Back to all blog posts

Posted in: Privacy

Dec 19, 2019

Federal Privacy Law – Is It About to Change?

By Donald B. Johnston

The 2018-2019 Annual Report to Parliament of the Office of the Privacy Commissioner is interesting reading, and it shows that the OPC has been doing some deep thinking about the nature of privacy and has been looking around the world at the philosophies of privacy in other jurisdictions.

The report focuses on two main themes:

1. Enhancing the power of the federal Privacy Commissioner to include:

  • the right to prescribe “binding rules” and “binding guidance” for the purpose of enforcing privacy rights and principles
  • the right to initiate proactive investigations/audits so that “demonstrable accountability” can be shown to exist. This seems to imply spot checks of businesses – something like the privacy equivalent of a R.I.D.E. program or a suitcase check at the airport – to ensure compliance even in the absence of a complaint
  • the right to enforce remedies that are “quick and effective”

2. Amending PIPEDA to make it clear that privacy is a “fundamental human right” and that PIPEDA is not just a bunch of principles, or even rules, about data protection, but rather (in effect) an intrinsic adjunct to Canada’s constitution.

In other words, privacy is not merely about consent, access and transparency, but about respect for human rights.

Because of the quasi-constitutional implications of the amendments that the OPC would like to see, a number of collateral changes could occur:

  • the right to be free of “unjustified surveillance” by businesses
  • the concept that the use of technology that is incompatible with rights-based privacy laws is illegal
  • the embedding in our laws of the “right to be forgotten” that is found in the European General Data Protection Regulation (GDPR)

It seems that the Privacy Commissioner is tired of PIPEDA and wants to throw out the bathwater while keeping a close eye on the baby. What I believe is being proposed is a whole new federal privacy regime that will see:

  • new private sector privacy legislation that is drafted with both rights and obligations, as in most statutes
  • elimination of the “principles-based” look and feel of PIPEDA, which reads like an industry code of conduct rather than as a statute
  • enshrining the Office of the Privacy Commissioner in the role of a real regulator with the obligation to enforce the law, provide quick and effective remedies for breaches and police ongoing compliance by businesses

Personally, I like it. It’s been hard for me as a lawyer, over the years, to throw the chicken bones into the air and somehow divine how to provide commercial clients with demonstrably reliable advice. Privacy and data security consultants have experienced much the same quandary. Privacy principles are great, but lawyers and privacy consultants should not have to be mind readers. PIPEDA was good at the time it came in, but it’s time now for Canada to take its rightful place as a country in which privacy isn’t just a good idea, but rather a right that individuals can expect to exercise and in which businesses know exactly what they have to do to respect privacy rights.

I’m going to write a bit more about this after the holidays, so stay tuned!

Related Blogs

Posted in: Data Protection | Security | Data Security/Privacy

Insights TheSpotlight
Canada’s New Digital Charter and What this Means for PIPEDA By Sarah Newman Jun 13, 2019 On May 21, 2019, the Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development, announced the launch of Canada’s own Digital Charter.

Posted in: Data Protection | Privacy | Data Security/Privacy

Insights TheSpotlight
Biometric Identification and Privacy Concerns: a Canadian Perspective By Paige Backman May 21, 2019 Advancements in technology have greatly expanded the types of biometric information that we are readily able to collect from individuals, as well as the ways in which such biometric information can be used. Facial structure, fingerprints, speech patterns, voice recognition, iris composi...

Posted in: Data Protection | Data Security/Privacy | Privacy

Insights TheSpotlight
OPC Proposed Change Equal to Legislative Change Without Legislative Process By Paige Backman and Donald B. Johnston May 08, 2019 On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) announced it was looking to change their position on trans-border flow of personal information. The proposed change in position will impact not only cross-border data transfers between controllers and processo...

Posted in: Privacy | Court Decision | Data Security/Privacy

Insights TheSpotlight
“Privacy is Not an All-or-Nothing Concept”: The Supreme Court of Canada’s decision in R. v. Jarvis By Donald B. Johnston and Brandon Carter Feb 20, 2019 On February 14, 2019, the Supreme Court of Canada released its decision in R. v. Jarvis, a case that centered on determining when and where a person will be criminally liable for observing or recording others, without their knowledge, for sexual gratification.

Posted in: Data Protection | Data Security/Privacy | GDPR

Insights TheSpotlight
GDPR - Impact on Canadian Business Obligations, Liability and Contract Terms By Paige Backman Feb 06, 2019 The European Union’s General Data Protection Regulation (GDPR) came into effect nearly nine months ago on May 25, 2018. The GDPR clearly applies to those located in the EU, but its application is worldwide in that it expressly imposes obligations, liability and contractual terms o...