Upcoming Changes to Canadian Privacy Law

Numerous changes to Canada's Personal Information Processing and Electronic Documents Act (PIPEDA) are expected in 2020 as part of Canada's privacy law overhaul.

The changes are designed to bring Canada privacy law in line with the most stringent international privacy laws out there, including the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

We'll discuss how the laws will be changing so you can best prepare for compliance.

Right now, the two major privacy acts in force in Canada are the:

• Privacy Act
• PIPEDA

The Privacy Act gives Canadians the right to access whatever personal information the Canadian government holds on them. PIPEDA regulates how commercial and private-sector companies store, handle, process, and share personal data as part of their routine business activities. It lets Canadians control their personal information and limit who they share it with.

Although the Privacy Act is important, the proposed changes primarily concern PIPEDA, so we'll focus mostly on that.

The main point of PIPEDA is that companies must get someone's meaningful consent before they can collect their personal data and share it with anyone else. Companies must also be clear on what they plan on doing with the information, who they share it with, and why they need the data in the first place.

While these rights may sound comprehensive, they fall a little short when we compare them to the rights offered by, for example, the GDPR.

Recently, the Canadian Government agreed that PIPEDA doesn't go far enough to protect people's privacy rights in an increasingly digital world.

So, what do they plan on doing about it?

The Problems with Canadian Privacy Law

According to a Canadian government discussion paper, there are three major problems with existing Canadian privacy laws:

• Companies have a tendency to write overly long and complex Privacy Policies
• A growth in machine learning and AI makes it harder for people to control how their data is shared around the internet
• The laws don't keep pace with how quickly the digital world is advancing

The Canadian government wants to:

• Help companies understand their compliance responsibilities
• Ensure individuals understand the rights they have over personal data
• Make privacy rules more flexible to suit modern commerce

In other words, the government wants to give Canadians additional data rights without putting any extra burden on businesses. It sets out these goals and more in what's now known as the Digital Charter.

The Digital Charter

The Digital Charter aims to put every Canadian in full control of their personal information. The changes outlined in the Digital Charter aim to bring Canadian privacy law into alignment with stricter global privacy policies, including the GDPR and the CCPA.

10 Principles of the Digital Charter

The 10 principles of the Charter underpin everything that the Government is doing to tackle gaps in Canadian privacy law.

The 10 principles are:

1. Universal Access: Canadians must all have equal opportunity to access the internet and online resources.
2. Safety and Security: Every Canadian should have faith that the online services they use are secure and reliable.
3. Control and Consent: It should be easy for Canadians to understand who they're sharing personal data with and why.
4. Transparency, Portability, and Interoperability: Companies should make it simple for Canadians to move their data to another organization.
5. Open and Modern Digital Government: The Government will deliver clear, modern digital services to all Canadians.
6. A Level Playing Field: Fair competition between companies should be encouraged, with the caveat that Canadian personal data must be protected at all times.
7. Data and Digital for Good: Every business should use personal data for the benefit of its customers and the wider society.
8. Strong Democracy: Fake news, or misinformation designed to discredit Canada's democratic processes, will not be protected under freedom of expression.
9. Free From Hate and Violent Extremism: Digital platforms and apps must promote inclusivity and condemn hateful content.
10. Strong Enforcement and Real Accountability: There must be incentives in force to encourage legal compliance.

While it's impossible to say for sure what amendments the government will introduce until they're in force, there are steps you can take right now to prepare for the most likely changes.

How the Digital Charter Affects PIPEDA

Broadly speaking, there are 4 categories of privacy law changes that you should be aware of:

1. Data Access and Consent
2. Data Consent
3. Self-regulation
4. Enforcement

These are the 4 major areas of concern that the Canadian government wants to address through its 10 Digital Charter principles. Let's take a closer look at each one.

Data Access and Consent

The government's first goal is to help more Canadian people access the internet and control how they share their personal information. So, broadly, what changes can we expect? Here are the key proposals.

The Right to be Forgotten

Under the GDPR, every EU citizen has the "right to be forgotten." In other words, they can request that a company deletes whatever information they have on them. They can also insist that the company unsubscribes them from all future marketing communications.

To help you understand this better, let's look at an example from a GDPR-compliant Privacy Policy.

In its Privacy Policy, retailer Waterstones includes a clause called "Your right to erasure" that sets out this information:

Here's another example from health and beauty retailer, Boots. Boots very clearly sets out that users can withdraw their consent at any time:

As it stands, Canadians have no right to ask companies to delete their personal information. They can only ask companies to amend or delete their data if it's inaccurate.

If the proposed changes are rolled out to bring PIPEDA in line with the GDPR, you'll need to make some changes to your own processes. So, what might these changes look like? You might:

• Inform people of their deletion rights by updating your Privacy Policy
• Ensure people understand what will happen if their information is deleted
• Set up a way for users to make a data deletion request
• Respond promptly to these requests

Consent Fatigue

Right now, PIPEDA works on the basis of "meaningful consent." In other words, you should obtain a user's informed consent before you collect, use, or disclose their personal data.

The problem is that once you have someone's consent, how many times do you have to ask for it again? Is it ever possible to use personal data on the basis of implied consent? The government argues that it should be possible. Here's why:

Consider this example. You run an ecommerce store and you give people the option to sign up for your weekly newsletter. Users consent to signing up for these marketing communications, and so they receive your newsletter each week. However, maybe you decide that you want to send out newsletters twice a week. Do you really need consent for this?

Right now, the law implies that you do. However, the Government wants to change this so that you can use personal data if:

• You have a legitimate interest for doing so, and
• Your actions will not have any noticeable impact on the individuals

So, in the above example, the users have already consented to marketing newsletters. It may soon be disproportionate to expect you to get consent to sending them more fre quently.

No More Bundled Consent

Right now, companies can refuse to enter a contract with an individual if they don't consent to certain uses of their private information. Typically, this is when a company makes the contract contingent upon users consenting to marketing communications. Here's what we mean:

If you want to sign up for a Facebook account, you need to also agree to receiving SMS communications from them. There's no legitimate need for these SMS communications, and so users shouldn't have to consent to them to open an account. If PIPEDA changes, this will no longer be acceptable:

Note that it's not necessary to get express consent to using someone's personal data to actually fulfil the contract e.g. processing payment for an item the customer purchases. The changes are about addressing unclear and unfair consent procedures.

So, what should you do instead? You must unbundle your consent so that users are only consenting to what's necessary to fulfill the contract. You can then give them an option to opt-in to marketing and other communications. Here's an example:

To sign up for a Lancome account, users need to provide the company with the minimum information to open the account i.e. a name, email address, and password. Users can opt in to receive marketing materials by clicking a checkbox, but if they don't want to receive these communications, they can still open an account:

Clear Consent

What all these proposals are ultimately getting at is the idea of clear, informed consent. In other words, Canadians should know exactly:

• What information they are sharing with you
• Why they're sharing it (for what purpose will you use it for)
• What will happen to the information they share
• How they can withdraw consent

Here's an example from The Body Shop. When users sign up for an account, they can choose whether they want to receive news, offers, and updates by email, SMS, or post:

Users also must confirm that they've read the Terms of Service before signing up. The Body Shop takes steps to secure clear and informed consent before users register for an account.

On the same registration form, the company summarizes the main reasons why it uses data and who it's shared with, while giving users clear guidance on where to find further information via a link to the Privacy Notice:

Use concise and straightforward language like this going forward to make sure your users are the most informed when giving consent.

Easier Data Portability

Under PIPEDA, Canadians can ask for a copy of the personal data that any company has on them. This is known as the "right of access." The problem is that there's no further guidance on how:

• Companies should provide users with this data
• How people can easily transfer their data from one business to another e.g. between banks

By contrast, the GDPR gives EU citizens the right to "data portability," which makes it easy for people to transfer their personal information between companies, or simply see what information the company has on them.

The government wants to bring PIPEDA in line with the GDPR, so what will data portability look like going forward?

If it's not already possible for users to download a portable version of their private data from your website, you should set this up. Here's an example.

Instagram users can ask for a portable copy of their personal data delivered right to the email address of their choice:

You should also highlight data portability in your Privacy Policy and make it easy for users to submit a request.

Catella Group provides users with a form to fill in which emphasizes their data rights:

Catella Group also refers to data portability in its Privacy Policy and provides a link to the request form in the clause:

Enhanced Self-Regulation

We can cover self-regulation very briefly.

In short, the Canadian government wants to encourage the development of schemes, certificates, and codes of practice to prove a company's PIPEDA compliance. These self-regulation tools would be formally recognized and allow companies to demonstrate their commitment to PIPEDA.

The benefit of self-regulation is that if companies show they're serious about PIPEDA compliance, their dedication to data protection could be considered a mitigating factor in any future data breaches.

We can't comment much further on this right now, but it's likely that the Office of the Privacy Commissioner (OPC) will recognize these codes of practice and/or certifications once they're developed.

Strengthened Enforcement Mechanisms

Again, we can cover this briefly.

Right now, the OPC has very limited enforcement powers. Unlike the EU's data protection authorities (DPAs), the OPC has no real power to issue fines or sanctions against companies who fail to follow PIPEDA. All it can do is bring cases before Canadian courts, which wastes time, money, and resources. It's inefficient, and the Government plans on doing something about it.

The government hopes to roll out stronger OPC enforcement mechanisms, which may include:

• New, direct powers to fine and sanction
• Steeper financial penalties for non-compliance
• Rolling out damages for serious infractions
• Extending the range of sanctionable offences

Businesses should take steps now to improve their privacy law compliance to avoid falling foul of the OPC.

Conclusion

Although PIPEDA offers Canadians some control over what happens to their personal data and who may access it, it's not as robust as it could - or should - be. Through the new Digital Charter, the Canadian government plans on rolling out key legal changes which companies must prepare for, including:

• Tougher financial sanctions
• A greater emphasis on company responsibility and self-regulation
• Clearer, shorter, more user-friendly Privacy Policies
• Transparent, unbundled consent
• The right to be forgotten
• Exceptions to data consent where they're based on legitimate company interests
• Increased data portability and rights of access