Fifth Update Report on Developments in Data Protection Law in Canada

Report to the European Commission June 2019

Publication information

This publication is available online at www.ic.gc.ca/eic/site/113.nsf/eng/h_07666.html.

To obtain a copy of this publication, or to receive it in an alternate format (Braille, large print, etc.), please fill out
the Publication Request Form at www.ic.gc.ca/Publication-Request or contact:

Web Services Centre
Innovation, Science and Economic Development Canada
C.D. Howe Building
235 Queen Street
Ottawa, ON K1A 0H5
Canada

Telephone (toll-free in Canada): 1-800-328-6189
Telephone (international): 613-954-5031
TTY (for hearing impaired): 1-866-694-8389
Business hours: 8:30 a.m. to 5:00 p.m. (Eastern Time)
Email: ISED@canada.ca

Permission to Reproduce

Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from the Department of Industry, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that the Department of Industry is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced or as having been made in affiliation with, or with the endorsement of, the Department of Industry.

For permission to reproduce the information in this publication for commercial purposes, please fill out the Application for Crown Copyright Clearance at www.ic.gc.ca/copyright-request or contact the Web Services Centre mentioned above.

© Her Majesty the Queen in Right of Canada, as represented by the Minister of Industry, (2018).

Cat. No. Iu37-8/5-2019E-PDF

ISBN 978-0-660-31900-1

Aussi offert en français sous le titre Cinquième rapport d'étape sur les évolutions en matière de législation sur la protection des données au Canada.

PDF version

1.0 Introduction

1.1 In December 2001, the European Commission (EC) issued Decision 2002/2/EC, pursuant to Article 25(6) of Directive 95/46/EC. The Decision states that Canada is considered as providing an adequate level of protection of personal data transferred from the European Union (EU) to recipients subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). The adequacy decision was reaffirmed in 2006.

1.2 In accordance with Article 2 of Implementing Decision (EU) 2016/2295, which amended Decision 2002/2/EC, the EC is required, on an ongoing basis, to monitor developments in the Canadian legal framework, including developments concerning access to personal data by public authorities, with a view to assessing whether Canada continues to ensure an adequate level of protection of personal data.

1.3 In May 2017, as part of an ongoing effort to assist the Commission in its monitoring obligation, Government officials provided the EC with the first in a series of biannual reports that outline key developments in Canada's data protection frameworkFootnote 1.

1.4 The EC's monitoring obligation was reaffirmed in May 2018 through the application of Article 45(4) of the General Data Protection Regulation (GDPR), which requires the Commission, on an ongoing basis, to monitor privacy-related developments in Canada that could affect the functioning of the existing adequacy decision. Recognizing that this monitoring activity continues, as part of the evaluation and review of the GDPR, which is to include an examination of existing adequacy decisions, which occurs every four years, beginning in May 2020, the present report outlines developments in Canada's data protection framework since the fourth update report prepared in December 2018.

2.0 Developments Related to Canada's Private Sector Privacy Law

Personal Information Protection and Electronic Documents Act (PIPEDA)

2.1 There are no statutory developments or amendments to the legislation since the last report.

Canada's Anti-Spam Legislation (CASL)

2.2 The CASL Performance Measurement Report 2017-2018 was recently completed and is available online.Footnote 2 This annual report provides an overview of the governance and compliance elements of CASL as well as statistical information from the Spam Reporting Centre. The new format and online availability of the report is in part, in response to a recommendation from Innovation, Science and Economic Development Canada (ISED)'s Audit and Evaluation Branch, which identified a need for greater coordination among CASL partnersFootnote 3 on education and outreach activities. This need was also reflected in a recommendation from the House of Commons Standing Committee on Industry, Science and Technology in its report on the statutory review of CASLFootnote 4. On April 1, 2019, the Government launched a revamped websiteFootnote 5 associated with the legislation, which includes a link to the CASL Performance Measurement Report, a revised online form to report unsolicited commercial electronic messages or other electronic threats to the Spam Reporting Centre, and other updates.

2.3 There are no statutory developments or amendments to the legislation since the last report.

3.0 Legislative Initiatives

Bill C-59, An Act respecting national security matters, 2017

3.1 In June 2017, the Government introduced legislation under Bill C-59, An Act respecting national security mattersFootnote 6 to enhance accountability mechanisms for national security agencies, and to modernize the powers provided to the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE). The Bill was passed by the House of Commons and the Senate, which adopted several amendments strengthening its provisions. Bill C-59 received Royal Assent on June 21, 2019, and is now known as the National Security Act, 2017.

Bill C-58, An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts

3.2 On June 21, 2019, the legislation to amend thefederal Access to Information Act (ATIA) and make consequential amendments to the Privacy Act received Royal Assent. The Information Commissioner now has the power, following the investigation of a complaint, to make binding orders in relation to access to information requests, including ordering the release of government records. The order-making model includes checks and balances to ensure that the Privacy Commissioner has the power to provide input regarding the protection of personal information and to intervene if he or she considers it necessary. As well, the new legislation introduced new requirements for the proactive publication of a broad range of information that apply to over 260 federal government institutions, as well as the Prime Minister's Office, Ministers' offices, and administrative bodies that support Parliament and the courts.

Bill C-21, An Act to amend the Customs Act

3.3 In June 2016, the Government introduced Bill C-21, An Act to amend the Customs Act.Footnote 7 The Bill authorizes the Canada Border Services Agency (CBSA) to collect personal information on any person who is leaving, or has left, Canada at all land ports of entry. In addition, it requires that every person who is leaving Canada must, if requested to do so by an officer, present themselves to an officer and answer any questions the officer asks. The Bill amends the Customs Act to authorize the disclosure of customs information to an official of the Department of Employment and Social Development for the purpose of administering or enforcing the Old Age Security Act (in addition to the Employment Insurance Act). It also provides the legislative authority for the collection of personal information in accordance with section 4 of the Privacy Act and prescribes the retention period. Finally, the Bill amends the Customs Act to authorize officers to require that goods that are to be exported from Canada be reported and examined despite any exemption under the Act. After being referred to the Standing Senate Committee on National Security and Defence, Bill C-21 received Royal Assent on December 13, 2018.

Bill C-76, Elections Modernization Act, 2018

3.4 On April 30, 2018, the Government introduced Bill C-76, An Act to amend the Canada Elections Act and other Acts and make certain consequential amendments (Elections Modernization Act) in the House of CommonsFootnote 8. The Bill amends the Canada Elections Act to establish spending limits for third parties and political parties during a defined period before the election period of a general election held on a day fixed under that Act. It establishes measures to increase transparency regarding the participation of third parties in the electoral process. The Bill also amends the Act to provide for certain requirements with regard to the protection of personal information for political parties, including the obligation for the party to adopt a policy for the protection of personal information and to publish it on its Internet site. Furthermore, the Bill establishes measures to permit information sharing between the Minister of Citizenship and Immigration and the Chief Electoral Officer for the purpose of updating and maintaining the National Register of Electors and the National Register of Future Electors, by removing non-citizens and by adding youth citizens ages 14 to 17. The Bill received Royal Assent on December 13, 2018 and came into force six months after receiving Royal AssentFootnote 9.

4.0 Parliamentary Committee Activities

Study of Breach of Personal Information Involving Cambridge Analytica and Facebook

4.1 In March 2018, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) adopted a motion to conduct a study of the privacy implications of platform monopolies and possible national and international regulatory and legislative remedies to assure the privacy of citizens' data and the integrity of democratic and electoral processes across the globe. The Committee issued an interim report in June 2018, and tabled its final report on its study of the breach of personal information involving Cambridge Analytica and Facebook in December 2018Footnote 10. The final report, titled Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly contains 26 recommendations; 18 new recommendations plus 8 recommendations from the interim report. The list of recommendations cover themes related to privacy protection and political parties, regulation of social media, regulation of technology giants and "data‑opolies", cyber security, as well as research, digital literacy and public awareness.

4.2 The Government ResponseFootnote 11 to the Committee's report was tabled in the House of Commons on April 10, 2019. The Response reiterates the Government's intent to re-evaluate and modernize Canada's privacy protection framework for the private sector, including PIPEDA and Canada's anti-spam legislation. In particular, the Response noted that a variety of options for the reform of the consent and enforcement regimes will be examined to ensure that the Act maintains its intended balance between the individual's right to privacy and the legitimate needs of business with respect to personal information.

Study on Privacy of Digital Government Services

4.3 In 2018, the ETHI Committee agreed to undertake a studyFootnote 12 on the privacy implications and potential legal barriers relating to the implementation of digital government services in Canada, in order to make recommendations on how the Government could improve its services while also protecting Canadians' privacy and security. The Standing Committee issued its report on Privacy and Digital Government Services on June 18, 2019. The report contains eight recommendations. The recommendations cover themes such as the modernization of Canada's federal privacy laws, data minimization, shift to digital government, digital backbone for government services, and governance of Indigenous people's data.

Senate Report on Automated Vehicles

4.4 On July 27, 2018, the Government tabled its response to the Senate Committee's report, Driving Change: Technology and the Future of the Automated Vehicle, following a study on the regulatory and technical issues related to the deployment of connected and automated vehicles (CAVs). The Government ResponseFootnote 13 to the Committee's report largely concurred with the Committee's privacy-related recommendations such as assessing the need for privacy regulations specific to CAVs. It also indicated a commitment to work with stakeholders and partners, including the Office of the Privacy Commissioner, to develop an industry-specific code of best practices for privacy protection. In cooperation with federal and private sector partners, Innovation, Science and Economic Development Canada is launching the Data Privacy and Security Expert Sub-Group that will provide advice to the Vehicle of the Future Advisory GroupFootnote 14 on issues related to privacy and cybersecurity issues.

National Security and Intelligence Committee of Parliamentarians (NSICOP)

4.5 The National Security and Intelligence Committee of Parliamentarians (NSICOP) was established under the National Security and Intelligence Committee of Parliamentarians (NSICOP) Act in June 2017. The NSICOP serves as an independent review body of Canada's national security and intelligence organizations. It may review the legislative, regulatory, policy, administrative and financial framework for national security and intelligence, as well as any activity carried out by a department that relates to national security or intelligenceFootnote 15. The Committee's first annual reportFootnote 16 was tabled in Parliament on April 9, 2019. The report contains eleven findings and seven recommendations aimed at strengthening the accountability and effectiveness of organizations that conduct national security and intelligence activities in Canada and abroad. The Committee's stated intention for the report is to contribute to an informed debate on the challenges of providing security and intelligence organizations with the powers necessary to identify and counter threats to the nation, while at the same time ensuring that their activities continue to respect and preserve democratic rights.

4.6 The report also identifies upcoming NSICOP reviews for 2019 including a review of the national security intelligence activities of the CBSA, threats to national security from foreign interference, and a study of diversity and inclusion in Canada's security and intelligence community. The Committee will also undertake a fourth review of the collection, use, retention and dissemination of information on Canadian citizens by the Department of National Defence and the Canadian Armed Forces in the conduct of defence intelligence activities. It will submit its findings and recommendations in a Special Report to the Prime Minister and the Minister of National Defence in 2019.

5.0 Recent Court Decisions

Supreme Court of Canada

5.1 On February 14, 2019, the Supreme Court of Canada issued its decision in R. v. JarvisFootnote 17, which dealt with the element of the offense of voyeurism requiring that the circumstances give rise to a "reasonable expectation of privacy". The accused was a high school teacher who used a camera concealed inside a pen to make surreptitious video recordings of female students in common areas of the school. The accused was charged with voyeurism under section 162(1)(c) of the Criminal Code, which makes it an offense to surreptitiously observe or make a visual recording of another person in circumstances that give rise to a reasonable expectation of privacy, if the observation or recording is done for a sexual purpose. The Supreme Court unanimously agreed that the students' circumstances gave rise to a reasonable expectation that they would not be recorded in the manner they were. A majority of the Court further recognized that being in a public space does not automatically negate expectations of privacy for purposes of the offence, and whether observation or recording is seen as an invasion of privacy depends on a variety of factors.

6.0 Office of the Privacy Commissioner Activities

Online Reputation/Google

6.1 In October 2018, the Office of the Privacy Commissioner (OPC) filed a Notice of Application in Canada's Federal Court to seek clarity on whether Google's search engine service is subject to federal privacy law, PIPEDA. The Reference application asks whether Google's search engine service collects, uses or discloses personal information in the course of commercial activities when indexing webpages and presenting the search results in response to searches of individual's name. It also asks whether Google's search engine service is exempt from PIPEDA because its purposes are exclusively journalistic or literary. On March 1, 2019, the Federal Court issued an OrderFootnote 18, with respect to this Reference, dismissing a motion from media partiesFootnote 19 seeking to be added as parties to the Reference, or alternatively, seeking leave to intervene as if they were full parties. The Court concluded that the media parties ought not to be added as parties to the Reference, however, the Order provides for the media parties to reapply for intervenor status at a later date. The media parties have, by consent, discontinued their appeal of the Court's Order dismissing their motion to be added as parties to the Reference. On April 16, 2019, the Federal Court dismissed Google's challenge to expand the scope of the ReferenceFootnote 20 based mainly on the fact that only federal boards, commissions and other tribunals are allowed to refer questions to the Court, and that there is no mechanism by which the Court or a party to a reference might intervene to modify the scope of the reference questions. Google filed a notice of appeal of this decision on April 26, 2019.

Budget 2019 — Protecting the Privacy of Canadians

6.2 The Budget Implementation Act, No. 1 was tabled by the Government on March 19, 2019 proposes funding of CAN$22M over five years for the Office of the Privacy Commissioner to enhance the Office's capacity, including its ability to engage with Canadian individuals and businesses, address complaints, and respond to privacy issues as they occur.

Guidance for Federal Political Parties on Protecting Personal Information

6.3 On April 1, 2019, the OPC and Chief Electoral Officer of CanadaFootnote 21 issued guidance intended to assist federal political parties in complying with their new legal obligations relating to privacy policies. The Guidance for Federal Political Parties on Protecting Personal InformationFootnote 22 is in response to recent changes to the Canada Elections Act under Bill 76,Footnote 23 which require federal political parties to develop privacy policies, submit them to Elections Canada and publish them online by July 1, 2019. In addition to a list of the required legal obligations relating to privacy policies, the Guidance also encourages political parties to follow international privacy standards (fair information principles), which are outlined in the document.

Consultations on Transborder Data Flows under PIPEDA

6.4 On April 9, 2019, the OPC announced a public consultation on transborder dataflowsFootnote 24 under the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC issued a supplementary discussion document for its consultation on April 23, 2019, which provides further background and suggested questions for stakeholders. The Office is revisiting its 2009 position outlined in the OPC's Guidelines for Processing Personal Data Across BordersFootnote 25. On June 11, 2019, following the publication of Canada's Digital Charter and the release of a Government discussion paper on PIPEDA reform (see below), the Office announced a reframing of its consultationsFootnote 26, with the publication of a reframed discussion documentFootnote 27 which includes three additional questions for stakeholder input, and an extended deadline of August 6, 2019.

2018-19 Survey of Canadians on Privacy

6.5 On May 7, 2019, the OPC released the results of its biennial surveyFootnote 28 of Canadians' awareness, understanding and perceptions of privacy-related issues. The survey indicated that the vast majority of Canadians (92 per cent) are concerned about the protection of their privacy, especially with regard to certain online practices. The survey results also highlight that Canadians feel they lack control over how their personal information is being used by companies and government and want a say in how, and to whom, it is disclosed. For instance, the vast majority of Canadians (86 per cent) said companies should not be able to share their personal information for purposes other than to provide them with a service. The findings will be used to inform and guide the OPC's outreach efforts to Canadians.

7.0 Other Items of Interest

Canada's Digital Charter

7.1 On May 16, 2019, Prime Minister Trudeau delivered a keynote address at the VivaTech event in Paris where he announced that Canada would be launching a Digital Charter to guide the creation of a new, transparent and accountable digital policy. The following week, on May 21, 2019, the Minister of Innovation, Science and Economic Development, Navdeep Bains, launched Canada's new Digital Charter: Trust in a digital worldFootnote 29, which outlines elements to address issues such as universal access and hate online. The Digital Charter was informed by the Digital and Data Consultations, which took place from June to October 2018. The results of these public consultations have been published in a report, Canada's Digital Charter in Action: A Plan by Canadians, for CanadiansFootnote 30, which provides highlights of the engagement process and a summary of the feedback received.

7.2 Minister Bains also announced a set of actions that will serve to implement the Charter's ten principlesFootnote 31, including a set of proposals to modernize PIPEDAFootnote 32, and confirming its commitment to modernize the Privacy ActFootnote 33. The proposal to modernize PIPEDA, Strengthening Privacy for the Digital Age, outlines a series of policy considerations related to specific proposals that would serve to enhance consumer control, enable responsible innovation and enhance enforcement. Specifically, the Government is proposing clarifications under PIPEDA that detail what information individuals should receive when they provide consent; certain exceptions to consent; data mobility; deletion and withdrawal of consent; incentives for certification, codes, standards, and data trusts; enhanced powers for the Office of the Privacy Commissioner; as well as certain modernizations to the structure of the law itself and various definitions. The Government is also studying potential reforms to the Privacy Act, which governs the personal information handling practices of federal institutions, and plans to engage expert stakeholders to ask for their views and feedback on technical and legal considerations.

Open Banking Consultations

7.3 In 2018, the Government announced it would undertake a review of open banking and appointed an Advisory Committee on Open BankingFootnote 34. A public consultation paper was released in January 2019, and roundtable consultations were held to engage Canadians. Based on its findings, the Advisory Committee will deliver a report assessing the merits of open banking for Canada, with a strong focus on protecting consumer privacy, ensuring the security of financial transactions and maintaining the stability of the financial sector.

Artificial Intelligence

7.4 On March 4, 2019, the Government launched the Directive on Automated Decision-MakingFootnote 35. The Directive took effect on April 1, 2019 and applies to any automated decision system developed or procured after April 1, 2019. The Directive requires federal government departments to be transparent and accountable in their use of artificial intelligence. Appendix B of the Directive requires institutions to assess the impact of the decision on individual's rights, well-being, and economic interests, as well as sustainability of the ecosystem. If there is a high or very high impact, Appendix C requires mitigation measures such as human intervention during both the decision-making process and the final decision. Full departmental compliance is required by April 2020.

7.5 On May 14, 2019, Minister Bains announced the launch of the Advisory Council on Artificial Intelligence. The Council, which includes experts from industry and academia, will advise the Government on how to identify opportunities to create economic growth while ensuring that advancements in artificial intelligence reflect Canadian values such as promoting a human-centric approach to AI, grounded in human rights, transparency and openness. Specifically, the council will establish a working group on commercializing value from Canadian-owned artificial intelligence (AI) and data analytics, building on the work started by the Digital Industries Economic Strategy Table. It will also provide advice on how best to advance the goals laid out in the Canada-France Statement on Artificial Intelligence and will support Canada's participation in various international engagements such as the G7, the G20, the OECD and the World Economic Forum.

International Panel on Artificial Intelligence

7.6 Canada and France continue to work with the international community to create the International Panel on Artificial Intelligence (IPAI) to support and guide the responsible development of artificial intelligence that is grounded in human rights, inclusion, diversity, innovation, and economic growth. The Panel will bring together global AI experts acting as a global reference point on AI, fostering international collaboration and coordination on AI policy development. Expressions of interest on the IPAI have been received from Germany, Italy, India, Japan, the United Kingdom, New Zealand and the European Union.

7.7 On May 16, 2019, Minister Bains, together with Cédric O, France's Secretary of State for Digital Affairs, made public the Declaration of the International Panel on Artificial IntelligenceFootnote 36 and announced further details on the organizational structure of the Panel. The Declaration states that participants in the Panel will commit to a set of shared values on the development, use and adoption of AI.

7.8 The Panel will be formally launched later this year at the Biarritz Summit and will include a steering committee, and working groups, each focused on an identified topic related to AI, such as its technological development or impacts. The Panel will also convene an annual conference of international AI experts, called the Multistakeholder Experts Group Plenary.

Standards Council of Canada

7.9 In 2018, the Standards Council of Canada (SSC) established a national forum to help Canadian organizations better understand the GDPR. The Canadian Advisory Committee on the General Data Protection Regulation (CAC-GDPR) has a mandate to share relevant information and recommendations, and promote Canadian participation in standardization activities with respect to the GDPR. The Committee also serves as a forum to develop and relay consensus positions to influence the development of national, regional and international standards and conformity assessment schemes related to the GDPR, as well as data protection and privacy in general. The Advisory Committee was recently featured on the Standards Council of Canada website under its Flagship Programs.Footnote 37

7.10 In March 2019, the SCC held an initial meeting with subject matter experts from government and industry to assist in planning for the Canadian Data Governance Standardization Collaborative. This network will identify priority areas within data governance that could benefit from standardization, and over the coming year, deliver a comprehensive roadmap of standards that will benefit Canadian organizations and citizens.

International Engagement

7.11 Canada's free trade agreements (FTAs), including the Canada-European Union Comprehensive Economic and Trade Agreement (CETA), Canada-United States-Mexico Agreement (CUSMA), and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), include commitments that directly or indirectly relate to a Party's privacy law. For example, the CUSMA includes provisions whereby each Party will maintain a legal framework that provides for the protection of personal information (Article 19.8 and Article 32.8) and allows a natural person in its territory to obtain access to records held by the central level of government (Article 32.9). Furthermore, provisions within the CUSMA on the cross-border transfer of information by electronic means (Article 19.11) and location of computing facilities (Article 19.12) would apply to measures placed on commercial organisations when they transfer or process and store information, which may include personal information, while ensuring that legitimate privacy and security rights are protected. These provisions are consistent with Canadian access to information and privacy laws, including the Access to Information Act, the Privacy Act and the Personal Information Protection and Electronic Documents Act.

7.12 Canada continues to participate in international fora such as the Organisation for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) that are actively engaged in initiatives aimed at improving and expanding the global interoperability of privacy frameworks. Canada is actively contributing to the review of the OECD Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal DataFootnote 38, and is a member of the OECD Privacy Expert Group, established to provide advice on the review of its implementation. With respect to APEC, Canada is a member of the Data Privacy Sub-Group that is updating the Cross-Border Privacy Rules (CBPR) System to reflect the updated APEC Privacy Framework (2015)Footnote 39. In addition, Canada is participating in APEC/EU discussions aimed at updating the 2014 Referential on Personal Data Protection and Privacy Requirements of BCR and CBPRFootnote 40 and exploring the concept of certification as it relates to the GDPR and the CBPR.

8.0 Contact Information

8.1 Further information about any aspect of this report may be requested from Charles Taillefer, Director, Privacy and Data Protection Policy Directorate, Marketplace Framework Policy Branch, Innovation, Science and Economic Development Canada at 235 Queen Street, Ottawa, Ontario, Canada K1A 0H5.

8.2 It is intended that future reports will be provided at regular intervals, approximately every six months.

jkjk
Date modified: