As privacy law reform legislation multiplies in Canada, each bill pursuing its own direction, privacy law reform around the world is also splintering through varied legislative developments. Even with Europe’s assertive stance on uniformity, through the adoption of the General Data Protection Regulation (GDPR) to replace national privacy laws with one European law and the creation of the European Data Protection Board (EDPB) “to ensure the consistent application of this Regulation” (Article 70 GDPR), the domestic pull of local politics and culture is fraying consistency in the application of the GDPR, and uniformity proves illusory. Canada’s constitutional federation has all the makings to lead us in the same direction. The challenge and the strategy is for governments to ensure interoperability of laws and for organizations to develop cohesive internal compliance mechanisms.

1. Canada’s constitutional privacy law framework

Simply to set the stage, it is helpful to step back and situate the Canadian privacy regulatory framework in its constitutional context.

Constitutionalists will argue that Canada is the only truly federated state because of the degree of autonomy of each level of government, ensured by the clear division of revenue sources and legislative power. That is the context of the Canadian privacy regulatory framework. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) was adopted under the federal government’s legislative competence over “Trade and Commerce” (Article 91(2) of the Constitution Act of 1867). Québec challenges the constitutionality of PIPEDA, arguing that the protection of personal information in the private sector rests exclusively within provincial legislative competence over “Property and Civil Rights” (Article 92(13)). Provincial privacy laws deemed “substantially similar” to PIPEDA apply within the sphere of provincial jurisdiction. Concretely, this means organizations need to comply with the following division of privacy law within Canada:

  • Organizations that fall within the legislative authority of the federal government, such as airlines, banks or telcos, are entirely governed by PIPEDA in relation to both their customer data and their employee data (section 4(1) PIPEDA);
  • Organizations that do not fall within the authority of the federal government but are pan-Canadian, such as national retailers, will be governed by both PIPEDA and provincial legislation:
    • Where the province has enacted its own private sector privacy legislation, being Alberta, with the Personal Information Protection Act (Alberta PIPA), British Columbia with its own Personal Information Protection Act (BC PIPA), and Québec with an Act respecting the protection of personal information in the private sector (Québec Act), the organization must comply with those laws in that province in relation to its customers’ as well as its employees’ information;
    • In the other provinces and territories, the organization must comply with PIPEDA in relation to its customer information but there is a legal void in relation to employee information; that being said, because privacy is a fundamental human right, PIPEDA has been recognized to have quasi-constitutional status and employee information is expected to be protected in accordance with the principles enshrined in privacy law.
  • Organizations that do not fall within the authority of the federal government and operate in one province or one territory only are governed as follows:
    • Where the province has not adopted private sector privacy law, they are governed by PIPEDA for their customer data and, as above, through a legal void, by principles of privacy in relation to their employees;
    • Where the province has adopted private sector privacy law, they are governed entirely by that law in relation to both their customer and employee information.
  • Organizations in the health sector, such as pharmacies, are governed by provincial and territorial health information protection laws except in British Columbia and Québec, where they are governed by the private sector privacy law and in Nunavut where they are governed by PIPEDA.

To ensure interoperability through this legislative quilt, two strategies are imperative: i) legislative consistency among privacy laws such that they are substantively similar, and ii) clear delineation of scope, such as section 3 of the BC PIPA excluding from its application the collection, use or disclosure of personal information, if “the federal Act applies to [it]”.

Both strategies appear at risk as Canadian privacy law reform plans evolve independently. Still, organizations can achieve harmonization in their privacy programs with their own strategies. We will come to that after having surveyed how main emerging trends in privacy law reform in Canada converge and diverge.

2. Emerging data protection trends and regulations

Trends in Canadian privacy law reform appear from four legislative proposals, at various stages of adoption: i) Québec Bill 64, amending An Act respecting the protection of personal information in the private sector, passed on September 22, 2021, is set to come into force gradually on September 22, 2022, 2023 and 2024; ii) former Bill C-11, An Act to Implement the Digital Charter 2020, introduced on November 17, 2020, died on the Order Paper due to the election and will be re-introduced in a form similar or identical to the earlier version; iii) the Ontario White Paper on Modernizing Privacy in Ontario leads a public consultation in view of adopting an Ontario private sector privacy law; iv) the Report of the British Columbia Legislative Assembly Special Committee to Review the Personal Information Protection Act was released on December 6, 2021.

These legislative proposals have much in common:

  • Consent requirements are increased to ensure “meaningful consent”;
  • Transparency requirements are also higher to ensure simple, clear and accessible privacy policies, inherent to ensuring meaningful consent;
  • Explicit consent is required for the processing of sensitive data;
  • Automatic decision-making systems (ADS), referring to the use of artificial intelligence, are subject to specific transparency requirements to counter both discrimination through algorithmic bias and violation of privacy through excessive collection;
  • Privacy regulation now includes within its scope de-identified and anonymized information;
  • Breach notification will be mandatory where there is a risk of significant harm;
  • Additional individual rights are considered, such as the right to disposal or right to be forgotten and the right to portability;
  • Regulators will have enforcement powers with fines proportionate to the organization’s revenues.

The report of the British Columbia Special Committee stresses the need to maintain BC privacy legislation “substantially similar” to PIPEDA and to aim at adequacy with the GDPR.

But these legislative proposals differ on critical points:

  • Québec’s Bill 64 subjects transfer of personal information outside Québec to a privacy impact assessment to ensure the jurisdiction of destination provides adequate protection; other proposed legislation only requires notification of the individual;
  • Bill 64 makes privacy impact assessments (PIAs) mandatory in relation to certain operations increasing privacy risk; the only other reference to PIAs is raised as a question for consultation in the Ontario White Paper;
  • Bill 64 creates access and challenge rights around ADS, beyond other legislation or proposals;
  • “De-identified” and “anonymized” information are defined and treated differently among the legislative proposals.

3. Strategies for harmonization in organizations’ internal compliance programs

To implement cohesive and operational internal privacy compliance programs, organizations may pursue the following strategies:

  • Elevating the privacy program to one, highest common denominator: that was Microsoft’s strategy upon the adoption of the California Consumer Privacy Act (CCPA). It announced that, throughout the United States, it would comply with the requirements of the CCPA.
  • Following action from and between different Data Protection Authorities (DPAs). As DPAs proceed to joint enforcement action or release joint policy statements, as they often do, common positions emerge in the application of diverse privacy laws. They serve as guidance for organizational compliance in a diversified privacy regime.
  • Approaching cross-border data transfers for the real privacy risks they raise. Hosting data in certain states, for political, economic and/or legal reasons, undermines the security of the data. Both privacy law, as a matter of accountability for safeguarding personal data, and consumer expectations impose due diligence in cross-border data transfers. Adopting a PIA process to identify low- to high-risk cross-border transfers could both ensure compliance where required and serve to guide decisions on data storage on a long-term basis, informing supplier risk management.
  • Ensuring the integrity of artificial intelligence processes or the use of ADS is a matter of organizational risk management in general. No organization wants recruitment efforts skewed by algorithmic bias, or to lose control over ADS for lack of algorithmic transparency. Discipline around ADS will assist organizations in providing a general account of its use to meet their transparency obligations and will ensure the integrity of ADS both in relation to the organization’s corporate objectives and to its obligations under privacy law on the use of ADS.
  • Achieving convergence in a global privacy data program is an organization’s best strategy to bring certainty, clarity and effectiveness to its internal compliance mechanisms. Global corporate privacy and security policies, supported by intra-group agreements, offer a robust governance structure to ensure compliance with diverse privacy regimes. Without the formality of Binding Corporate Rules, global policies implemented through an intra-group agreement provide convergence of privacy rules for the organization and an internal accountability mechanism to ensure their implementation.

These strategies have already proven successful for many organizations. Still, they do not relieve governments of their duty to ensure a cohesive privacy regulatory framework.