The Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted in April 2000. Since then, there have been significant changes in global data protection and technological advancements, necessitating amendments to Canadian federal legislation.
The Digital Charter Implementation Act, 2022 (also known as Bill C-27) is the proposed update to PIPEDA. It is currently under consideration in the Senate. If enacted, the new law will require organisations to prepare for stricter regulations and increased enforcement.
Here, we talk to Ray Pathak, a former Privacy Officer with over 15 years of Canadian privacy experience and MD of The DPO Centre Canada. He sheds light on some of the current challenges faced by Canadian organisations, keeping in mind the potential law changes and the evolving role of privacy professionals.
I’ve been in the privacy space for almost 20 years. From 2005-2015, I was a Privacy Officer, leading a wide variety of privacy programs. For the last 8 years, I have been leading and developing privacy solutions in the Privacy Tech sector.
I’m privileged to now lead The DPO Centre’s Canadian office, where I work with organisations to help guide them through the increasing complexities of local and international privacy regulations.
With so many evolving global privacy laws, organisations operating across multiple jurisdictions face ongoing challenges to keep up with the changes.
Canadian organisations must adapt to new legislation such as Quebec’s Law 25 and the potential federal changes, as and when Bill C-27 passes.
In addition, emerging technologies like AI have introduced new privacy challenges, including the risk of breach threats with sophisticated attacks and an increase in state-sponsored attacks.
Law 25 is being implemented in stages.
Stage 1 came into effect on September 22, 2022, and covered the mandatory designation of a Privacy Officer and Privacy Impact Assessments (PIAs).
Stage 2 came into effect on September 22, 2023, focusing on Accountability, Consent, Transparency, Individual Rights, and other key principles of privacy management.
Stage 3 will come into effect on September 22, 2024, and deals with data portability rights.
Businesses should complete a gap assessment of their current programs and adapt their policies, procedures, and data handling practices to ensure they comply with the stricter obligations under Law 25. Key areas to address will be Consent, PIAs, and cross-border transfers.
With changes already in place in Quebec, and proposed changes to the Federal privacy law, I think it will only be a matter of time before the Alberta and British Columbia provincial laws are amended.
Also, the province of Ontario has been talking about introducing their own privacy legislation for some time, and I believe the introduction of this is inevitable in the next two to five years.
There is currently no single comprehensive law that deals specifically with AI in Canada.
The Artificial Intelligence and Data Act (AIDA) was introduced in June 2022 as part of Bill C-27, which advocates a risk-based approach to AI systems.
There are other sector laws that touch on AI within their domains, such as healthcare and finance, and PIPEDA can be applied to cover AI systems that collect, use, or disclose personal information. However, none of these laws are tailored to AI, and they fail to address the unique privacy challenges that come with these technologies.
PIPEDA is the overarching privacy law for private sector companies that collect, use, or disclose personal information in Canada.
However, when processing data in a province with its own privacy law, such as Alberta, British Columbia, or Quebec, the provincial law applies over the federal PIPEDA law.
Most organisations operate across multiple provinces and may need to comply with up to four privacy laws – three provincial laws and the federal regulation.
The good news is that provincial privacy laws have to be substantially similar to the federal privacy law, which ensures a certain amount of consistency for compliance. There are still some significant differences, though, such as employee privacy, which is covered under provincial privacy laws for most private organisations, but not under the current federal PIPEDA law.
The limited number of knowledgeable privacy professionals is a big challenge for organisations, especially if they only require part-time support. This can often lead to privacy being managed reactively, and as a secondary priority, by someone fulfilling another role within the company.
That’s one of the key reasons why I joined The DPO Centre. We have an incredible pool of talent and a commitment to excellence. We’ve worked with over 900 organisations globally since 2017, and we can offer unparalleled support to organisations, providing in-depth privacy knowledge and expertise.
The biggest misconception is that you can “complete” your privacy program, tick the box, and be done with it.
However, if an organisation processes and stores personal data, there is a continual need for ongoing data management. It is one thing to adhere to a set of policies and another to truly safeguard data and ensure practices and processes are monitored and optimised.
Organisations with strong privacy governance and embedded privacy by design practices are better equipped to mitigate risks and build customer trust, loyalty and engagement.
Our Canadian team offers the same full-service privacy support that our clients receive from the UK and EU offices, with the appropriate changes to accommodate Canadian privacy standards.
Canadian Data Privacy Officers are available to assess, remediate, and operate your privacy program on an ongoing ‘fractional’ basis, provide ad hoc consulting support as required, and complete mandatory documentation such as Privacy Impact Assessments (PIAs).
We also provide EU and UK GDPR representation for Canadian companies operating in the European Economic Area (EEA) and/or the UK. A GDPR Representative is a requirement for organisations that process the personal data of EEA or UK individuals but do not have a physical office in those jurisdictions.
Many Canadian businesses are aiming for international growth, and privacy can be a significant roadblock as they expand.
The DPO Centre has one of the largest teams of privacy experts available. Our DPOs are highly experienced privacy professionals, each with specialist industry sector knowledge and a deep understanding of global privacy laws.
Therefore, we help organisations ensure that privacy isn’t a barrier as they grow globally.
I think we’ll see a continuing shift towards regarding privacy, not merely as a legal obligation but also as a key aspect of customer service and relationship management.
We already work with organisations that understand privacy compliance is only a baseline requirement, especially in business-to-business industries. They recognize the potential for accelerated growth by leveraging excellent privacy practices that build trust, loyalty and engagement with their customers. It is therefore a crucial differentiator, helping them stand out from their competitors.
As Canada’s privacy regulations evolve, our commitment to delivering top-tier privacy services continues, supporting and empowering organisations to navigate complex legislation with confidence and integrity.
If you would like to discuss how our outsourced privacy services can help support your organisation’s North American privacy governance, please contact The DPO Centre Canada team.
For any EU and UK data protection advice and support, please see our range of services, providing expertise to your organisation, wherever you are based.