This was the year an overhaul of federal private-sector privacy law died. But one expert says 2022 may be the year of private-sector privacy law upheaval — if Parliament and three provincial legislatures move fast.
“All of the signals suggest that we’re potentially going to see quite a bit of private sector data protection law reform at the federal and provincial levels next year,” Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa law school said in a year-end interview.
Depending on the provisions, legislation could have a significant effect on the data collection and protection practices of businesses.
–the federal minister of innovation, who is responsible for privacy legislation, told a news site that the government will introduce legislation to replace of Bill C-11 (the Digital Charter Implementation Act), which died when the fall election was called.
No date was given for the introduction of a new bill. Nor is it clear if the new legislation will radically or just slightly change C-11;
–a B.C. legislature committee this month released the results of a public consultation on updating the provincial private sector privacy law and made 34 recommendations. The next step is drafting new legislation;
–Alberta is reviewing the results of a public consultation, which finished in October, on updating its private sector law;
–Ontario released a white paper in June with a suggested outline of the province’s first private sector privacy law. One proposal: Up to a $25 million fine or five per cent of an organization’s global revenue for failing to report a breach of security safeguards, failing to abide by a compliance order or re-identifying personal information that had been de-identified.
The provincial government hasn’t committed to introducing a law. Scassa noted that the white paper’s outline was based on C-11; now that it no longer exists, Ontario may choose to wait until its replacement is introduced and/or passed before proceeding.
–Meanwhile Quebec is just starting a three-year implementation of provisions of Bill 64, an overhaul of its private sector privacy law. Starting in September 2022, organizations must begin notifying the privacy regulator and individuals regarding any breaches to compromised personal information that present a “risk of serious injury” to the affected individuals.
This year also saw the public pay more attention to the increased use of surveillance and facial recognition technologies by businesses and governments, Scassa said. In addition to the federal and three provincial privacy commissioners declaring the scraping of images from the internet by Clearview AI to be a violation of their respective privacy laws, there has been criticism about how far firms can go in monitoring employees working from home and higher education institutions can go in monitoring students taking exams.
Data governance issues were also more prominent this year, with the federal and provincial governments investigating data-sharing frameworks. C-11 and Quebec’s Bill 64, for example, have sections on ways to protect data shared by researchers. After creating the Ontario Health Data Platform for sharing data collected by the province for COVID-19 research, the province is wondering if the platform could be adapted when the pandemic ends for sharing other provincially-held data.
The loss of C-11 may not be mourned by many, but, Scassa said, “at least it showed what the federal government was thinking.”
And while it may not have had a lot of support in the business community, Scassa believes many companies “just want to get on with it [reform]”… “I think they could have lived with it.”
She does give the Liberal government credit for effectively re-writing the existing Personal Information Protection and Electronic Documents Act (PIPEDA). “That was a massive undertaking, to tackle many important areas from enforcement and order making-powers for the Privacy Commissioner, to the creation of new structures like the Data Tribunal, new rights to have data about you erased and attempts to balance privacy with the interests of those who want to use large quantities of data for research.
“That was one of the stumbling blocks of the bill — it just was trying to do a lot of different things, so it sparked a lot of controversy.”
Privacy Commissioner Daniel Therrien was “very critical,” she added, “which didn’t help”
Former Ontario Privacy Commissioner Ann Cavoukian, now executive director of the Global Privacy and Security By Design Centre, won’t miss C-11, which she called a “stupid bill … Hopefully they’re going to start all over again.”
Arguably the biggest privacy breach of the year in this country was the Newfoundland and Labrador health care network attack, the extent of which is still being withheld by the province. But it has acknowledged that patient, current and former employee information stretching back more than a decade was accessed by the attacker.
That breach is “sad and heartbreaking,” said Cavoukian.
In his annual report to Parliament, Privacy Commissioner Daniel Therrien noted his office fielded 309 allegations of violations of PIPEDA for the 12 months ending March 31.
Two court proceedings to note for 2022: Google will try to appeal a ruling from earlier this year that PIPEDA doesn’t apply to its search engine results because the search side of the company isn’t a commercial enterprise, and because search results are used for journalism. PIPEDA’s obligations don’t apply to journalistic endeavors.
However, a Federal Court judge ruled Google promotes its advertising business by highlighting the popularity of its search engine. The case could have ramifications for content publishers because it involves the so-called right to be forgotten.
Meanwhile Facebook and Therrien’s office continue to spar in court over the Privacy Commissioner’s findings in 2019 in the Cambridge Analytica scandal. Facebook refuses to implement recommendations, so Therrien has asked the Federal Court to impose a binding order requiring Facebook to follow those recommendations. Earlier this year, the Federal Court made procedural rulings. The two sides have yet to agree on a schedule for more hearings.
Finally, looking to 2022, Cavoukain worries that because of the continuing COVID-19 pandemic, businesses and governments are pushing practices that don’t take the privacy of personal data into account.
“COVID is making people think, ‘Let’s go back to the zero-sum model of ‘either or’ (privacy or safety, not both). We have a pandemic so we have to collect information, so for public safety versus privacy we have to vote in favour of safety.’
“No, you don’t. You don’t have to do one versus the other. The whole push with vaccine passports and everyone is expected to be vaccinated and show evidence of that to gain access to premises and to various activities — this is appalling. Your personal health information is the most sensitive information that exists. It shouldn’t have to be shared publicly, and it shouldn’t have to be recorded at places you go to where geolocation information is also available. The potential for tracking [people] is enormous. They’re calling it vaccine tracking, vaccine surveillance.
“I think it’s going to get worse before it gets better.”