Federal Privacy Commissioner Releases Key Recommendations for a New Federal Private Sector Privacy Law

Earlier this month, the Office of the Privacy Commissioner of Canada (“OPC”) released a summary of its key recommendations for a new federal private sector privacy law (the “Key Recommendations”), one that would update or replace the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”).[1]

The federal government most recently attempted to amend PIPEDA by introducing Bill C-11, the Digital Charter Implementation Act, 2020. The bill faced criticism from businesses, privacy advocates and the OPC itself, before ultimately dying on the order paper with the calling of the 2021 federal election.

Since coming into power, the new federal government has not taken any significant steps to advance a similar bill. However, the introduction of a new privacy bill is widely expected in order for Canada’s federal privacy law to maintain consistency with the modernization of privacy regimes in other jurisdictions.

The OPC’s Key Recommendations touch on the following themes:

Re-imagining Canada’s consent-based framework.

The OPC recognizes certain challenges arising from PIPEDA’s current consent-based framework, in which consent is the primary justification for the collection, use or disclosure of personal information. For example, under the current model, long and legalistic privacy policies and terms of use agreements may make it difficult for consumers to exert real control over the handling of their personal information or to make meaningful decisions about consent.[2] Furthermore, personal information is often transferred to many different entities in the course of its lifecycle, and organizations may struggle to summarize or concisely explain all possible transfers or uses of data at the time of collection.

In its Key Recommendations, the OPC recommends the introduction of either (i) new exceptions to PIPEDA’s current consent requirement where personal information will be processed for explicit, knowable purposes (such as for product delivery, network security, or search engines), and/or (ii) a flexible “legitimate commercial interests” exception to PIPEDA’s current consent requirement, which would be available only when organizations have met certain pre-requisites (such as the completion of a privacy impact assessment and balancing test).

At the same time, the OPC recommends that federal privacy legislation reflect a recommitment to the principles of consent and transparency, by integrating knowledge and understanding into the statutory requirements to obtain valid consent. The OPC’s proposal aims to make consent valid only when certain information is provided in an intelligible and easily accessibly format such that it is reasonable to expect that an individual would understand that information.

The OPC also recommends including specific requirements with respect to automated decision-making, including a right for individuals to obtain an explanation of the automated decisions made about them, and to contest those decisions.[3]