Key recommendations for a new federal private sector privacy law
The Office of the Privacy Commissioner of Canada (OPC) has developed a number of recommendations for a new federal private sector privacy law to replace the current Personal Information Protection and Electronic Documents Act (PIPEDA).
These recommendations take into account proposals from the government on Bill C-11, the Digital Charter Implementation Act, 2020. Bill C-11 died on the order paper with the 2021 federal election call. The government has said it plans to introduce a new bill.
The recommendations are aimed at supporting the development of a new law that would enable responsible digital innovation within a legal framework that recognizes privacy as a fundamental human right. The OPC’s submission on C-11 provides further details about each recommendation.
Enable responsible innovation
Provide greater flexibility to organizations by introducing a legitimate commercial interests exception to consent, within a rights-based framework, rather than the overly broad exceptions of C-11. Amend slightly the socially beneficial purposes clause. (See Recommendations 14(ii) and 15 of the OPC’s C-11 submission)
Maintain C-11’s provisions regarding the use of de-identified information. (Recommendation 17)
Re-introduce the knowledge and understanding element of meaningful consent. (Recommendation 11)
Stipulate that personal information may not be collected for any purpose determined by an organization (self-regulation) but only for “specific, explicit and legitimate purposes.” (Recommendation 6)
Adopt a rights-based framework
Strengthen the constitutional grounding of the federal statute in trade and commerce, by making explicit that its purpose is to promote confidence and therefore the sustainability of information-based commerce. (Recommendation 2)
Having done so, adopt a preamble that gives the statute a rights-based approach that also recognizes the legitimate interest of organizations to process personal data. (Recommendation 1)
Replace the current purpose clause, which is based on the idea that privacy and commercial use of information are competing interests that must be balanced, and replace it with new ss. 5 and 12 which would recognize both the fundamental right of privacy and the legitimate need of organizations to process information for appropriate purposes. Prescribe factors to be considered by the regulator in determining what is appropriate. (Recommendations 2 to 5)
Make federal political parties subject to privacy law. (Recommendation 10)
Increase corporate accountability
Prescribe an objective standard for accountability, namely the obligation to implement a privacy management program “to ensure compliance” with the law. (Recommendation 20)
Authorize the OPC, as other privacy regulators worldwide, to perform proactive audits to ensure compliance with the law, so that organizations may demonstrate accountability (for example, algorithmic transparency) and consumers may have trust that they may participate in the digital economy without fear that their rights will be violated. (Recommendations 47 and 48)
Prescribe two important proactive practices, namely privacy by design and the obligation to undertake privacy impact assessments for high-risk activities. (Recommendation 22)
Ensure interoperability of laws, internationally and domestically
At a minimum, ensure Canada does not fall behind other trading partners on key elements of privacy laws as per a jurisdictional comparison chart. Act as recommended in the G7 Ministers’ recent declaration, which called for a human centric approach to post-pandemic prosperity guided by shared democratic values of competitive markets, human rights and international cooperation.
Domestically, ensure Canada leads in the adoption of high privacy standards and does not fall behind provinces that have or are about to adopt rights-based laws. Ensure the OPC has enforcement powers comparable to, and as effective and efficient as provincial counterparts (namely, have equivalent authorities to make orders, perform audits, impose fines, with equivalent appeal provisions), so that the federal regulator remains influential in the development of privacy law.
Adopt quick and effective remedies
Make all violations of the law subject to administrative penalties. Adopt the UK enforcement notice scheme, to ensure organizations understand the nature of a violation to be remedied before a penalty may be imposed. (Recommendation 38)
For greater transparency and fairness, broaden the list of factors to consider before administrative penalties are recommended or imposed. (Recommendation 39)
Authorize the OPC to impose administrative penalties and remove appeals to the proposed Tribunal, to ensure consumers truly have access to quick remedies and so that the federal OPC is not at a disadvantage compared to provincial commissioners in protecting consumers and having influence in the development of privacy law. (Recommendation 36)
Strengthen the compliance agreement scheme to ensure it can hasten the resolution of inquiries and lead to negotiated administrative penalties. (Recommendation 35)
Rewrite the criminal prosecutions scheme so that sanctions are actually possible. (Recommendation 52)
Give the OPC tools to adopt a risk-based approach while being transparent
To ensure consumers are not left without a remedy, expand the private right of action. (Recommendation 41)
Give the OPC discretion in selecting advisory files. (Recommendation 43)
Encourage rather than require the OPC to consider size and other factors, to avoid litigation. (Recommendation 46)
- Date modified: