European Influence and the Modernization of Canadian Privacy Law: Is Alberta Next?
November 2020 - 5 min read
Canada’s privacy laws have arguably lagged behind the European Union’s for years. The EU’s General Data Protection Regulation (GDPR) incorporates a human rights-based approach to privacy within its data protection legislation, including a right to be forgotten. The GDPR carries significant penalties and, at least theoretically, robust enforcement mechanisms. Based in Dublin, the European regulator has initiated enforcement against several tech giants, including Twitter, Google, and, most recently, the dating app Tinder. Fines are no small matter under the GDPR - the regulator has the power to impose fines equal to the greater of $20 million or 4% of global turnover.
This fall, Quebec’s National Assembly conducted a number of special consultations and reviews on a bill that would bring the province’s privacy legislation in line with many of the privacy principles found in the GDPR. If enacted, Bill C-64 will initiate significant changes to Quebec’s privacy legislation, including the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c P-39.1 (the “Act”). The Privacy Commissioner of Canada has recommended similar changes in the past. These changes will be watched across Canada, including in Alberta, where reviews of the Personal Information Protection Act (PIPA) have taken place but large-scale reform has not followed in recent years.
While some of the proposed amendments bring Quebec in line with existing Canadian private sector legislation like PIPA and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Bill C-64 launches Quebec to the forefront of Canadian privacy regulation by proposing several changes:
Greater Accountability + Transparency
- Privacy by design becomes an ingrained legislated principle. Any person carrying on an enterprise that collects personal information when offering a technological product or service must ensure that the parameters of the technological products or services used to collect personal information provide the “highest level of confidentiality by default, without any intervention by the person concerned” (s. 95).
- An organization’s obligation to appoint a privacy officer is commonly recognized in Canada. Still, Bill C-64 explicitly places responsibility for implementation of and compliance with the Act at the very top (the “person exercising the highest authority”), although written delegation is permitted (s. 95).
- A person carrying on an enterprise will be required to implement policies and practices for the keeping and destruction of information, defining personnel’s responsibilities through the life cycle of the information, and outlining a process for dealing with privacy-related complaints (s. 95).
- Privacy assessments (akin to “Privacy Impact Assessments” in Alberta) will need to be completed in relation to any information system project or electronic service delivery project that involves the collection, use, release, keeping or destruction of personal information (s. 95).
- Additionally, Bill C-64 requires a person carrying on an enterprise to conduct a privacy assessment prior to communicating information outside of Quebec. The assessment must determine if the information will receive similar protection in the State in which the information would be communicated, including looking at the State’s legal framework and the framework’s degree of equivalency with the personal information protection principles of Quebec (s. 103).
Protection of Personal Information
- Basic principles of consent to collect, use, and disclose personal information are maintained but strengthened in some instances. For example, express consent must be provided when “sensitive personal information” is being collected (s. 102).
- Bill C-64 also introduces certain exceptions to facilitate business activities, including an exception that would allow the disclosure of information to conclude a commercial transaction (s. 107). Certain criteria, including limitations on use, must still be met.
- Perhaps of most significant interest to other jurisdictions is Bill C-64’s explicit expansion of individual rights, similar to the framework embodied in the GDPR. If enacted, individuals will have:
- A right to data portability and the ability to access computerized personal information collected from them. The data must be communicated in “a structured, commonly used technological format” unless doing so “raises serious practical difficulties” for the enterprise (s. 112).
- A right to be forgotten and to the de-indexing of personal information in certain circumstances (s. 113).
- A right to be informed of the personal information used by an enterprise to make a decision through automated processing (s. 103).
Robust Enforcement + Significant Penalties
- The Quebec privacy regulator will have the power to directly impose monetary penalties on businesses for contraventions of the Act (s. 150). Administrative monetary penalties may reach a maximum of $50,000 in the case of a natural person and, in all other cases, the greater of $10 million or 2% of worldwide turnover.
- Fines for offences will be even more significant and could reach up to $25 million or 4% of worldwide turnover.
- Bill C-64 will allow a private right of action, with punitive damages being made available for infringements that are intentional or result from gross fault.
Implications for Alberta
Bill C-64 will continue to be reviewed in the coming weeks. It will likely set a standard for other provinces and territories as they ultimately look at overhauling or implementing their own legislation. The Information and Privacy Commissioner of Ontario raises similar themes in her recent discussion paper on Ontario private sector privacy reform. What can be expected in Alberta, and what may organizations anticipate?
- Responsibility for privacy compliance will increasingly run from the top down and not the other way around. While administrative leaders within an organization can delegate as necessary, they must remain informed of all privacy-related issues - from day to day regulatory compliance to breach mitigation and response.
- The concept of privacy by design has largely been aspirational in Canada. However, organizations will be expected to consider privacy by default when creating or implementing new technologies and systems. While Privacy Impact Assessments remain mandatory only for health custodians in Alberta under the Health Information Act, the Alberta Office of the Information and Privacy Commissioner has long encouraged public bodies and private organizations to submit Privacy Impact Assessments as well. Organizations will need to dedicate additional resources to evaluating new information handling processes at the outset. Still, an early assessment may save significant time and expense in dealing with breaches, complaints, and litigation later on.
- As part of a privacy assessment, organizations should evaluate issues of data portability. While PIPA is currently less prescriptive about the format in which information must be provided to an applicant making an access request, there is an increasing trend toward, and requirement for, organizations to provide access to personal information in a meaningful and useful format. This should be considered when new databases and repositories are being evaluated for use.
- Private sector privacy legislation often recognizes an organization’s need to retain third party service providers to handle personal information. However, it is generally understood that service providers should provide the same level of data protection as the organization relying on their services. Privacy legislation may become increasingly prescriptive concerning the terms that must be included in such service agreements.
- The private right of action provisions under PIPA remain relatively untested in Alberta. However, as individuals continue to be educated about individual privacy rights, claims of this nature may continue to arise through civil actions. Organizations should also be aware of the risk of punitive damages for intentional acts or acts of gross negligence.
If you would like to find out more about Privacy Impact Assessments, or if you have any questions about how the review of PIPA could impact your organization, please contact Field Law's Privacy + Data Management Group.