Canada's government has signalled significant changes to privacy regulation in the country.
Canadian businesses already have strong privacy obligations under the existing Personal Information Protection and Electronic Documents Act (PIPEDA). However, the proposed changes could not only strengthen those requirements but also broaden the range of organizations they apply to.
Here's what you need to know and do.
- 1. Background
- 2. Implementation
- 3. Existing Legislation
- 4. International Regulations
- 4.1. General Data Protection Regulation (GDPR)
- 4.2. California Consumer Privacy Act (CCPA)
- 4.3. California Online Privacy Protection Act (CalOPPA)
- 4.4. Children's Online Privacy Protection Act (COPPA)
- 4.5. Stop Hacks and Improve Electronic Data Security Act (SHIELD)
- 5. The New Rights
- 5.1. Data Portability (also called Data Mobility)
- 5.2. Withdrawing Data
- 5.3. Data Use
- 5.4. Review and Challenge
- 5.5. Proactive Data Security Requirements
- 5.6. Data Breaches
- 5.7. Avoiding Online Discrimination Including Bias And Harassment
- 6. Making Changes Now
- 7. Conclusion
The proposed privacy changes are detailed in a letter from Canada's Prime Minister to the Minister of Innovation, Science and Industry. It is a mandate letter, which sets out the government's intentions and instructions for a government department.
The government has made the letter public, effectively making a commitment to carrying out the measures it details.
The letter specifically details two actions and a goal. The actions are to advance a Digital Charter for Canada and to enhance powers for the Privacy Commissioner. The goal is to "establish a new set of online rights" to include:
- Data portability
- The ability to withdraw, remove and erase basic personal data from a platform
- The knowledge of how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data
- The ability to review and challenge the amount of personal data that a company or government has collected
- Proactive data security requirements
- The ability to be informed when personal data is breached with appropriate compensation
- The ability to be free from online discrimination including bias and harassment
Canada's Digital Charter is a list of principles covering all aspects of online and digital activity. The most relevant for privacy laws is principle 3, named 'Control and Consent', which reads:
"Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected."
Privacy Policies will also be affected by principle 4, named 'Transparency, Portability and Interoperability', which reads:
"Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden."
Both the Digital Charter and the proposed privacy rights are outcomes rather than processes. Exactly how they will be achieved remains to be seen, with three options most likely:
- Strengthen the powers and update the policies of the Privacy Commissioner including the ability to enforce PIPEDA
- Update PIPEDA to achieve the newly stated goals
- Introduce new federal legislation to achieve the goals
It's too early to say which is most likely. Whether new or updated federal legislation is introduced may depend on the federal government's wider priorities and the political aspect of running a minority government.
That said, businesses should still consider if and how they may have to update their privacy procedures to adjust to any changes, using the Digital Charter and proposed privacy rights as a guideline to what may happen.
Many businesses are already covered by PIPEDA. As a general rule it applies to any private sector organization that handles personal data unless it is already covered by a similar provincial law.
This exemption applies to most businesses (of any kind) in Alberta, British Columbia and Quebec, along with most cases involving health information in Labrador, New Brunswick, Newfoundland, Nova Scotia and Ontario.
PIPEDA always applies to information that crosses a provincial or national border. It also always applies to federally regulated businesses.
The key requirement of PIPEDA is to follow 10 "fair information principles" which can be summarised as follows:
- Be accountable for data privacy including appointing a dedicated compliance officer
- Say why you are collecting data and how you will use it
- Get the person's consent before collecting their data
- Only collect data necessary for the stated purpose
- Only keep and use data for as long as necessary for the stated purpose
- Make sure data is accurate and up to date
- Safeguard the data
- Publish details of your privacy policies and procedures
- Let individuals see what data you store about them and correct it if necessary
- Have clear guidelines for how an individual can challenge your alleged failure to comply with these principles
Your Canadian website or online business may also be affected by data privacy legislation from other countries that strengthens or adds to the requirements of PIPEDA.
These laws can apply even though your business is based in Canada. Complying with these laws will mean you are prepared for some of the possible changes to Canadian privacy law.
General Data Protection Regulation (GDPR)
The GDPR applies if you serve customers who are in a European Union country or if you physically process data in the EU (for example in European data centers).
The key measure is that you must get consent in advance and that it be meaningful consent. This is consent that is active and informed.
California Consumer Privacy Act (CCPA)
The CCPA applies if you have annual revenues of at least $25 million and serve any residents in California.
It also applies in the less likely situation that you handle personal data of more than 50,000 Californians or if half of your revenue comes from selling personal data about Californians.
The key measure is that you must let users opt out of you selling their personal data.
California Online Privacy Protection Act (CalOPPA)
Children's Online Privacy Protection Act (COPPA)
COPPA applies if your site is aimed at American children aged under 13 or if you know for certain they are using it.
The key measure is that you must get the consent of a parent or guardian (and verify their identity) before collecting personal data of under-13s.
Stop Hacks and Improve Electronic Data Security Act (SHIELD)
This applies if you handle private information about New York residents. The key requirements are that you have administrative, technical and physical safeguards to protect data and that you inform users promptly about any data breach.
The New Rights
As noted, while the goals of any changes are known, the precise methods of achieving them are still under debate.
Data Portability (also called Data Mobility)
PIPEDA already says individuals have the right to access the data you have stored about them. The proposed changes would go a step further and be closer to the rights required by the GDPR.
The idea is that users would have the right to ask that you transfer (or allow them to transfer) the data to another service provider or organization in a "standardized digital format."
This is more of a technical change than a privacy rules change. However, it may become necessary for Privacy Policies to set out:
- What data can be transferred in this way
- What formats are available
- What exceptions apply (for example where it's not technically possible or where it would be illegal to transfer the data)
Withdrawing Data
PIPEDA already says individuals have the right to correct data and to withdraw consent for the data's use (which means you should delete the data).
The proposed changes would include making users more aware that they have the right to delete information they have provided and to explicitly make minors aware that they can delete or "de-identify" their personal information.
The changes could involve having a fixed time limit for storing data even if the consent is still valid and the original purpose for collecting it is still relevant. That may make it necessary to list this time limit in Privacy Policies.
Data Use
PIPEDA already makes it so that individuals should know how their data is being used because they give consent based on a stated purpose. The proposed changes would strengthen this through two measures:
- Setting up a national advertising registry
- Giving users the right to refuse to have their data shared or sold (similar to the CCPA)
Review and Challenge
The mandate letter specifically refers to individuals gaining the right "to review and challenge the amount of personal data" that an organization holds about them.
Exactly how this would be implemented is unclear. PIPEDA already lets users find out what data you hold about them and correct any errors. They already have the right to withdraw consent for any reason in most circumstances.
It's not obvious how the amount of data you hold could be practically quantified or restricted. This means the proposed changes for this right shouldn't require any new actions on your part.
Proactive Data Security Requirements
PIPEDA already requires data safeguards that are "appropriate" to how sensitive the relevant data is. One key point is that PIPEDA doesn't specify any particular measures. It is possible any new regulation or law will set out specific requirements.
"Proactive" security, sometimes called "offensive security", means trying to anticipate and head off security threats in advance rather than simply tackling problems as they arise.
Key measures often include setting up system-wide security defenses, using encryption wherever appropriate, training staff, and restricting access (physically and technically).
Kissmetrics gives a clear and detailed explanation of how it secures data against multiple risks:
Data Breaches
Although data breaches aren't explicitly covered by the fair information principles, PIPEDA does require businesses to report breaches if they create a "real risk of significant harm to an individual."
The report must be made to both the Office of the Privacy Commissioner and the individual or individuals affected. The business must also keep a record of all breaches.
This shouldn't be affected by measures to back up a new right "to be informed when personal data is breached with appropriate compensation." It is possible the threshold for reporting a breach could be lowered to cover a risk of any harm, rather than the harm having to be significant, or even to cover any breach regardless of its effects.
At the moment under PIPEDA, Privacy Policies don't have to address your policy on data breaches and notifications.
Avoiding Online Discrimination Including Bias And Harassment
You must also let users know they have the right to challenge any such decisions and ask for a manual review.
Here's how Chubb details its automated decision making, including the use of personal data:
Similar measures could be involved in any changes to Canadian regulation as the algorithms or data used for automated decision making could unintentionally discriminate against some people.
Making Changes Now
- To check if it still complies with PIPEDA or a corresponding provincial law
- To check if it complies with any non-Canadian laws that apply to your business because you serve foreign citizens
- To check it is as clearly written as possible, saving you time dealing with unnecessary queries and complaints
Conclusion
Let's recap what you need to know about the proposed changes to Canada's privacy laws.
- The Prime Minister has used a mandate letter to propose revising Canadian law to enforce newly-stated privacy rights.
- This could mean changes to the Privacy Commissioner's powers, an update to PIPEDA, or a new federal law.
- PIPEDA already requires most businesses to follow 10 fair information principles when handling personal data.
- Canadian firms handling personal data about people in the United States or Europe may be covered by a range of international laws that go beyond PIPEDA's requirements.
Some of the potential extra requirements for Privacy Policies include:
- Clearly stating what personal data users can transfer to other services and organizations and how they can do so
- Explicitly setting out the user's right to delete data they've previously provided and how to exercise this right
- Setting out specific time limits for how long you'll keep personal data rather than simply holding it until it's no longer needed for the stated purpose
- Giving specific detail about whether and how you will share or sell personal information
- Giving users the right to specifically withdraw consent for data sales or sharing
- Giving accurate details of your security safeguards (including proactive measures)
- Telling users whether you use automated decision making and telling them they can challenge the decisions or ask for a manual review