments, the Director is open to receiving ongoing feedback through the Fall.
Numerous questions and points for consideration raised in the discussion paper suggest that there is still much consultation to take place before any bill to amend privacy legislation is tabled. It is unlikely that the Charter or any accompanying legislative reforms will become law prior to the federal election this fall.
However, though not yet in force, the Charter and proposed amendments to PIPEDA suggest that a more onerous Canadian privacy compliance regime is likely on its way. Organizations are accordingly advised to take early steps to assess their handling of personal information and the maturity of their privacy and data security compliance program, and to carefully monitor new developments as they are announced.