The Government of Canada announced, on 21 May 2019, that it had launched Canada’s Digital Charter (‘the Charter’) to modernise the rules that govern Canada’s digital sphere. In particular, the Charter outlines ten principles to ensure the protection of privacy, including control and consent, transparency, portability and interoperability, as well as enforcement and accountability, among other things. In addition, the Government announced proposals to modernise the Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’) which will serve to implement the Charter’s principles.
Ruth E. Promislow, Partner at Bennett Jones LLP, told DataGuidance by OneTrust, “It can be expected that with the Charter and the proposed modernisation of PIPEDA, companies will be held to a more rigid standard, particularly with platforms and products that are designed to gather and share data, and/or monitor users. A clear theme is presented whereby companies will be expected to explain to individuals in clear terms what information is being collected, the purpose for which it is being collected, and the third parties to whom the information will be shared. Generic consent that may cover potential undisclosed future use and disclosure of the information will not be sufficient.”
In addition, the Government outlined that the proposed amendments to PIPEDA include enhancing individuals’ control of their personal data, enabling responsible innovation, and enhancing enforcement and oversight by the Office of the Privacy Commissioner of Canada (‘OPC’). Moreover, the proposed amendments aim to expand PIPEDA’s scope of application to include small and medium-sized enterprises, to ensure that individuals are protected and that companies have a level playing field in terms of accountability and responsibility.
The proposed amendments identify concerns that […] enforcement of PIPEDA is outdated and does not incentivise compliance
Promislow also noted, “A further requirement is proposed to inform individuals about the use of automated decision-making. In connection with this point, artificial intelligence has been identified as raising unique challenges for privacy in that it can go beyond its original programming to make ‘discoveries’ in the data that human decision-makers would not identify. [Additionally,] the proposed amendments identify concerns that […] enforcement of PIPEDA is outdated and does not incentivise compliance. [As such, the proposals would] provide the OPC with discretion to investigate, regardless of whether there are reasonable grounds, so that the OPC can periodically review an organisation’s adherence to standards. [They would also provide] the OPC with order-making power to halt the collection, use, or disclosure of personal information by a non-compliant organisation, and extend the regime for fines to other key provisions of PIPEDA including consent and data safeguard requirements, limiting use, disclosure and retention requirements.”
Furthermore, the Government highlighted that the Charter, in modernising Canada’s digital landscape, is aiming to rebuild citizens’ trust in institutions responsible for ensuring and enforcing compliance with rules on the protection of personal data. In particular, the Charter seeks to present a regulatory framework which would facilitate competitiveness, promote digital and data-driven innovation, and safeguard the protection of personal data.
Promislow concluded, “The Charter and the corresponding proposals to modernise PIPEDA address a series of related privacy concerns that have emerged as the digital landscape has evolved. Whether the Charter and proposal to modernise PIPEDA will strike the appropriate balance between addressing privacy concerns and promoting the growth of the economy remains to be seen. What is clear, however, is that the perspective on issues such as transparency and meaningful consent have evolved, and companies will be put to a higher standard than they have been in the past.”
IANA GAYTANDJIEVA Junior Privacy Analyst