Canada’s private sector privacy law is more than 25 years old and there is broad consensus that a modernization is long overdue. Bill C-36, tabled on Monday, is the government’s third attempt at updating the law, following the failed efforts with Bill C-11 in 2020 and Bill C-27 in 2022. My first post on the new bill focused on what I think remains both the most important development and the biggest mistake: the decision to push the Privacy Commissioner of Canada out of private-sector privacy and to place the file with an overloaded digital safety commission. For years, privacy critics have argued that, given the absence of order-making powers or serious penalties, Canada’s biggest shortcoming has been weak enforcement. Yet just as the government adds much-needed new rights and penalties to the privacy law framework, it undermines enforcement once again by introducing a new regulator that will take years to establish. The consequence is that, rather than updating the law for 2027, it is updating it for 2030 or later.
Canada’s Digital Super-Regulator: Bill C-36 Pushes Out the Privacy Commissioner and Hands Private Sector Privacy to an Overloaded Commission
In the last act of an incredibly intense digital policy stretch, the government today tabled new private sector privacy legislation in the form of Bill C-36, the Protecting Privacy and Consumer Data Act. It is a big bill, and my initial take will be divided into two: this post will focus on the seismic shift the bill creates for privacy administration and enforcement, and a second post (hopefully tomorrow) will discuss the substantive changes and additions. I start with the enforcement side because the most consequential feature of C-36 is the question of who will administer the rules. The bill firmly cements the Digital Safety Commission as a new digital super-regulator in Canada, stripping the Privacy Commissioner of authority over private sector privacy law and handing it instead to the same five-member commission the government created a few days ago to police online harms. I believe the approach is unprecedented among peer countries and will have negative repercussions for Canada’s standing in the privacy world. Indeed, removing an Agent of Parliament from private-sector privacy enforcement after decades isn’t something you tuck into a lengthy bill, but rather requires extended public consultation and analysis on how best to ensure Canada has effective privacy enforcement. This is a stunning abrogation of good policy development and a poorly conceived vision of the breadth and importance of privacy.
Privacy as a Fundamental Right? The Government’s Terrible Privacy Track Record Suggests Virtue Signalling Over a Genuine Commitment
The government is set to introduce its long-promised privacy reform legislation early this week, with the recognition of a fundamental right to privacy expected to serve as a foundational element of the bill. Establishing privacy as a fundamental right would be a welcome and long-overdue development, one that many have called for and that was set to be added to Bill C-27, the prior attempt at privacy reform. Yet the framing is difficult to square with the government’s actual record on privacy, which over the past year has involved a steady stream of privacy-invasive measures that leave the fundamental rights rhetoric feeling more like virtue signalling than a genuine commitment. Simply put, the government cannot credibly claim to treat privacy as a fundamental right while actively undermining that right through a series of other bills and efforts to sideline the Privacy Commissioner of Canada.
The Law Bytes Podcast, Episode 200: Colin Bennett on the EU’s Surprising Adequacy Finding on Canadian Privacy Law
A little over five years ago, I launched the Law Bytes podcast with an episode featuring Elizabeth Denham, then the UK’s Information and Privacy Commissioner, who provided her perspective on Canadian privacy law. I must admit that I didn’t know what the future would hold for the podcast, but I certainly did not envision reaching 200 episodes. I think it’s been a fun, entertaining, and educational ride. I’m grateful to the incredible array of guests, to Gerardo Lebron Laboy, who has been there to help produce every episode, and to the listeners who regularly provide great feedback.
The podcast this week goes back to where it started with a look at Canadian privacy through the eyes of Europe. It flew under the radar screen for many, but earlier this year the EU concluded that Canada’s privacy law still provides an adequate level of protection for personal information. The decision comes as a bit of a surprise to many given that Bill C-27 is currently at clause-by-clause review and there have been years of criticism that the law is outdated. To help understand the importance of the EU adequacy finding and its application to Canada, Colin Bennett, one of the world’s leading authorities on privacy and privacy governance, joins the podcast.
The Law Bytes Podcast, Episode 168: Privacy Commissioner of Canada Philippe Dufresne on How to Fix Bill C-27
It has taken many months, but Bill C-27, the government’s long overdue effort at privacy reform, finally is headed to committee for review. Philippe Dufresne, the Privacy Commissioner of Canada, has been patiently waiting for this moment, armed with a comprehensive review of the bill and a wide range of recommendations for amendments that include a more explicit framing of privacy as a fundamental right.
Dufresne was appointed as Canada’s privacy commissioner nearly one year ago and in the months since has made numerous committee appearances, issued high-profile findings involving companies such as Home Depot, battled Internet companies in the courts, and worked on the privacy implications of AI. He joins the Law Bytes podcast to reflect back on his first year in the position and to outline his proposals to strengthen Canada’s best shot at a modernized privacy law.











