This was the year an overhaul of federal private-sector privacy law died. But one expert says 2022 may be the year of private-sector privacy law upheaval — if Parliament and three provincial legislatures move fast.
“All of the signals suggest that we’re potentially going to see quite a bit of private sector data protection law reform at the federal and provincial levels next year,” Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa law school said in a year-end interview.
Depending on the provisions, legislation could have a significant effect on the data collection and protection practices of businesses.
Consider that
–the federal minister of innovation, who is responsible for privacy legislation, told a news site that the government will introduce legislation to replace of Bill C-11 (the Digital Charter Implementation Act), which died when the fall election was called.
No date was given for the introduction of a new bill. Nor is it clear if the new legislation will radically or just slightly change C-11;
–a B.C. legislature committee this month released the results of a public consultation on updating the provincial private sector privacy law and made 34 recommendations. The next step is drafting new legislation;
–Alberta is reviewing the results of a public consultation, which finished in October, on updating its private sector law;
–Ontario released a white paper in June with a suggested outline of the province’s first private sector privacy law. One proposal: Up to a $25 million fine or five per cent of an organization’s global revenue for failing to report a breach of security safeguards, failing to abide by a compliance order or re-identifying personal information that had been de-identified.
The provincial government hasn’t committed to introducing a law. Scassa noted that the white paper’s outline was based on C-11; now that it no longer exists, Ontario may choose to wait until its replacement is introduced and/or passed before proceeding.
–Meanwhile Quebec is just starting a three-year implementation of provisions of Bill 64, an overhaul of its private sector privacy law. Starting in September 2022, organizations must begin notifying the privacy regulator and individuals regarding any breaches to compromised personal information that present a “risk of serious injury” to the affected individuals.
More issues
This year also saw the public pay more attention to the increased use of surveillance and facial recognition technologies by businesses and governments, Scassa said. In addition to the federal and three provincial privacy commissioners declaring the scraping of images from the internet by Clearview AI to be a violation of their respective privacy laws, there has been criticism about how far firms can go in monitoring employees working from home and higher education institutions can go in monitoring students taking exams.
Data governance issues were also more prominent this year, with the federal and provincial governments investigating data-sharing frameworks. C-11 and Quebec’s Bill 64, for example, have sections on ways to protect data shared by researchers. After creating the Ontario Health Data Platform for sharing data collected by the province for COVID-19 research, the province is wondering if the platform could be adapted when the pandemic ends for sharing other provincially-held data.
The loss of C-11 may not be mourned by many, but, Scassa said, “at least it showed what the federal government was thinking.”
And while it may not have had a lot of support in the business community, Scassa believes many companies “just want to get on with it [reform]”… “I think they could have lived with it.”
She does give the Liberal government credit for effectively re-writing the existing Personal Information Protection and Electronic Documents Act (PIPEDA). “That was a massive undertaking, to tackle many important areas from enforcement and order making-powers for the Privacy Commissioner, to the creation of new structures like the Data Tribunal, new rights to have data about you erased and attempts to balance privacy with the interests of those who want to use large quantities of data for research.
“That was one of the stumbling blocks of the bill — it just was trying to do a lot of different things, so it sparked a lot of controversy.”
Privacy Commissioner Daniel Therrien was “very critical,” she added, “which didn’t help”
Former Ontario Privacy Commissioner Ann Cavoukian, now executive director of the Global Privacy and Security By Design Centre, won’t miss C-11, which she called a “stupid bill … Hopefully they’re going to start all over again.”
Arguably the biggest privacy breach of the year in this country was…
Demo
excerpt goes here …