New regime aligns with international trends and may prompt Quebec’s stricter rules to be revisited
The federal government provided an early Christmas present to privacy lawyers in enacting its Digital Charter Implementation Act in November, and law firms released a flurry of updates just after the long-awaited changes were announced.
The new proposed legislation will impose heavier fines on businesses for breaching individuals’ digital privacy rights and give individuals greater control over their personal information. Privacy lawyers had long complained that Canada was lagging in international trends on privacy protection.
“I would say it’s the most important privacy reform in 20 years,” Chantal Bernier, head of Dentons Canada LLP’s Canadian Privacy and Cybersecurity practice group and interim privacy commissioner of Canada from 2013 to 2014, told Canadian Lawyer when the legislation was released.
The corporate fines that would be imposed for the most serious infractions of digital privacy are significant: five per cent of an organization’s gross global revenue in its financial year before the one in which the organization is sentenced or $25 million, whichever figure is higher.
“These fines represent a sea change in comparison to how our federal regulator has previously approached non-compliance and will likely spur all businesses subject to these new laws to take a much harder look at their existing privacy practices,” says Lisa Lifshitz, a partner at Torkin Manes in Toronto and leader of the firm’s technology, privacy & data management group.
If passed, the reforms will enact two new acts — the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act — and amend some other acts. The government is seeking feedback until Jan. 17, 2021.
Before the federal overhaul, Quebec was leading the provincial pack in developing a framework that was more consistent with international trends, such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act of 2018.
Quebec’s National Assembly introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information this summer, which caused alarm bells for some privacy lawyers who felt it could be the strictest in the world.
“It would definitely make Quebec the most stringent jurisdiction by far,” says Éloise Gratton, a privacy lawyer at Borden Ladner Gervais LLP in Montreal.
Gratton says restrictions on cross-border transfers could significantly hamper business in Quebec.
“I am hoping that [the federal reforms] will encourage the [Quebec] government to revisit the onerous and unrealistic cross-border requirements.”
Ontario has also embarked on a consultation on the possible enactment of a private sector privacy law.
“I still think there is a need for Ontario to have its own private sector privacy legislation to address the regulatory gaps between federal/provincial legislation,” says Lifshitz.
In Alberta and British Columbia, there are currently no legal reforms in the works, but with a new NDP majority in B.C., that could soon change.
“Before the provincial election, we had a statutory review of the private sector Privacy Act,” says Ryan Berger, a Vancouver lawyer who leads the privacy group at Lawson Lundell LLP. “And that came to an end as a result of the dissolution of the government. But I would expect that to pick back up and complete.”
Berger said he expects the federal bill will also help to pave the way for updates in the province.
“The new federal law highlights how B.C.’s law is an anachronism.”
James Swanson, a technology and intellectual property lawyer in Calgary, says that while his province has not indicated any intent to reform privacy laws, any changes in B.C. and federally will likely prompt Alberta to move.
“If you have a distinctly different legal regime than the province next door, whether it's east to west or other provinces with which you do business for that matter . . . that becomes a high compliance cost for Alberta business, and it acts as kind of a barrier to competitiveness,” he says.
Swanson also says there may be constitutional issues with the new federal bill about how far the law can go in regulating the private sector for organizations within a province that are not “federal works or undertakings.”
Kirsten Thompson, a partner and national lead of transformative technologies and data strategy group at Dentons in Toronto, says that whatever the final reforms look like, they need to be in the service of driving business and facilitating innovation, not a “knee-jerk reaction based on technophobia.”
“What I hear in my practice constantly and what we've experienced over the last few years of GDPR is companies saddled with compliance burdens that really dampens business and innovation,” Thompson says. “The trick is going to be in getting that balance right.”
Privacy Commissioner enforcement model
The proposed federal Consumer Privacy Protection Act includes the following provisions:
- The ability of the commissioner to force an organization to comply with requirements and to stop collecting data or using personal information
- The ability of the commissioner to recommend that the Personal Information and Data Protection Tribunal impose a fine
- Administrative monetary penalties of up to three per cent of global revenue or $10 million for non-compliant organizations
- Expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of five per cent of global revenue or $25 million