By Esther Shainblum and Martin U. Wissmath

Privacy Commissioner Reacts to Proposed Reform Bill for Federal Privacy Law Regime

Canada’s federal privacy commissioner says proposed laws are heading in the right direction, but not far enough, according to a May 11, 2023 announcement on the Office of the Privacy Commissioner (OPC) website. Bill C-27 (the “Bill”), short titled as the Digital Charter Implementation Act, 2022, completed second reading on April 24, 2023 in the House of Commons and was referred to the Standing Committee on Industry and Technology. The Bill would enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, along with consequential and related amendments to other statutes. For an in-depth look at the Bill, reference can be made to the June 2022 Charity and NFP Law Update.

As noted above, one of the proposed statutes in the Bill is the Consumer Privacy Protection Act (the “CPPA”). If passed in its current form, the CPPA will replace the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Bill would also enact the Personal Information and Data Protection Tribunal Act, establishing the Personal Information and Data Protection Tribunal to adjudicate contraventions of the CPPA and have the power to impose administrative monetary penalties.

Philippe Dufresne, the Privacy Commissioner of Canada (the “Commissioner”), commented that the currently proposed reforms to the privacy regime are an improvement over PIPEDA and the former Bill C-11, which died on the Order Paper when Parliament was dissolved on August 15, 2021 for the last federal election. However, the Commissioner also stated that the Bill “can and must go further” in protecting privacy rights, balanced with supporting innovation in the tech sector.

The OPC provided 15 written recommendations to the House of Commons Standing Committee on Industry and Technology regarding the Bill on April 26, 2023. These recommendations were made in consideration of the Commissioner’s espoused “vision for privacy”, which is that privacy should be a right, support the public interest, and increase trust in public institutions and participation in civil society.

The recommendations are:

1. Recognize privacy as a fundamental right.
2. Protect children’s privacy and the best interests of the child.
3. Limit organizations’ collection, use and disclosure of personal information to specific and explicit purposes that take into account the relevant context.
4. Expand the list of violations qualifying for financial penalties to include, at a minimum, appropriate purposes violations.
5. Provide a right to disposal of personal information even when a retention policy is in place.
6. Create a culture of privacy by requiring organizations to build privacy into the design of products and services and to conduct privacy impact assessments for high-risk initiatives.
7. Strengthen the framework for de-identified and anonymized information.
8. Require organizations to explain, on request, all predictions, recommendations, decisions and profiling made using automated decision systems.
9. Limit the government’s ability to make exceptions to the law by way of regulations.
10. Provide that the exception for disclosure of personal information without consent for research purposes only applies to scholarly research.
11. Allow individuals to use authorized representatives to help advance their privacy rights.
12. Provide greater flexibility in the use of voluntary compliance agreements to help resolve matters without the need for more adversarial processes.
13. Make the complaints process more expeditious and economical by streamlining the review of the Commissioner’s decisions.
14. Amend timelines to ensure that the privacy protection regime is accessible and effective.
15. Expand the Commissioner’s ability to collaborate with domestic organizations in order to ensure greater coordination and efficiencies in dealing with matters raising privacy issues.

The Commissioner’s primary message was that reform of privacy law is “overdue and must be achieved”.

From the point of view of charities and not-for-profits, the OPC noted that the CPPA would reverse a problematic modification to the definition of “commercial activity” introduced in the former Bill C-11. As discussed in our Charity and NFP Law Bulletin No. 481, the definition of “commercial activity” in PIPEDA explicitly includes “the selling, bartering or leasing of donor, membership or other fundraising lists,” but this language was omitted from Bill C-11. We pointed out that the omission of that language could have led to a situation in which organizations would no longer be required to obtain consent for the creation and use of donor, membership and fundraising lists.  The OPC noted this potentially problematic outcome was avoided by reintroducing the words “including the selling, bartering or leasing of donor, membership or other fundraising lists” in the definition of “commercial activity” under the CPPA.

Although the federal legislative reforms do not directly apply to all charities and not-for-profits, except to the extent that they participate in commercial activity, they are of interest to all organizations that collect, use, and disclose personal information in Canada.

Political Parties Should Protect Right to Privacy, says Federal Commissioner

Even with swathes of sensitive personal information at their disposal, Canada’s political parties are still not subject to privacy laws, and that’s a problem, according to the Privacy Commissioner. On May 3, 2023, the OPC published an announcement after the Commissioner’s appearance that day before the Standing Senate Committee on Legal and Constitutional Affairs, where he stated that political parties should be subject to legislation which ensures they respect the privacy rights of Canadians. As not-for-profits, political parties are not held to account under PIPEDA, nor the federal Privacy Act. The Commissioner said:

Given the importance of privacy and the sensitive nature of the information being collected, Canadians need and deserve a privacy regime for political parties that goes further than self-regulation and that provides meaningful standards and independent oversight to protect and promote electors’ fundamental right to privacy.

The Commissioner’s remarks were spurred by amendments proposed in Bill C-47, the Budget Implementation Act. These proposals would allow political parties to collect, disclose, retain and dispose of the personal information of private individuals and use it in accordance with internal privacy policies.

In response, the Commissioner stated that the collection, use, disclosure, retention and disposal of personal information by political parties should be regulated by law. These laws, he stated, should be based on globally recognized privacy principles, which includes the ability for a neutral third party to enforce compliance with the law, and provide remedies in case of a data breach that jeopardizes sensitive personal information. 

​Read the Month Year Charity & NFP Law Update