Privacy Law Reform: the OPC 2018-2019 Annual Report

The Office of the Privacy Commissioner of Canada just published the 2018-2019 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act. Unlike other reports, this report’s focus was on privacy law reform. In fact, it was so titled as Privacy Law Reform – A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy.

The Annual Report is a must read for everyone concerned about privacy including members of the general public and organizations whose privacy practices and compliance burdens would be significantly affected if some or all of the proposals were accepted and enacted into law.

The report includes the following proposals for reform.

  • That privacy be recognized as a fundamental human right.
  • The principles underlying PIPEDA should be enlarged from the two existing principles “to implement the fundamental right to privacy of all persons in the commercial context through robust data protection that ensures that the processing of data is lawful, fair, proportional, transparent and accountable, and respects the fundamental rights and freedoms of individuals”.
  • PIPEDA should be transformed from a consent based to a consent and a “rights based” law.  There would, for example be, a fundamental right to be free from “unjustified surveillance” by commercial entities. Use of technologies that are “incompatible” with “rights-based laws” “should not be permitted”.
  • There should be additional exceptions to the consent principle for socially beneficial purposes, but before any such exception could be relied upon several prior conditions would have to be met including that: “it is necessary to use personal information; it is impracticable to obtain consent; pseudonymized data will be used to the extent possible; societal benefits clearly outweigh any privacy incursions; a privacy impact assessment (PIA) was conducted in advance; the organization has notified the OPC in advance; the organization has issued a public notice describing its practices; and individuals retain the right to object.”
  • Public authorities including the OPC should have the right to prescribe “subsidiary binding rules” or “binding guidance through a succession of individual orders” giving effect to privacy principles in specific contexts.
  • The OPC should be able to unilaterally initiate on demand proactive investigations to ensure “demonstrable accountability”.
  • The OPC should have additional enforcement rights for “quick and effective remedies”.

Readers should carefully scrutinize the report and determine whether the proposals, individually or in the aggregate:

  • Do not go far enough, strike the right balance, or would go too far in seeking to balance the importance of privacy with other considerations.
  • Are both desirable and workable in practice.
  • Put insufficient, appropriate, or too much jurisdiction in the OPC. For example, would it be appropriate for a single regulator to have the right to: unilaterally make binding rules (essentially creating new privacy laws or rules binding on specific sectors); compel organizations, on demand, to demonstrate compliance with privacy laws without any evidence of non-compliance; investigate alleged breaches of privacy laws; and make enforcement orders and fine alleged offenders?

The reform of Canada’s privacy laws is also the subject of ISED’s proposals to modernize PIPEDA reflected in Strengthening Privacy for the Digital Age (May 2019). The OPC’s Annual Report is a clear statement from the Commissioner as to how the OPC would like to reshape privacy law in Canada.

These proposals all deserve close scrutiny to ensure that our laws evolve in effective, principled, and workable ways.



Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

OPC consultation on trans-border data flows: my submission to the consultationOPC consultation on trans-border data flows: my submission to the consultation

Dear M. Therrien: Thank you for the opportunity to provide input into the consultation on whether consent is or should be required for transborder data flows for processing. Introduction By way of introduction, I am a senior technology lawyer with McCarthy Tétrault. I have significant experience in outsourcings of all ...

EU Commission proposes comprehensive reform of data protection rulesEU Commission proposes comprehensive reform of data protection rules

Yesterday, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. Highlights of the reform plan are described by the Commission as follows: A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as ...

Computer and Internet Law Weekly Updates for 2010-04-18Computer and Internet Law Weekly Updates for 2010-04-18

IRMA/Eircom graduated response agreement found compatible with UK data protection legislation. # Text of ACTA to be made public following NZ meetings according to Joint statement # Debate: Graduated response to copyright infringement – Debatepedia # SSRN-Judicially Re(De)Fining Software Patent Eligibility: A Survey … # More on the High Court ...

%d bloggers like this: