Renewing Canada’s Privacy Act, 1983
Written by Miranda Bocci
Graduate, B.A. (Hons.), University of Toronto
Disclaimer: Please note that the views expressed below represent the opinions of the article's author. The following does not necessarily represent the views of Law & Order.
In late 2020, Canadian leaders proposed a replacement to current privacy laws with a legislative framework for information sharing that reflects the emerging trends of the COVID-19 era. The nation’s current Privacy Act was enacted in 1983, a time when data was stored predominantly on paper. Due to fears surrounding privacy breaches, major financial institutions and corporations were reluctant to jump on the paperless bandwagon. However, since then banks such as the Toronto-Dominion Bank (TD), the Bank of Nova Scotia (Scotiabank), and the RBC Royal Bank of Canada (RBC), and as well as a few well-known law firms in the province of Ontario have been pioneers in the 20th Century digital revolution. The revamp of Canada’s Privacy Act, 1983 will further support these corporations’ efforts in protecting the confidential information of their staff and clients. It will also modernize medical and educational institutions and assist small businesses to thrive in the modern world.
Policies and governance structures that address the emerging needs of the COVID-19 era will certainly require at least some restructuring of the old privacy law system, with a legislative framework that is more in line with the post-2020 world.
To that end, Canada’s newly proposed Bill C-11 holds great promise, but without adequate public education on collective rights protection there is reason to question whether the outcome might be, at best, ambiguous.
Such a scenario is currently unfolding in Europe with the General Data Protection Regulation (GDPR) and has been the cause of much skepticism on the usefulness of Canada’s sister instrument. The EU’s GDPR – which was implemented in 2018 – has suffered from a failure of enforcement ever since its implementation, though leaders insist that the regulation is in fact working. Scholars, activists, and political theorists are not convinced. While only time will tell whether the GDPR’s less than impressive success will see an eventual improvement without the need for radical revisions, the increase in privacy breaches since the instrument’s coming into force has raised some concerns about Canada’s own capacity to avoid a similar situation.
The EU’s GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are both designed around notions of transparency and accountability, but the crucial difference lies in how each instrument defines the meaning of consent within the purview of privacy law. The GDPR has a strict model for consent which includes six requirements that must be met for businesses to prove their due diligence; but PIPEDA’s own definition of the term is less than clear.
It might well seem that the GDPR’s stringent requirements are the reason behind the EU’s failure in successfully enforcing its privacy laws, but that would inadvertently lead to the assumption that PIPEDA’s more ambiguous regulations might help to explain Canada’s success. This would be incorrect because PIPEDA’s definition of consent is only loosely defined, but its fines for privacy breaches are also higher than those in the EU. Furthermore, PIPEDA deals only with the private sector, whereas the GDPR covers both the private and public sectors. 6 Thus, Canada’s more vague privacy regulations and loose model for consent cannot be the underlying reason behind the nation’s success, but neither would stricter rules by the country’s answer to modernizing privacy laws. What Canada will need going forward is more federal funding for consumer protection awareness programs.
Recent trends have made it abundantly clear that public education on collective privacy rights is an absolute necessity for the country to avoid similar enforcement issues as those observed in the EU.
Organizations, corporations, banks, and legal entities must acknowledge their responsibility in implementing programs that instruct their employees and clients on how to stay protected online. Bill C-11 might be on the right track in addressing and responding to those issues, but its critics are not convinced that the bill has the capacity to meet the emerging needs of the post-COVID-19 world - which includes public awareness programs on the country’s privacy laws. Lack of access to these crucial programs can often lead to privacy issues for consumers, but also to greater hurdles for companies.
Two criticisms mounted against the proposed bill are that it will “create significant compliance risks for businesses. [...] Further, the most egregious CPPA violations would constitute offenses punishable, upon the prosecution, with a fine up to C$25,000,000 or 5 percent of the organization’s global gross revenues.” There is no simple way to address these problems but if history has any insight to impart, it is that Canada’s Courts have, more often than not, tended to be fairly reasonable on privacy breaches where the business in question had legitimate justification to believe that full compliance had been achieved. Educating the public on privacy rights and funding more consumer protection awareness programs will pre-empt these scenarios and create greater online safety for businesses and consumers in the post-COVID-19 era.
 Canada, Your rights under the Access to Information Act and Privacy Act, CANADA REVENUE AGENCY (Jun. 23, 2016), https://www.canada.ca/en/revenue-agency/corporate/about-canada-revenue-agency-cra/access-information-privacy-canada-revenue-agency/your-rights-under-access-information-act-privacy-act.html  Roslyn Layton, The 10 Problems of the GDPR, AMERICAN ENTERPRISE INSTITUTE (Mar. 12, 2019), https://www.judiciary.senate.gov/imo/media/doc/Layton%20Testimony1.pdf  Brussels, General Data Protection Regulation shows results, but work needs to continue, EUROPEAN COMMISSION – PRESS RELEASE (Jul. 24, 2019), file:///C:/Users/Miranda/Downloads/General_Data_Protection_Regulation_shows_results__but_work_needs_to_continue.pdf  Derek du Preez, The impact of GDPR – 160,000 breach notifications in Europe and €114m in fines, DIGINOMICA, https://diginomica.com/impact-gdpr-160000-breach-notifications-europe-and-eu114m-fines  Ben Wolford, What are the GDPR consent requirements?, GDPR.EU (2021), https://gdpr.eu/gdpr-consent-requirements/  Robert B., GDPR v. PIPEDA, TERMSFEED (Jan. 18, 2021), https://www.termsfeed.com/blog/gdpr-vs-pipeda/  Éloïse Gratton, Canada’s Consumer Privacy Protection Act: Impact for Businesses, RESPONSE MARKETING ASSOCIATION (Nov. 20, 2020), https://responsema.org/privacy/canadas-consumer-privacy-protection-act-impact-for-businesses/