Provinces moving to update private-sector security framework
Proposed privacy law lags in Parliament
As the Liberal federal government’s proposed overhaul of private-sector privacy law stalls in Parliament, Canada’s four largest provinces are working on their own rules for how companies use people’s personal information. Privacy lawyers warn a patchwork of provincial rules could increase compliance burdens for startups and make Canada a less attractive market for digital services.
In November 2020, then-innovation minister Navdeep Bains introduced Bill C-11 to replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA). The legislation would give consumers new rights to move their data between service providers, as well as require companies to tell customers in plain language how they use their personal information and to explain any decisions that affect them made by algorithms.
Alberta, British Columbia and Quebec have their own private-sector privacy laws that the federal government considers “substantially similar” to PIPEDA, and that typically apply to organizations’ data-related commercial activities within provincial borders. Policy-makers in all three provinces are considering updates.
A fourth is moving to establish its own jurisdiction. In June, the Ontario government released a white paper with dozens of potential elements in legislation the Progressive Conservatives might introduce this fall.
Ross Romano, Ontario’s minister of government and consumer services, took direct aim at the federal Liberals in an interview with The Logic. “We need this legislation in this area, because unfortunately, the federal government has not hit the mark on ensuring that we’re protecting people’s rights of privacy,” he said.
Privacy lawyers say the introduction of distinct provincial rules could create compliance challenges for startups, small firms and businesses operating across internal borders. “If those legislations are not aligned, it makes things more complicated and more costly, because you ... have to ensure compliance with all those frameworks,” said Elisa Henry, Montreal-based partner and national co-chair of the privacy practice at Borden Ladner Gervais, speaking shortly after the federal government unveiled Bill C-11 last November.
Companies often choose to ensure their contracts, policies and processes meet the most stringent requirements rather than recreating them for every jurisdiction; it’s why some multinationals have applied the EU’S GDPR standard to customers around the world. Quebec’s proposals go further than the federal ones, according to Henry, so companies could focus on satisfying those rules. But “it would be easier if we only had one framework to work with, given the size of our population,” said Henry. “Our country is big, but we’re not a huge market in terms of number of consumers.”
Federal privacy commissioner Daniel Therrien has called Bill C-11 a “step back” from current privacy rules, saying it lowers organizations’ consent requirements, grants them too many exemptions and too much room to self-regulate. He and other policy advocates have also criticized the legislation for failing to recognize privacy as a fundamental human right.
“If the Liberal government will not do their job, we will do it for them. And we will do it right,” Romano said, noting that the province intends to establish the “the fundamental right to privacy” for residents. Children, for instance, likely need more privacy protection than adults, and that could mean requiring that parents consent before companies collect data on their kids.
“With my son being upstairs, they’re playing a video game where they download an app on the ipad, and then they click ‘Yes, I agree,’” said Romano. “Do they know what they have agreed to? Do I, as a parent, know what my child in the household has agreed to?”
Another section of Ontario’s white paper considers rules for using algorithms to make decisions with personal data. Such technology can “help both people and businesses by making decisions involving large volumes of data more efficient,” it says. But those uses are also often opaque to the people whose lives are being affected, and a badly trained algorithm can mean discrimination and unfairness. The paper proposes letting those affected get detailed information about how automated decisions were made and insist on reviews by live humans.
Bill C-11 includes a similar explainability requirement, though no appeal mechanism. The Ontario white paper also uses practically identical language to the federal legislation on data mobility.
Other provinces are exploring updates to existing privacy legislation. In July, Alberta’s United Conservative Party government launched a public consultation on the provincial Personal Information Protection Act (PIPA), including new rights such as data portability, requirements including plain-language privacy statements, and oversight of new technologies.
“Our legislation is just badly out of date,” said Service Alberta Minister Nate Glubish. “It is not equipped to protect Albertans in the context of a modern digital economy and all of the technology that we [use] on a daily basis.”
Glubish acknowledged Ottawa’s proposals for updated privacy rules, but noted there are “many instances where the federal government and the provincial governments will have legislation touching on a similar topic.” He said his department is monitoring developments in other jurisdictions, although he hasn’t yet discussed them with his ministerial counterparts.
In Quebec, a bill to update that province’s private-sector privacy rules is moving very slowly through the National Assembly. Introduced in June 2020, Bill 64 was last debated that October; a legislative committee is due to take it up again in September.
Bill 64 goes further than the federal and Ontario proposals, and would require anyone “carrying on an enterprise” in Quebec to have a specific person responsible for protecting personal information, for instance, and to name that person publicly.
The legislation would also put up obstacles to transferring personal information outside Quebec, requiring organizations to assess how comparable privacy protections are in the other jurisdiction and get the written permission of the person affected.
Meanwhile, British Columbia’s legislature has struck a committee to review its own PIPA. It’s due to report back by December.
The governments of Manitoba, the Northwest Territories, Prince Edward Island, Newfoundland and Labrador and Yukon — which do not have their own private-sector privacy laws — are not considering introducing such legislation, spokespeople told The Logic. Nova Scotia is in an election campaign where access to public information has been an issue, but not privacy legislation for the private sector. Saskatchewan’s government said it’s monitoring the situation, and Nunavut and New Brunswick did not respond.
The Ontario and Alberta ministers say they’re not worried about creating a patchwork of data-use laws that will make it more difficult for tech and other firms to operate across the country.
“I don’t believe that it would be an impediment, but I certainly will be ensuring that we take into consideration every angle, every lens, to ensure that we’re building the best possible privacy regime for the people of (Ontario),” said Romano. “And for the people of this country, quite frankly, because I do expect that Ontario will once again lead the charge.”
IF THE (LIBERALS) WILL NOT DO THEIR JOB, WE WILL DO IT FOR THEM.