By Cristina Onosé, MA, CIPP.C, CIPM
The rapid adoption of technologies amid the current pandemic has pushed privacy and security to the forefront of key public policy issues. Several provinces have already announced their intent to introduce or update privacy laws, pressuring the federal government to speed up (already planned) privacy law reforms. Here are three (3) important public policy developments to which organizations need to pay close attention.
The Ontario government recently wrapped up a public consultation seeking input from industry, consumer groups and others on the potential need for a made-in-Ontario, private-sector privacy law. This idea is certainly not a new one; in 2018, a private members bill was introduced detailing draft privacy rules that would apply to businesses operating in Ontario, but was suspended following the provincial elections which saw a new government come to power. Other provinces, including Alberta, BC and Quebec, have already enacted provincial privacy laws deemed substantially similar to Canada’s Personal Information and Electronic Documents Act (PIPEDA).
Ontario’s new privacy commissioner, Patricia Kosseim, is overall supportive of the provincial government’s initiative which in her opinion “recognizes modern business realities of different-sized organizations and aims to solve problems rather than add to the regulatory load”. The government initiative includes several considerations: (1) Increased Consent and Clear Transparency, (2) Data Rights: Erasure and Portability, (3) Oversight, Enforcement, and Fines, (4) Application to Non-commercial Organizations, (5) Deidentified Personal Information and Data Derived from Personal Information, and (6) Exploring the possibility of ‘data trusts’ to enable data sharing.
An overlap in requirements and enforcement between provincial and federal regulations can potentially increase costs and regulatory headaches for businesses. Many of Ontario’s recommendations are either currently provided under PIPEDA (e.g. consent, transparency, etc. albeit to various extents), or are currently being assessed (e.g. right to be forgotten, data portability, etc.) by the federal government as part of upcoming reforms to PIPEDA.
In June 2020, the Quebec government tabled Bill 64, an Act to modernize the Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Privacy Act”). If enacted, Bill 64 will expose companies to significant financial penalties and damages which may be similar, if not even more severe than those prescribed by the EU's General Data Protection Regulation (GDPR).
Concerns regarding the Bill’s impacts on organizations are further amplified by the fact that many of the proposed provisions not only meet many of GDPR’s prescriptive standards, but in some cases even surpass them. For example, the proposed consent requirements would require organizations to seek consent for each specific purpose, separately from any other information. The GDPR does not have such complex requirements, nor does it treat consent as the primary authority for processing personal information.
Undoubtedly, organizations operating in Quebec could be severely impacted by these reforms. It would not be surprising to see many of them move operations outside of the province to avoid the legal, financial and operational challenges that they would have to face if the Bill passes in its current form.
In a recent op-ed, Federal Privacy Commissioner Daniel Therrien argues that the increased use of technology amid the current pandemic highlights important privacy risks for Canadians. In his opinion, new laws are “urgently needed that allow technologies to produce benefits in the public interest while ensuring fundamental rights such as privacy will be protected”. In other words, Commissioner Therrien says our current federal laws do not provide a level of protection suited to the digital environment.
It is not the first time we’re seeing the Commissioner push for changes to PIPEDA, nor for recognizing privacy as a human right. The op-ed makes the case that our current privacy laws are drafted largely as data protection statutes rather than as laws that protect and promote the exercise of a broad range of rights. Canada’s Charter of Rights and Freedoms doesn’t expressly make privacy a fundamental right, although the Courts do require private and public sector bodies to protect the collection of personal data and report data breaches.
Important changes to PIPEDA are coming. The federal government’s current digital agenda includes reforms to PIPEDA. ISED, the ministry overseeing this process has already consulted with industry (including PwC) and other groups over the past 2 years. Understandably, other files have taken priority due to the current pandemic but it is clear from the provincial developments highlighted above (and proposed privacy reforms in BC) that PIPEDA reforms need to be fast-tracked.
The provincial developments point to the possibility of competing private-sector privacy rules across Canada that could result in conflicting rules, increased costs and business uncertainty. Although provincial privacy laws can help bridge regulatory gaps with PIPEDA, a strong national law is essential to reduce red tape and unnecessary regulatory business. This is not to say that provincial privacy protections are not needed, but the main source of privacy rights for Canadians needs to come from the federal level. The provinces can then help fill the gaps.
About the Author:
Cristina is part of the Cybersecurity, Privacy and Financial Crimes team at PwC Canada where she holds a dual role as Lead for Privacy Advocacy and Thought Leadership, as well as Cyber Threat Intelligence. She works with organizations to optimize their privacy and security programs, enhance consumer trust, ensure compliance with applicable privacy and security requirements, and intelligently assess cyber threats.
Source: LinkedIn Pulse
© Marketing Research and Intelligence Association