Canada's government has signalled significant changes to privacy regulation in the country.

Canadian businesses already have strong privacy obligations under the existing Personal Information Protection and Electronic Documents Act (PIPEDA). However, the proposed changes could not only strengthen those requirements but also broaden the range of organizations they apply to.

Here's what you need to know and do.


Background

The proposed privacy changes are detailed in a letter from Canada's Prime Minister to the Minister of Innovation, Science and Industry. It is a mandate letter, which sets out the government's intentions and instructions for a government department.

The government has made the letter public, effectively making a commitment to carrying out the measures it details.

The letter specifically details two actions and a goal. The actions are to advance a Digital Charter for Canada and to enhance powers for the Privacy Commissioner. The goal is to "establish a new set of online rights" to include:

  • Data portability
  • The ability to withdraw, remove and erase basic personal data from a platform
  • The knowledge of how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data
  • The ability to review and challenge the amount of personal data that a company or government has collected
  • Proactive data security requirements
  • The ability to be informed when personal data is breached with appropriate compensation
  • The ability to be free from online discrimination including bias and harassment

Implementation

Canada's Digital Charter is a list of principles covering all aspects of online and digital activity. The most relevant for privacy laws is principle 3, named 'Control and Consent', which reads:

"Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected."

Privacy Policies will also be affected by principle 4, named 'Transparency, Portability and Interoperability', which reads:

"Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden."

Both the digital charter and the proposed privacy rights are outcomes rather than processes. Exactly how they will be achieved remains to be seen, with three options most likely:

  • Strengthen the powers and update the policies of the Privacy Commissioner including the ability to enforce PIPEDA
  • Update PIPEDA to achieve the newly stated goals
  • Introduce new federal legislation to achieve the goals

It's too early to say which is most likely. Whether new or updated federal legislation is introduced may depend on the federal government's wider priorities and the political aspect of running a minority government.

That said, businesses should still consider if and how they may have to update their privacy procedures to adjust to any changes, using the Digital Charter and proposed privacy rights as a guideline to what may happen.

Existing Legislation

Many businesses are already covered by PIPEDA. As a general rule it applies to any private sector organization that handles personal data unless it is already covered by a similar provincial law.

This exemption applies to most businesses (of any kind) in Alberta, British Columbia and Quebec, along with most cases involving health information in Labrador, New Brunswick, Newfoundland, Nova Scotia and Ontario.

PIPEDA always applies to information that crosses a provincial or national border. It also always applies to federally regulated businesses.

The key requirement of PIPEDA is to follow 10 "fair information principles" which can be summarised as follows:

  1. Be accountable for data privacy including appointing a dedicated compliance officer
  2. Say why you are collecting data and how you will use it
  3. Get the person's consent before collecting their data
  4. Only collect data necessary for the stated purpose
  5. Only keep and use data for as long as necessary for the stated purpose
  6. Make sure data is accurate and up to date
  7. Safeguard the data
  8. Publish details of your privacy policies and procedures
  9. Let individuals see what data you store about them and correct it if necessary
  10. Have clear guidelines for how an individual can challenge your alleged failure to comply with these principles

International Regulations

Your Canadian website or online business may also be affected by data privacy legislation from other countries that strengthens or adds to the requirements of PIPEDA.

These laws can apply even though your business is based in Canada. Complying with these laws will mean you are prepared for some of the possible changes to Canadian privacy law.

General Data Protection Regulation (GDPR)

The GDPR applies if you serve customers who are in a European Union country or if you physically process data in the EU (for example in European data centers).

The key measure is that you must get consent in advance and that it be meaningful consent. This is consent that is active and informed.

California Consumer Privacy Act (CCPA)

The CCPA applies if you have annual revenues of at least $25 million and serve any residents in California.

It also applies in the less likely situation that you handle personal data of more than 50,000 Californians or if half of your revenue comes from selling personal data about Californians.

The key measure is that you must let users opt out of you selling their personal data.

California Online Privacy Protection Act (CalOPPA)

CalOPPA applies if your website collects personal data about any user in California. The key measure is that you must publish a Privacy Policy.

Children's Online Privacy Protection Act (COPPA)

COPPA applies if your site is aimed at American children aged under 13 or if you know for certain they are using it.

The key measure is that you must get the consent of a parent or guardian (and verify their identity) before collecting personal data of under-13s.

Stop Hacks and Improve Electronic Data Security Act (SHIELD)

This applies if you handle private information about New York residents. The key requirements are that you have administrative, technical and physical safeguards to protect data and that you inform users promptly about any data breach.

The New Rights

Before you can decide if you need to update your Privacy Policy to prepare for any changes, it's important to understand how the new rights work with existing legislation such as PIPEDA, and which aspects would involve new requirements.

As noted, while the goals of any changes are known, the precise methods of achieving them are still under debate.

Data Portability (also called Data Mobility)

PIPEDA already says individuals have the right to access the data you have stored about them. The proposed changes would go a step further and be closer to the rights required by the GDPR.

The idea is that users would have the right to ask that you transfer (or allow them to transfer) the data to another service provider or organization in a "standardized digital format."

This is more of a technical change than a privacy rules change. However, it may become necessary for Privacy Policies to set out:

  • What data can be transferred in this way
  • What formats are available
  • What exceptions apply (for example where it's not technically possible or where it would be illegal to transfer the data)

MyData Global's Privacy Policy details this right for users:

MyData Global Privacy Policy: Data Subject Rights - Data Portability clause

Withdrawing Data

PIPEDA already says individuals have the right to correct data and to withdraw consent for the data's use (which means you should delete the data).

The proposed changes would include making users more aware that they have the right to delete information they have provided and to explicitly make minors aware that they can delete or "de-identify" their personal information.

The changes could involve having a fixed time limit for storing data even if the consent is still valid and the original purpose for collecting it is still relevant. That may make it necessary to list this time limit in Privacy Policies.

Bournemouth University is a good example of an evolving Privacy Policy when it comes to data retention periods. Explaining why it needs to keep data for a particular period is helpful to the reader:

Bournemouth University Privacy Policy: Data Retention clause

Data Use

PIPEDA already makes it so that individuals should know how their data is being used, because they give consent based on a stated purpose. The proposed changes would strengthen this through two measures: a national advertising registry, and the ability to withdraw consent for the sharing or sale of data.

This could mean you need to update your Privacy Policy to give more explicit information about how you share or sell their data. You'll also need to be clear about how users can check these details later and how they can withdraw consent for data selling or sharing.

NVA's Privacy Policy details how it complies with the CCPA's rules on consent for data sales and sharing:

NVA Privacy Policy: Personal Information Sales Opt-Out and Opt-In Rights clause

Review and Challenge

The mandate letter specifically refers to individuals gaining the right "to review and challenge the amount of personal data" that an organization holds about them.

Exactly how this would be implemented is unclear. PIPEDA already lets users find out what data you hold about them and correct any errors. They already have the right to withdraw consent for any reason in most circumstances.

It's not obvious how the amount of data you hold could be practically quantified or restricted. This means the proposed changes for this right shouldn't require any new actions on your part.

Proactive Data Security Requirements

PIPEDA already requires data safeguards that are "appropriate" to how sensitive the relevant data is. One key point is that PIPEDA doesn't specify any particular measures. It is possible any new regulation or law will set out specific requirements.

"Proactive" security, sometimes called "offensive security", means trying to anticipate and head off security threats in advance rather than simply tackling problems as they arise.

Key measures often include setting up system-wide security defenses, using encryption wherever appropriate, training staff, and restricting access (physically and technically).

Any legal changes on this point likely won't affect your Privacy Policy. However, you should make sure any claims you make in your policy about security measures are true. This helps users make an informed choice about giving consent.

Kissmetrics gives a clear and detailed explanation on how it secures data from multiple risks:

Kissmetrics How We Secure Your Data page - Hackers and Technology Disasters sections

Data Breaches

Although data breaches aren't explicitly covered by the fair information principles, PIPEDA does require businesses to report breaches if they create a "real risk of significant harm to an individual."

The report must be made to both the Office of the Privacy Commissioner and the individual or individuals affected. The business must also keep a record of all breaches.

This existing reporting requirement shouldn't be affected by measures to back up a new right "to be informed when personal data is breached with appropriate compensation." It is possible, however, that the threshold for reporting a breach could be lowered to cover a risk of any harm, rather than the harm having to be significant, or even to cover any breach regardless of its effects.

At the moment under PIPEDA, Privacy Policies don't have to address your policy on data breaches and notifications.

If you do detail this in your Privacy Policy, make sure the information you give is clear and accurate so the user can make an informed choice about giving consent.

Avoiding Online Discrimination Including Bias And Harassment

For the most part, any changes to the law for this new right shouldn't affect Privacy Policies. One possibility is the introduction of a requirement already in the GDPR that says your Privacy Policy must say if you use any automated decision making.

You must also let users know they have the right to challenge any such decisions and ask for a manual review.

Here's how Chubb details its automated decision making, including the use of personal data:

Chubb Privacy Policy: Automated Decision Making and Profiling clause

Similar measures could be involved in any changes to Canadian regulation as the algorithms or data used for automated decision making could unintentionally discriminate against some people.

Making Changes Now

It's understandable that you may not want to spend time and effort rewriting your Privacy Policy for legal changes that aren't definitely going to happen, or where the precise detail has yet to be decided. However, it's worth reviewing your Privacy Policy for several reasons:

  • To check if it still complies with PIPEDA or a corresponding provincial law
  • To check if it complies with any non-Canadian laws that apply to your business because you serve foreign citizens
  • To check it is as clearly written as possible, saving you time dealing with unnecessary queries and complaints

You should also review the possible changes discussed in this article. You may find that you can update your Privacy Policy now to anticipate some of these changes without risking unnecessary added burden and administration.

You could also consider how you would need to update your Privacy Policy were the proposed measures and rights incorporated into law.

Conclusion

Let's recap what you need to know about proposed changes to Canada's privacy laws.

  • The Prime Minister has used a mandate letter to propose revising Canadian law to enforce newly-stated privacy rights.
  • This could mean changes to the Privacy Commissioner's powers, an update to PIPEDA, or a new federal law.
  • PIPEDA already requires most businesses to follow 10 fair information principles when handling personal data.
  • Canadian firms handling personal data about people in the United States or Europe may be covered by a range of international laws that go beyond PIPEDA's requirements.
  • The proposed changes could affect what you must include in your Privacy Policy. You should review your policy to see whether you should make any of these changes now in anticipation of new regulations. You should also think about how you would update your policy later on if the proposals come into effect.
  • Some of the potential extra requirements for Privacy Policies include:

    • Clearly stating what personal data users can transfer to other services and organizations and how they can do so
    • Explicitly setting out the user's right to delete data they've previously provided and how to exercise this right
    • Setting out specific time limits for how long you'll keep personal data rather than simply holding it until it's no longer needed for the stated purpose
    • Giving specific detail about whether and how you will share or sell personal information
    • Giving users the right to specifically withdraw consent for data sales or sharing
    • Giving accurate details of your security safeguards (including proactive measures)
    • Telling users whether you use automated decision making and telling them they can challenge the decisions or ask for a manual review