Keeping up with what’s happening in this changing environment will help you avoid the quicksand without relinquishing the legitimate business purposes for using data. The following article summarizes anticipated changes relating to privacy legislation, cross-border data transfers, and sensitive data requirements such as biometric data and automated decisions.
What’s on the table in Canada?
Québec: Passed in September 2021, Québec’s Bill 64 is set to shake the Canadian privacy landscape with a fundamentally new GDPR-inspired law with massive penalties for non-compliance of up to 8% of annual worldwide turnover for repeat offenders. Bill 64 introduced unique cyber incident reporting obligations, including a requirement to notify individuals if a confidentiality incident poses a “risk of serious injury,” as well as to take reasonable measures to reduce the risk of injury and prevent new incidents. The new transparency and consent standards require that consent be clear, free, informed and provided for specific purposes, which is a higher standard than that imposed by Canada’s current federal privacy legislation, PIPEDA. Bill 64’s operational requirements for cross-border transfers of personal information task organizations with conducting impact assessments using prescribed privacy-related factors prior to communicating personal information outside of Québec. Privacy by default and privacy by design provisions will require a real change in mindset when acquiring technologies and designing new programs. New user rights will require new compliance approaches. Bill 64 starts to come into force in September 2022, with the penalties and most of the key provisions coming into force in September 2023.
Federal: Proposed in 2020 and potentially back on the table in similar form within the coming year, Bill C-11 would repeal PIPEDA and enact in its place the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). The CPPA seeks to introduce new requirements for data protection in Canada and would apply to personal information that is collected in Canada. Although the Privacy Commissioner of Canada has referred to the legislation as a “step backwards,” if reintroduced and passed in similar form, Bill C-11 would significantly alter the Canadian privacy landscape, as it would pair important requirements with significant penalties of up to 5% of an organization’s gross global revenues.
Ontario: Released in June 2021, the white paper Modernizing Privacy in Ontario proposes substantial changes for a new provincial privacy statute. Broadly speaking, the white paper proposals suggest implementing stricter and less flexible requirements than those proposed in the CPPA. Although rumoured to be on the back burner as the provincial government focuses on other priorities, if introduced and passed, the Modernizing Privacy in Ontario model would introduce GDPR-inspired rights, enforcement, and penalties, including for employee personal information that currently falls into a grey area for most Ontario businesses. Also worth perusing is the Ontario IPC’s response to Modernizing Privacy in Ontario, which sets out an extensive wish list, including empowering the IPC to offer compliance support tools, such as advisory services, sectoral codes of practice and certification programs, with a special focus on “agile” regulation of SMEs. Helpfully, the IPC also calls for penalty powers that include “consideration of any regulatory action already taken by other jurisdictions as a possible mitigating factor, ensuring a harmonized, fair and proportionate approach.”
British Columbia: This fall, Bill 22 was introduced and passed in British Columbia to amend the Freedom of Information and Protection of Privacy Act (FIPPA). A notable change that would affect public bodies in the province is the elimination of the requirement to store and allow access to personal information only from within Canada. This would increase the number of service providers available to the government, as many providers do not have a physical presence in Canada. Bill 22 makes room for the possibility that these cross-border data transfers would be governed by regulations and permitted.
Classifying the nature of privacy rights: Not only are we seeing specific rights — such as the right to be forgotten or the right to data portability — explicitly enumerated within privacy legislation, but there are some murmurs that proposed laws could recognize privacy as a fundamental right. For example, in modernizing its privacy legislation, the Ontario white paper is considering the possibility of recognizing a fundamental right to privacy within the preamble of the provincial privacy legislation. Currently, Québec is the only province that recognizes a right to privacy, which is explicitly set out in s. 5 of the Québec Charter of Human Rights and Freedoms and Civil Code. The OPC has criticized the lack of a rights-focused preamble and purpose clause in other proposed legislation, including the CPPA, but has not yet seen its lobbying efforts bear fruit federally.
This consideration arises at an interesting time, namely one in which the courts seem to be questioning the value of describing privacy as a “quasi-constitutional right.”
In 2021, the Supreme Court of Canada characterized “the nature of limits of privacy as being in a state of ‘theoretical disarray’” and cautioned that “recognizing an important interest in privacy generally could prove to be too open-ended and difficult to apply.” It emphasized that “much turns on the context in which privacy is invoked.” These statements followed other Supreme Court decisions of the past decade (Royal Bank of Canada v. Trang, Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers), in which privacy rights gave way to more compelling competing interests, demonstrating that contextual evaluation of privacy is the preferred judicial approach. Given the broad spectrum of privacy protections — spanning from a name and mailing address to the most intimate and impactful information about a person — as well as the propensity for privacy to clash with fundamental rights and values, the reluctance to treat privacy as a unitary concept seems a wise approach.
Much higher penalties: Currently, PIPEDA only permits maximum fines of C$100,000 for indictable offences. Bill C-11 would see that tribunals could impose fines of up to C$10 million or 4% of an organization’s gross global revenue, and that more serious offences could lead to fines of the higher of C$25 million or 5% of gross global revenue.
In Québec, Bill 64’s penalty clauses are even more severe, with repeat offenders exposed to penalties of C$50 million or 8% of annual worldwide revenues, whichever is greater. Unhelpfully, the legislative penalty factors do not take into account the potential for penalties being awarded elsewhere premised on the same facts, thus potentially leading to “multiple jeopardy” for a privacy incident that crosses many borders and attracts the attention of many regulators.
Separation of investigation and decision-making powers: If reintroduced and passed in similar form, the CPPA would grant enhanced oversight authority to the Privacy Commissioner of Canada through a range of auditing, investigating, and order-making powers. The greatest departure from existing privacy law regimes both at home and abroad would be the creation of a tribunal that would hear administrative appeals following decisions rendered by the Privacy Commissioner of Canada. The tribunal would also be able to impose financial penalties. The tribunal would provide a layer of independence compared to existing structures in Canada, where there is a concern that the “judge, jury and executioner” are all working out of the same regulatory agency. The complexities of this regime are discussed at more length in our blog on The CPPA’s Privacy Law Enforcement Regime. By contrast, the CAI in Québec is taking carriage of enforcement matters under Bill 64, with fining powers of 2% of annual worldwide turnover or C$10 million. It has promised to develop and make public a general framework for the application of administrative monetary penalties before Bill 64 comes into force.
Cross-border data transfer complexities
Canada’s adequacy decision: Under a 2001 decision by the European Commission (most recently reaffirmed in May 2018), Canada is considered to provide an adequate level of protection for personal data transferred from the EU to recipients subject to PIPEDA, while in 2014, the EU Article 29 Working Party did not recommend that Québec receive a favourable adequacy assessment until certain improvements were made to its private sector law. Article 45(4) of the GDPR requires the Commission, on an ongoing basis, to monitor privacy-related developments in Canada that could affect the functioning of the existing adequacy decision. Unless Canada amends its federal data protection laws prior to the next review (which occurs every four years, beginning in May 2020), it is widely expected that Canada will not maintain its current adequacy status. Where there is no adequacy decision, a Transfer Impact Assessment must be completed (see full recommendations in PDF form).
Divergent approaches: The cross-border data transfer requirements of Bill 64 are a sharp contrast to the CPPA’s liberal approach that would not restrict the transfer of personal information outside of Canada or require organizations to undertake impact assessments for such transfers. Under Bill 64, before communicating personal information outside of Québec, an organization must conduct a Privacy Impact Assessment (PIA) and then enter into a written agreement that considers the outcome of the PIA and establishes adequate protections taking into account the sensitivity of the personal information, the purpose for which it is to be used, safeguards, and the receiving jurisdiction’s legal framework.
Trends in biometrics & automated decision making
Automated decision making: Following Bill 64, Québec is the first Canadian jurisdiction to introduce a right to be informed about decisions made with automated decision systems (ADS). Being informed about an ADS decision includes being informed about the principal factors and parameters that resulted in the decision, as well as the ability to comment or object to the decision. This means that companies need to get prepared to explain the ADS. The CPPA proposed similar ADS requirements, including requiring organizations to publish a general account of their use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them, as well as an explanation of a prediction, recommendation or decision made about a specific person.
Ontario’s white paper proposal goes one step further, prohibiting ADS where the decision would significantly affect an individual, unless the individual’s express consent is obtained, or such a decision is authorized by law or necessary under contract. This is consistent with Article 22 of the GDPR, which (subject to certain exceptions) provides that data subjects shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. It also prohibits decisions based on the “special categories” of data, including race, political opinions and biometric data for the purpose of uniquely identifying a natural person. Automated decisions are permitted if the decision is necessary for entering into or the performance of a contract, authorized by Union or Member State law, or based on the data subject’s explicit consent.
How to prepare: Organizations that currently use or plan to use AI systems for their activities should prioritize the following items:
- an Algorithmic Impact Assessment to identify the level of impact the ADS may have and to assess the possible harms;
- conveying the ADS in a manner that ensures consent; and
- providing a mechanism for human review of ADS.
In Canada, Algorithmic Impact Assessment requirements have so far appeared only in the Directive on Automated Decision-Making. Although it is limited in scope and applicable only to the public sector, the Directive is consistent with the increasing demand for impact assessments in a variety of contexts.
Biometrics: In keeping with the greater enforcement powers cropping up in privacy legislation, Québec’s Act to Establish a Legal Framework for Information Technology (AELFIT) provides for a new 60-day deadline to disclose to the CAI the creation of a biometric feature or measure bank before it is deployed. Express consent before the use of biometrics is required.
How to prepare: These two features — oversight and consent — are in keeping with the principles-based approach applied in Canada and will likely continue into the future. If your organization is considering using biometric data, be sure to crystallize a plan using the life cycle of the data as a guide.
Strategies for success
Privacy legislation is top of mind for legislatures across the world. Organizations need to be prepared to adapt to new privacy legislation from various levels of government within the narrow time frames prescribed by law, or risk facing hefty fines for non-compliance.
Impact assessments: Whether Privacy, Transfer, or Algorithmic, the trend toward mandating impact assessments across increasingly diverse contexts is likely to continue. Although PIPEDA imposes no such requirement, Bill 64 introduced impact assessments when transferring data outside of Québec and when acquiring, developing or overhauling an information or electronic service delivery system involving the handling of personal information. The CPPA would introduce a variation on the theme by requiring that a privacy management program be implemented. The GDPR already mandates impact assessments when there is a high risk to the rights and freedoms of natural persons, such as when new technologies or ADS are used.
How to prepare: Ensure that your organization has organization-specific impact assessment templates, in addition to internal standard operating procedures (SOPs) that flag when to conduct mandatory and recommended impact assessments based on legislative requirements. Recognize that different jurisdictions have different requirements for when and how to conduct impact assessments.
Anonymization and minimization: Under PIPEDA and the GDPR, de-identified information is not “personal information” because it is not information about an identifiable individual. Although there is some ambiguity in the CPPA, the proposed “de-identification” changes appear to treat all de-identified information as being subject to the CPPA. This could jeopardize the harmonization of our laws within Canada and potentially damage our country’s ability to compete. For more information, please see our article: CPPA: Identifying the Inscrutable Meaning and Policy Behind the De-Identifying Provisions.
How to prepare: Innovative approaches to the anonymization of data, such as suppressing, scrambling and generalizing data, can reduce the need to store personal information while maintaining the quality of analytics. For a more detailed analysis, please read the section below on Strategic Uses of Data Anonymization and Data Minimization in Data Analytics.
Know your data: Identifying and locating personal information, and then automating this process, will be the key to ensuring compliance with current and future laws.
How to prepare: Knowing your data requires implementing an information governance strategy to identify personal information, developing clear policies and procedures to manage the lifecycle of the data, creating a data map to track where the information is stored, leveraging technology to help implement the policies, and training employees to manage personal information.
By Daniel Glover and Ella Hantho