It’s a busy time in the world of privacy. Canada will soon be facing the most significant changes to its federal private sector privacy law PIPEDA (the Personal Information and Protection of Information Act) in almost two decades. At the same time, the pandemic has underscored the importance of privacy and data issues by spurring a digital transformation on a level we’ve never seen before.
Privacy Law Reform Underway
Although the federal government will be focussed on COVID-19 issues well into the fall, we can expect PIPEDA reform to be a high priority once the parliamentary schedule begins to return to normal.
In the meantime, yet more legislative reform may be on the horizon as some provincial governments embark on introducing or modernizing their private sector privacy laws. At present, there are three provinces (B.C., Alberta and Quebec) with provincial privacy laws that apply - in place of PIPEDA - to private sector organizations operating entirely within their borders. Two of these provinces are looking at reforming their privacy laws and an additional province, Ontario, is planning to bring private sector privacy legislation to the province for the very first time.
Marketers should take note of the following updates:
On August 14, a Special Committee of the Legislative Assembly wrapped up a consultation on the reform of B.C.’s private sector privacy law, PIPA (the Personal Information and Protection Act). The Special Committee aims to make recommendations to the Legislative Assembly in a report to be released by February 2021.
The CMA submitted feedback to ensure PIPA remains a flexible law that will enable marketers to serve consumers effectively while protecting their privacy interests. See the full submission for details.
On June 12, the Government of Quebec introduced Bill 64, which contains proposed amendments to Quebec’s Act respecting the protection of personal information in the private sector. The current government has a majority in the National Assembly, and Bill 64 could be adopted, in some form, by the spring of 2021.
Bill 64 contains a number of new proposals inspired by more stringent privacy laws like the EU’s GDPR, including fines from the regulator of up to $10M (or up to 2 per cent of a company’s worldwide turnover), as well as new individual privacy rights for individuals, such as the right to data portability, which allows consumers to transfer their personal information between competitors.
Although the Bill contains some improvements, it is important that it be amended to ensure its measures are proportionate to the privacy goals at hand, without causing unnecessary complexity for consumers and businesses. In particular, the Bill’s proposed "adequacy" requirement, which requires Quebec companies to transfer personal information only to those jurisdictions whose legal frameworks have privacy protections equivalent to Quebec's, will complicate interprovincial and international business and trade.
The CMA will be providing feedback before the Bill goes back to Quebec's National Assembly this fall. CMA members with views to share should contact Fiona Wilson, Director of Government Relations.
On August 16, the Government of Ontario launched a consultation to create the province’s first-ever private sector privacy law.
The government is seeking input on several topics, including:
- New enforcement and fining powers for Ontario’s Information and Privacy Commissioner,
- Consent provisions allowing individuals to revoke consent at any time, including an opt-in consent model for secondary uses of their information,
- Clarity around the use of de-identified information,
- The establishment of “data trusts” for privacy protective data-sharing, and;
- New individual data portability and data deletion rights for individuals.
The deadline for submissions is October 1. CMA members who wish to provide feedback for the CMA’s submission should contact Fiona Wilson, Director of Government Relations (firstname.lastname@example.org).
International Updates Impacting Canadian Marketers
In addition to developments on the home front, Canadian organizations tracking and serving clients in other countries need to be aware of privacy law developments abroad. In May, we published a blog on the EU’s GDPR. Canada is still awaiting renewed adequacy status with the GDPR, which would ensure the continued transfer of EU citizen data to Canada without additional restrictions for organizations.
Final CCPA Regulations in Effect
On August 14, the final regulations under California Consumer Privacy Act (CCPA) came into effect, solidifying the compliance requirements for Canadian businesses subject to the law. (Check out our recent CCPA blog series for more on how the CCPA applies to Canadian for-profit organizations).
Canadian businesses will need to review the final revisions made to the Act in order to determine how they impact their current compliance plans. Businesses should pay close attention to provisions removed from the law, such as the requirement for a business that substantially interacts with consumers offline to provide notice to consumers through an offline method.
Opportunities to Stay Informed
For the latest privacy developments and guidance, check out our Privacy and Data Protection webpage. To hear directly from leading privacy and marketing experts, be sure to attend CMAprivacy, our annual privacy event for the marketing community, on October 20. And if you need to brush up on privacy compliance, our Privacy Essentials for Marketers workshop on November 18 and 19 is open for registrations.
Author: Fiona Wilson | Director, Government Relations @ CMA
Questions or comments? E-mail us – we want to hear from you.