Several years after passing into law, the Canadian government has finally set an effective date for long-overdue data breach disclosure rules. The requirements were included in the Digital Privacy Act that was passed in 2015, but the accompanying regulations literally took years to finalize. Earlier this year, I argued that the failure to expedite security breach disclosure rules was an embarrassing failure for successive Conservative and Liberal governments, placing the personal information of millions of Canadians at risk and effectively giving a free pass to companies that do not adequately safeguard their customers’ information.
Post Tagged with: "pipeda"
No Longer Fit for Purpose: Why Canadian Privacy Law Needs an Update
Canada’s private sector privacy law was first introduced 20 years ago, coinciding with the founding of Google and predating Facebook, the iPhone, and the myriad of smart devices that millions of Canadians now have in their homes. Two decades is a long time in the world of technology and privacy and it shows. There has been modest tinkering with the Canadian rules over the years, but my Globe and Mail opinion piece notes the law is struggling to remain relevant in a digital age when our personal information becomes increasingly valuable and our consent models are little more than a legal fiction.
The House of Commons Standing Committee on Access to Information, Ethics and Privacy last week released the results of a comprehensive study into Canadian privacy law. The report, which features 19 recommendations, provides Innovation, Science and Economic Development Minister Navdeep Bains with a road map for future reforms (I appeared before the committee as one of 68 witnesses from across the policy spectrum).
Why the Canadian Privacy Commissioner’s Proposed Right to be Forgotten Creates More Problems Than it Solves
The right to be forgotten, which opens the door to public requests for the removal of search results that are “inadequate, irrelevant or no longer relevant”, has been among the world’s most controversial privacy issues since it was first established in Europe in 2014. My Globe and Mail op-ed notes that the new right responds to concerns with potential reputational harms from inaccurate or misleading information online, but faces the challenge of balancing privacy protections with the benefits of the Internet for access to information and freedom of expression.
The Privacy Commissioner of Canada waded into the debate on Friday with a new draft report concluding that Canadian privacy law can be interpreted to include a right to de-index search results with respect to a person’s name that are inaccurate, incomplete, or outdated. The report, which arises from a 2016 consultation on online reputation, sets the stage for potential de-indexing requests in Canada and complaints to the Privacy Commissioner should search engines refuse to comply.
Bell’s Latest Privacy Solution: Enhance Internet Privacy By Blocking Access to It
The Canadaland report on Bell’s plans to apply to the CRTC to create a website blocking agency unsurprisingly sparked immediate widespread concern. I provided further detail on the proposal, noting the danger of establishing a blocking system without court review of the block list and the very weak case Bell makes to justify it. A critical aspect of the Bell proposal is that it must convince the CRTC that website blocking would further Canada’s telecommunications policy objectives. Given that the CRTC has already ruled that the law prohibits blocking without its approval, that is a difficult standard to meet. I argue that the three justifications raised by Bell – that piracy “threatens the social and economic fabric of Canada”, that the telecommunications system should “encourage compliance with Canadian laws” and that website blocking “will significantly contribute toward the protection of the privacy of Canadian Internet users” – is very weak.
In fact, the privacy argument is not only weak, it is incredibly hypocritical. Bell is arguably the worst major Canadian telecom company on user privacy and its attempt to justify website blocking on the grounds that it wants to protect privacy is shameful. There are obviously far better ways of protecting user privacy from risks on the Internet than blocking access to sites that might create those risks. Further, with literally millions of sites that pose some privacy risk, few would argue that the solution lies in blocking all of them.
Into the Breach: How Canada’s Security Breach Disclosure Regulations Fall Short
With security breaches regularly affecting millions (or even billions) of people, effective security breach disclosure rules are an essential part of a modern privacy law framework. It may surprise many to learn that Canada still does not have mandatory security breach disclosure rules that require companies to notify affected individuals in effect. Rules were passed in 2015, but the accompanying regulations were puzzlingly slow to emerge. The government finally released proposed regulations late in the summer with a consultation that closed earlier this week. My submission, which focused on implementation, content of notices, and proposed “indirect” notification, is posted below.
Recent Posts
The Law Bytes Podcast, Episode 231: Sara Bannerman on How Canadian Political Parties Maximize Voter Data Collection and Minimize Privacy Safeguards 
The Law Bytes Podcast, Episode 230: Aengus Bridgman on the 2025 Federal Election, Social Media Platforms, and Misinformation 
The Law Bytes Podcast, Episode 229: My Digital Access Day Keynote – Assessing the Canadian Digital Policy Record 
Queen’s University Trustees Reject Divestment Efforts Emphasizing the Importance of Institutional Neutrality 
The Law Bytes Podcast, Episode 228: Kumanan Wilson on Why Canadian Health Data Requires Stronger Privacy Protection in the Trump Era
