Written by Miranda Bocci
Graduate, B.A. (Hons.), University of Toronto
Disclaimer: Please note that the views expressed below represent the opinions of the article's author. The following does not necessarily represent the views of Law & Order.
In late 2020, Canadian leaders proposed a replacement of current privacy laws with a legislative framework for information sharing that reflects the emerging trends of the COVID-19 era. The acceleration of digital transformation, the redefinition of globalization, and urban transformation due to change in workplace habits are some examples of recent trends that call for greater sensitivity to data protection laws.
The nation’s current privacy act was enacted in 1983 , a time when data was predominantly stored on paper. Due to fears surrounding privacy breaches, major financial institutions and corporations were reluctant to convert their services from paper to digital. However, since then, banks such as the Toronto-Dominion Bank, the Bank of Nova Scotia, and the RBC Royal Bank of Canada, as well as a few well-known law firms in the province of Ontario, have been pioneers in the paperless world.
A revamp of Canada’s Privacy Act will serve to promote these corporations’ efforts in protecting sensitive and confidential information.
The old privacy system set out rules for how Canadian institutions “collect, use, disclose, retain and dispose” of individuals’ personal information. But new policies that address the needs arising out of the COVID-19 era will require Canada’s Privacy Act to be restructured into a legislative framework that is more in line with the post-2020 world.
The proposed Bill C-11 seeks to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and “to make related and consequential amendments to other Acts.” Should the CPPA be adopted, stricter enforcement and data privacy regulations are anticipated. A recent publication on JDSUPRA notes that it will be one of the “strictest privacy laws in the world” and “comparable to the GDPR and California’s privacy regulation.”
However, structural issues in the EU’s General Data Protection Regulation (GDPR) have caused much skepticism about the usefulness of Canada’s proposed Bill C-11 . The EU’s GDPR, which was implemented in 2018, has consistently suffered from a failure of enforcement ever since its implementation, though leaders insist that the regulation is working . While it remains to be seen whether the GDPR’s less than impressive success will show an eventual improvement, the increase in privacy breaches ever since the regulation was ratified has raised some concerns about Canada’s capacity to avoid a similar situation.
The EU’s GDPR and Canada’s Privacy Act are both designed around notions of transparency and accountability through compliance with the law and the 10 fair information principles. The crucial difference lies in how each instrument defines the meaning of consent within the purview of data protection laws. The GDPR has a strict model for consent defined in Article 4(11) as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,” which also includes six requirements that must be met for businesses to prove their due diligence ; on the other hand, PIPEDA’s own definition of the term is not as elaborate.
Some have argued that the GDPR’s stringent requirements (for example, having to conduct regular trainings “to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and identification of personal data breaches as soon as possible”) are the reason behind the EU’s failure to enforce its privacy laws.
The more regulations there are, the less likely it is that they will be enforced. However, this line of reasoning leads to the assumption that PIPEDA’s less stringent requirements help explain Canada’s success. In fact, Canada’s fines for privacy breaches are higher than those in the EU, so it is more likely to be the deciding factor.
That leads some political activists to argue that the proposed Bill C-11’s higher fines will reduce privacy breaches, or at the very least address them; but its critics are not convinced that the bill has the capacity to meet the emerging needs of the post-COVID-19 world. Two criticisms have been mounted against the proposed bill. The first is that it will “create significant compliance risks for businesses [...]. The second is that, the most egregious CPPA violations would constitute offenses punishable upon prosecution, with a fine up to C$25,000,000 or five percent of the organization’s global gross revenues” . While there is no simple way to address these problems, if history has any insight to impart, it is that Canada’s courts have, more often than not, been reasonable about privacy breaches in which the business in question had legitimate justification to believe that it had achieved full compliance.
 Canada, Your rights under the Access to Information Act and Privacy Act, CANADA REVENUE AGENCY (Jun. 23, 2016), https://www.canada.ca/en/revenue-agency/corporate/about-canada-revenue-agency-cra/access-information-privacy-canada-revenue-agency/your-rights-under-access-information-act-privacy-act.html  Roslyn Layton, The 10 Problems of the GDPR, AMERICAN ENTERPRISE INSTITUTE (Mar. 12, 2019), https://www.judiciary.senate.gov/imo/media/doc/Layton%20Testimony1.pdf  Brussels, General Data Protection Regulation shows results, but work needs to continue, EUROPEAN COMMISSION – PRESS RELEASE (Jul. 24, 2019), file:///C:/Users/Miranda/Downloads/General_Data_Protection_Regulation_shows_results__but_work_needs_to_continue.pdf  Derek du Preez, The impact of GDPR – 160,000 breach notifications in Europe and €114m in fines, DIGINOMICA, https://diginomica.com/impact-gdpr-160000-breach-notifications-europe-and-eu114m-fines  Ben Wolford, What are the GDPR consent requirements?, GDPR.EU (2021), https://gdpr.eu/gdpr-consent-requirements/  Robert B., GDPR v. PIPEDA, TERMSFEED (Jan. 18, 2021), https://www.termsfeed.com/blog/gdpr-vs-pipeda/  Éloïse Gratton, Canada’s Consumer Privacy Protection Act: Impact for Businesses, RESPONSE MARKETING ASSOCIATION (Nov. 20, 2020), https://responsema.org/privacy/canadas-consumer-privacy-protection-act-impact-for-businesses/