It was the year a federal private sector privacy law overhaul died. But expert says 2022 could be the year of upheaval in private sector privacy laws – if Parliament and three provincial legislatures act quickly.
“All signals suggest that we are potentially going to see a major reform of the law on data protection in the private sector at the federal and provincial levels next year”, Teresa Scassa, holder of the Canada Research Chair in Law and information policy at the University of Ottawa. said the law school in an end-of-year interview.
Depending on the provisions, the legislation could have a significant effect on the data collection and protection practices of companies.
– the federal Minister of Innovation, who is responsible for privacy legislation, told a news site that the government would introduce legislation to replace Bill C-11 (An Act to implementation of the digital charter), which died when the fall elections were called.
No date has been given for the tabling of a new bill. It is also not clear whether the new legislation will change the C-11 drastically or just slightly;
– a British Columbia legislative committee this month released the results of a public consultation on updating the provincial law on the protection of personal information in the private sector and made 34 recommendations. The next step is to draft new legislation;
–Alberta is reviewing the results of a public consultation, which ended in October, on updating its private sector law;
– Ontario released a white paper in June with a suggested overview of the province’s first private sector privacy law. One proposal: up to $ 25 million in fines or 5% of an organization’s worldwide revenue for failing to report a security breach, failing to comply with a compliance order, or re-identify personal information that had been anonymized.
The provincial government has not made a commitment to introduce legislation. Scassa noted that the white paper’s plan was based on C-11; now that it no longer exists, Ontario can choose to wait until its replacement is introduced and / or adopted before proceeding.
– Meanwhile, Quebec is just beginning the three-year implementation of the provisions of Bill 64, an overhaul of its law on the protection of personal information in the private sector. Beginning in September 2022, organizations must begin notifying the privacy regulator and individuals of any breach of compromised personal information that poses a “risk of serious injury” to the individuals concerned.
No more problems
This year, the public has also paid more attention to the increased use of surveillance and facial recognition technologies by businesses and governments, Scassa said. In addition to federal and provincial privacy commissioners who have said Clearview AI’s Internet image scraping violates their respective privacy laws, there have been criticisms of the extent to which companies can go to monitor employees working at home and in higher education. institutions can monitor students taking exams.
Data governance issues were also more prominent this year, with federal and provincial governments investigating data sharing frameworks. C-11 and Quebec’s Bill 64, for example, contain sections on ways to protect data shared by researchers. After creating the Ontario Health Data Platform for sharing data collected by the province for COVID-19 research, the province is wondering if the platform could be adapted as the pandemic ends to share other data held by the province.
The loss of C-11 may not be mourned by many, but, said Scassa, “at least it showed what the federal government was thinking.”
And while he may not have had much support in the business community, Scassa believes that many companies “just want to keep going. [reform]”…“ I think they could have lived with that. ”
She credits the Liberal government for effectively rewriting the Personal Information Protection and Electronic Documents Act (PIPEDA). “It was a huge undertaking, to tackle many important areas, from enforcement and order-making powers for the Privacy Commissioner to the creation of new structures like the data tribunal. , new rights to erase data about you, and attempts to balance privacy with the interests of those who wish to use large amounts of data for research.
“That was one of the stumbling blocks of the bill – it was just trying to do a lot of different things, so it created a lot of controversy.”
Privacy Commissioner Daniel Therrien was “very critical”, she added, “which did not help”
Former Ontario Privacy Commissioner Ann Cavoukian, now Executive Director of the Global Privacy and Security By Design Center, will not miss the C-11, which she called ” stupid law… I hope they will start all over again ”.
Arguably the biggest privacy breach of the year in this country was the attack on Newfoundland and Labrador’s health care system, the scale of which is still held by the province. But he admitted that the attacker had accessed information on patients, current and former employees dating back more than a decade.
This breakup is “sad and heartbreaking,” Cavoukian said.
In his annual report to Parliament, Privacy Commissioner Daniel Therrien noted that his office had filed 309 allegations of PIPEDA violations for the 12 months ending March 31.
Two court cases to note for 2022: Google will attempt to appeal a ruling earlier this year that PIPEDA does not apply to its search engine results because the search side of the company is not not a commercial enterprise and because the search results are used for journalism. The obligations of PIPEDA do not apply to journalistic activities.
However, a Federal Court judge ruled that Google promotes its advertising business by emphasizing the popularity of its search engine. The case could have ramifications for content publishers as it involves the so-called right to be forgotten.
Meanwhile, Facebook and Therrien’s office continue to argue in court over the Privacy Commissioner’s 2019 findings in the Cambridge Analytica scandal. Facebook refuses to implement the recommendations, so Therrien asked the Federal Court for a binding order requiring Facebook to follow these recommendations. Earlier this year, the Federal Court issued procedural decisions. The two sides have yet to agree on a timetable for further hearings.
Finally, by 2022, Cavoukain fears that due to the continuing COVID-19 pandemic, companies and governments will encourage practices that do not take into account the confidentiality of personal data.
“COVID makes people think, ‘Let’s go back to the zero-sum model of’ either or ‘(privacy or security, not both). We have a pandemic, so we have to collect information, so for public safety versus privacy, we have to vote for safety.
“No, you don’t. You don’t have to play against each other. The whole push with vaccine passports and everyone should be vaccinated and show proof of that to gain access to premises and various activities – it’s appalling. Your personal health information is the most sensitive information there is. It shouldn’t have to be shared publicly, and it shouldn’t have to be saved in places you go where geolocation information is also available. The potential for follow-up [people] is huge. They call it vaccine monitoring, vaccine monitoring.
“I think it’s going to get worse before it gets better.”