Ministerial Mandate Letter Issued for Privacy Law Reform in Canada

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada

Prime Minister Trudeau has sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, containing a number of mandates with respect to data privacy.

The Mandate Letter states that Minister Bains is expected to work with the Minister of Justice, Attorney General of Canada and the Minister of Canadian Heritage to advance Canada’s Digital Charter and enhance powers for the Privacy Commissioner, in order to establish a new set of online rights, including:

  • data portability;
  • the ability to withdraw, remove and erase basic personal data from a platform;
  • the knowledge of how personal data is being used, including with a national advertising registry, and the ability to withdraw consent for the sharing or sale of data;
  • the ability to review and challenge the amount of personal data that a company or government has collected;
  • proactive data security requirements;
  • the ability to be informed when personal data is breached, with appropriate compensation; and,
  • the ability to be free from online discrimination including bias and harassment.

Additionally, the Mandate Letter calls for the creation of new regulations for large digital companies to better protect personal data and encourage greater competition in the digital marketplace. It also suggests that a newly created Data Commissioner would oversee those regulations.

A few questions

The Mandate Letter raises a number of points of interest and questions. Here are a few of the main ones that come to my mind:

  • Not exactly clear how this new role of Data Commissioner would intersect / interact with the existing Privacy Commissioner
  • Enhanced powers - particularly enforcement powers - for the Federal Privacy Commissioner are likely
  • Data portability and data deletion are on the table notwithstanding difficulties regulating in practice under GDPR
  • Breach notification is already a requirement under PIPEDA; this may seek to apply it to the Privacy Act as well
  • Reference to 'proactive' security safeguards is puzzling given the existing requirement of 'appropriate' safeguards; suggests businesses will have to go further on security
  • Reference to withdrawal of consent for disclosure / sale of data signals alignment with the California Consumer Privacy Act (CCPA), but individuals already have the right to withdraw consent under PIPEDA for disclosures of information

Privacy pros in Canada will want to follow these developments closely this year. As I mentioned in my previous post, there is some urgency for Canada to update its privacy laws if it wants to maintain its adequacy standing with the EU for international data transfers.