Canadian provinces lead privacy reform efforts, eyeing Europe's GDPR

Canadian tech companies will soon be subject to tougher privacy laws as lawmakers face intense pressure to keep pace with European privacy standards and stay competitive in global e-commerce.

The federal government has promised to amend substantially Canada’s aging privacy statute, which currently regulates commercial activity without any threat of financial penalties: the Personal Information Protection and Electronic Documents Act, or PIPEDA.

But the federal government’s efforts are lagging. So provincial governments are stepping in and introducing their own updated privacy legislation. Québec has proposed Canada’s first European-style privacy statute, closely followed by Ontario, which this summer announced its commitment to enacting stronger commercial privacy legislation.

The efforts have raised concerns that a patchwork of local privacy laws with conflicting rules and regulations will soon emerge, imposing burdensome costs on Canadian companies. Critics point to the United States, where states such as California and Nevada have tried to fill the regulatory void left by the lack of a comprehensive federal privacy law, with confusing results, particularly for small businesses.

That outcome is unlikely in Canada. While difference are inevitable, it’s clear that provincial lawmakers are modeling their proposals closely after Europe’s General Data Protection Regulation. They will share the same core provisions granting GDPR-style privacy rights, including the right to be forgotten and the right to data portability. And they will include stiff penalties for violators.

— Adequacy concerns —

The EU set out to make GDPR a global standard, and it applies to any company outside the EU that engages in certain processing activities for EU citizens. It also imposes special requirements for transferring personal data outside of the European Economic Area (EEA) to countries that do not ensure an adequate level of protection.

Since a European Commission Declaration in 2001, Canada has enjoyed a limited “adequacy status” that applies only to data transferred to recipients bound by PIPEDA.

But PIPEDA’s status has not been reviewed since then, although Europe's Article 29 Data Protection Working Group assessed Québec privacy law in 2014 and did recommend some improvements.

Now some are worried that Canada could lose its adequacy status if it were to face a further review by the EU, especially after the US mechanism for transferring data to the EU has been invalided by the European Union Court of Justice due to inadequate protections from government access.

PIPEDA is insufficient, critics charge. PIPEDA is enforced by the Privacy Commissioner of Canada, which has no power to order compliance or administer penalties. Without the threat of stiff penalties, the law lacks any teeth, some say.

Instead, PIPEDA relies on the good will of companies to be on their best behavior, which doesn’t always work. Canada’s privacy commissioner is trying to force Facebook to change its personal data-sharing practices in the wake of the Cambridge Analytica data breach, which the social network is fighting in court, arguing the commissioner is exceeding his authority.

Members of Canada’s House of Commons Standing Committee on Access to Information, Privacy and Ethics agreed more than two years ago that PIPEDA needs an update, releasing a report with 19 recommendations on how to update the law.

The federal government responded with its own report in June 2018, saying it shared the committee’s view that the law needs to be updated, and that it was committed to studying privacy reform because the business rules for using personal information need to be clear and enforceable.

Then in May 2019, the federal government issued a discussion paper titled "Strengthening Privacy for the Digital Age," which laid out a general direction for strengthening enforcement mechanisms.

— Quebec’s Bill 64 —

Instead of waiting for the federal government to take action, Quebec has opted to introduce Bill 64, “An Act to modernize legislative provisions as regards the protection of personal information,” which incorporates numerous features of the GDPR.

It includes breach reporting requirements and new individual rights, including a right to data portability, the right to be forgotten, the right to object to automatic processing, and the right to receive notice if someone is subject to surveillance.

It would also set up an accountability framework, establishing the role of privacy officers and requiring governance policies and practices, such as privacy by design requirements.

In a videoconference address to the National Assembly of Quebec on Sept. 24, Daniel Therrien, the Privacy Commissioner of Canada, urged Quebec not to go too far with consent requirements.

“My suggestion would be not to shy away from using the GDPR as a source of inspiration, but to avoid going beyond it, unless you deem it necessary for specific provisions,” he said.

Quebec should follow the European model and allow some information to be used without consent, if that is necessary to perform a task for the public interest or for a legitimate business interest, Therrien said.

Bill 64 would also significantly increase the fines that may be levied against companies that fail to comply with the law. Private companies could be subject to fines ranging from C$15,000 to C$25,000,000, or up to 4 percent of worldwide turnover for the preceding fiscal year, whichever is greater.

And it would create a private right of action so consumers can seek a minimum award of $1,000 in punitive damages. Some version of the proposal is expected to be adopted sometime in the spring of 2021.

— Ontario, British Columbia —

Ontario, which is Canada’s largest province by population, is looking to follow Quebec, announcing in August that the province is launching its own privacy reform initiative, declaring “we are committed to creating a unique, made-in-Ontario solution to today’s privacy challenges.”

Ontario is seeking public comment and conducting town halls based on a policy paper that discusses the rights provided in both GDPR and Bill 64, including the right to be forgotten and data portability, and the power to issue tough fines for non-compliance.

The province is looking at ways to increase transparency about how businesses collect, use and disclose personal information, and to enhance consent to allow individuals to revoke permission at any time.

Like Quebec, Ontario is also considering allowing increased enforcement powers and the ability to levy substantial fees.

British Columbia could be next. A review of the British Columbia Personal Information Protection Act is underway.

In June, British Columbia Information and Privacy Commissioner Michael McEvoy filed a paper calling for reforms modeled after GDPR. McEvoy is also lobbying for mandatory breach reporting requirements, stronger audit and investigative powers, and the power to levy “substantial” administrative penalties.

“The trend to global privacy law reform is not limited to Europe,” McEvoy said. “Many of the principles of GDPR have been embraced from California to Japan. British Columbia must pay heed to global currents for both the benefit of our citizens and for businesses that market themselves within BC and across the world.”