Modernizing Canada’s Privacy Act: What We Heard Report

Justice Canada’s Preliminary Technical Engagement on Privacy Act Modernization

Summer and Fall 2019

Key Opportunities and Challenges Going Forward

Allowing Innovative, but Responsible, Uses of Personal Information for Public Good

According to many stakeholders, a modern Privacy Act will need to incorporate principles and requirements that protect individual privacy, while also allowing for reasonable and responsible uses of personal information for public benefit. One issue the Government will need to further consider is the appropriate accountability, transparency and oversight framework for such greater flexibility in the use and sharing of personal information.

Interoperability With Other Regimes

The Act cannot be modernized in a vacuum. In a world of increasingly important and valuable data flows, modern data protection laws should aim to ensure a certain measure of interoperability with other regimes, whether domestically or internationally. Some were of the view that the Privacy Act should be interoperable with not only PIPEDA, but with other Canadian provincial privacy regimes and other international examples such as the GDPR. As the Privacy Act modernization initiative progresses, the Government will need to consider how to reflect internationally recognized data protection principles in the Act, and look to approaches in other countries, provinces and territories, and other specific pieces of legislation like PIPEDA and the GDPR.

What Should be Legislated, and What Should be Left to Policy

While the Privacy Act is a fundamental source of legal obligations for federal institutions, other legal and policy instruments can help provide a measure of flexibility in the methods institutions choose to meet their privacy obligations. Given their more flexible nature, there may be a role for regulations, or Government-wide policy and directives, to address specific mechanisms or standards institutions should be considering in order to meet their privacy obligations.

Addressing Fears of Hacking, Privacy Breaches and Misuse of Personal Information

Many respondents were supportive of including requirements to safeguard personal information and to report privacy breaches in certain contexts. Others, such as the OPC, mentioned adding offences to the Act to address deliberate misuse of personal information, or attempts at re-identifying personal information without due cause.

Ensuring the Perspectives of Indigenous Peoples are Taken into Account

This targeted engagement was a starting point in understanding the perspectives of Indigenous Peoples that will need to be considered in modernizing the Privacy Act. As many changes to the Act may have a unique impact on Indigenous Peoples, the Government will be seeking further engagement opportunities with Indigenous groups.