Canada: The Digital Charter and shifting framework for consent-based privacy legislation
On 21 May 2019, the Canadian federal Government ('the Government') launched Canada's new Digital Charter ('the Charter')1, as well as a discussion paper entitled 'Strengthening Privacy for the Digital Age' ('the Paper')2, which contains a set of proposals that aim to modernise privacy laws based on the principles set out in the Charter ('the Principles'). Marco Ciarlariello, Associate at Cassels Brock & Blackwell LLP, examines the Charter and the requirements in Canada for organisations processing data.
The Principles are intended to inspire economic growth within Canada's digital economy, while fostering a greater sense of trust by consumers that their personal information is being used and protected appropriately.
The Principles include:
- Universal Access;
- Safety and Security;
- Control and Consent;
- Transparency, Portability and Interoperability;
- Open and Modern Digital Government;
- A Level Playing Field;
- Data and Digital for Good;
- Strong Democracy;
- Free from Hate and Violent Extremism; and
- Strong Enforcement and Real Accountability.
In the Paper, the Government provides insight into potential amendments that might be made to Canada's existing federal privacy legislation, the Personal Information Protection and Electronic Documents Act, 2000 ('PIPEDA'). The Paper contemplates a range of systemic changes, the most significant of which relate to a transition away from the current consent-based system to a hybrid regime under which alternative legal grounds for the collection, use, and disclosure of personal information may be implemented. Such changes could significantly impact the way in which organisations do business in Canada, and will likely require significant revisions to privacy practices, policies, and procedures designed for compliance with PIPEDA and Canadian provincial privacy laws3.
The consent-based system in Canada
Under Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), organisations are able to rely on six lawful bases for processing personal data, namely:
- consent given from the data subject;
- the performance of a contract to which the data subject is a party;
- compliance with a legal obligation;
- protection of the vital interests of the data subject;
- public interests; and
- legitimate interests.
Organisations subject to the GDPR often rely on the lawful bases of 'legitimate interests' and/or 'performance of a contract' when processing personal data, rather than seeking the consent of the data subject for such processing. Canadian privacy laws do not currently allow private organisations to rely on general lawful bases for the processing of personal information; instead, private organisations must obtain an individual's informed consent to collect, use or disclose that individual's personal information. To obtain valid consent, the organisation must inform the individual of the purposes of the collection, use, and disclosure of their personal information, and may only rely on a limited number of exceptions to otherwise deal with such information.
These limited exceptions are not designed to facilitate the use of personal information in connection with an organisation's business, as is the case with the lawful bases of 'legitimate interests' and 'performance of a contract' under Article 6(1) of the GDPR. Instead, the Canadian exceptions provide grounds for collection, use, and disclosure for matters that predominantly relate to the protection of the interests of individuals and the public, including safety, emergencies, employment, and addressing contraventions of law, as well as supporting research initiatives.
Without a viable alternative to obtaining express consent for the collection, use and disclosure of an individual's personal information, organisations operating under Canadian laws often implement unnecessarily lengthy and cumbersome privacy policies that aim to obtain an individual's consent to all possible purposes for the collection, use, and disclosure of personal information in connection with their business.
Creating a hybrid system privacy regime
The Government's proposed updates to PIPEDA indicate that certain changes will be made to:
- narrow the circumstances under which individuals are required to provide their consent;
- standardise the language that organisations use when obtaining consent; and
- prohibit organisations from bundling consents into contracts.
Perhaps most significantly, the Government is also considering the notion of providing exceptions and alternatives to obtaining consent for certain uses in prescribed circumstances that are similar to those that exist under Article 6(1) of the GDPR, including common uses of personal information for standard business activities. The proposed revisions would institute a system of reliance upon organisations to demonstrate their accountability for the protection of personal information under their control. These changes are intended to give more meaningful control to individuals by reducing the risk of consent fatigue.
In the Paper, the Government has articulated that to properly implement the Principles outlined in the Charter into Canadian privacy laws, it will be required to develop new terms, codes of practice, standardised technical and procedural standards for the handling of personal information, as well as more robust enforcement mechanisms for non-compliance.
Further legislation and/or regulatory guidance, regarding the classification of the various types of personal information being collected, should be expected4 as the Government actively considers the development of enhanced protections relating to certain categories of personal information based on materiality and risk. Examples include the creation of a definition and specific policies relating to the handling of 'sensitive information,' similar to those which are found under Article 9 of the GDPR relating to the processing of personal data, as well as the proposal to introduce the notion of 'de-identified information' as a means of enabling increased security in data use and sharing.
The addition of a definition of 'de-identified information' would likely be coupled with:
- a form of exception to consent for its use and disclosure in certain prescribed purposes; and
- penalties and enforcement measures for the re-identification of such information.
The Government has also proposed the introduction of an exception to obtaining consent for the collection, use, and disclosure of personal information in connection with 'standard business practices,' which could include purposes such as:
- fulfilling services;
- identity authentication;
- sharing information with third party processors; and
- meeting regulatory requirements.
Each of these proposed frameworks can be viewed as an effort to institute a system of reliance upon organisations that demonstrate their accountability for the protection of personal information under their control, and will help to alleviate the burden currently placed on the individual when making informed decisions about their personal information.
By streamlining the ways in which different types of personal information are defined and treated, as well as introducing practical alternatives to obtaining consent, the Government will create greater opportunities to better inform individuals regarding the implications that technological advances have on the handling of their personal information. For example, the Government proposes to amend PIPEDA to include:
- a requirement that organisations advise individuals of the use and implications of automated decision-making, and that they adopt common approaches to data transference, reception and use;
- a right to be forgotten, namely a right for individuals to require an organisation to delete information about them, and to communicate changes to, or the deletion of, their personal information to other organisations to which it has been disclosed; and
- a right for individuals to direct that an organisation move their information to another organisation to enhance consumer choice, often referred to as 'data mobility.'
The changes to the consent-based regime, as well as the introduction of new rights for individuals, will require stronger enforcement mechanisms to be introduced into PIPEDA. In the Paper, the Government has signalled that more robust penalties will be introduced for non-compliance, possibly akin to those that are available to regulators under the GDPR. Without such improved mechanisms, it will be difficult to create the environment of accountability, security and innovation that the Charter seeks to inspire.
The implementation of the Principles outlined in the Charter into Canadian privacy laws will only be made possible if the existing consent-based structure of PIPEDA is refined and supplemented to include modernised information classifications, standard legal bases for processing, technical and procedural standards, as well as enhanced enforcement mechanisms. Businesses that are subject to Canadian privacy laws should be aware that significant changes to them, and regulatory guidelines, are forthcoming, some of which may be enacted on a rolling basis. The Government has requested submissions and input regarding the proposals raised in the Paper and will be initiating further consultations regarding legislative reforms in the near future.
Marco Ciarlariello Associate
Cassels Brock & Blackwell LLP, Toronto
1. Available at: https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html
2. Available at: https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html
3. The Personal Information Protection Act, SA 2003 c P-6.5 (Alberta), the Personal Information Protection Act, SBC 2003 c 63 (British Columbia) and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (Quebec) govern the collection, use, and disclosure of personal information within each of the above-noted provinces. These provincial laws continue to apply within each province on the basis that they have been deemed to be 'substantially similar' to PIPEDA.
4. The Office of the Privacy Commissioner of Canada, and its provincial counterparts in Alberta and British Columbia, have recently issued guidance on organisations' responsibility to notify individuals regarding the types of personal information collected, which may be further revised and supplemented in accordance with the Paper. The discussion paper 'Guidelines for Obtaining Meaningful Consent' (May 2018) is available at: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/