What’s next for PIPEDA: Canada’s “Strengthening Privacy for the Digital Age” Discussion Paper
On 21 May 2019, the federal government released its discussion paper, entitled “Strengthening Privacy for the Digital Age” (Paper), outlining various proposals to amend Canada’s federal private sector privacy legislation. The impetus for these amendments is multi-faceted and, perhaps, not surprising given the stance taken by the Office of the Privacy Commissioner (OPC) in its report released pursuant to the investigation of Equifax Canada.
The government’s recent Paper, released in the context of its Digital Charter initiative, focuses on the modernization of the Personal Information Protection and Electronic Documents Act (PIPEDA) through four key areas. The first involves enhancing individuals’ control over their PII by utilizing such mechanisms as increased transparency, the right to data mobility and the right to request deletion of PII. Enabling innovation is the second area of focus, whereby the government proposed, among other measures, using data trusts as a mechanism to balance data usage with innovation. The next area revolves around enhancing the OPC’s enforcement powers, providing it with the power to make cessation and record preserving orders while also potentially extending the quantum and type of fines it can levy under PIPEDA. Clarifying PIPEDA rounds out the areas of focus, with the government considering extending the scope of the legislation to various non-commercial data collection activities. The government has also indicated that it intends to update and clarify PIPEDA’s application, including its treatment of transborder data flows.
With the release of the Paper has come the OPC’s suspension of its current Consultation on Transborder Data Flows, with the OPC planning to initiate a subsequent round of consultation pursuant to its review of the Paper. The Privacy Commissioner has indicated that, in the interim, organizations are not expected to alter their current transborder data flow practices. Legal experts speculate that these proposed amendments to PIPEDA reflect a growing trend to align Canada’s privacy regime with the European Union’s General Data Protection Regulation (GDPR). This is particularly true as Canada looks to maintain its adequacy ruling with the EU, which could be due for review in 2020.
In these uncertain times, it’s more important now than ever for organizations to review and utilize robust internal compliance mechanisms to avoid getting caught in the crosshairs of Canada’s evolving privacy regulatory web. A cyber liability insurance policy can help transfer some of the financial risks associated with not only privacy breaches, but also non-compliance with certain privacy laws. If the policy contains robust wording, it could respond to cover legal defence costs and insurable fines that may result from a regulatory investigation. If the insured should also face a claim or lawsuit resulting from a privacy breach that compromises third party PII in its care, custody or control, settlement and judgment amounts, as well as legal defence costs, could also benefit from coverage. In addition, a cyber policy could respond to provide coverage for various first-party costs incurred ‘out-of-pocket’ by the insured to deal with the impact of a breach, including IT forensics, notification costs, call centre and credit/identity theft monitoring as well as expenses to hire a PR firm to mitigate the negative reputational impact of a breach.