Canada’s national DPA to step up enforcement
Privacy Commissioner of Canada, Daniel Therrien, is recommending legislative amendments to provide for order-making powers and the ability to impose administrative monetary penalties in line with some of Canada’s provinces and many other jurisdictions.
The Commissioner said that his office will not wait for legislative changes but will begin to act immediately to improve privacy protections for Canadians. These steps include:
- Shifting towards a proactive enforcement and compliance model, rather than a complaints-based ombudsman model of privacy protection because the Office of the Privacy Commissioner may be better placed than individuals to identify privacy problems related to complex new technologies;
- Updating key guidance on online consent to specify four key elements that must be highlighted in privacy notices and explained in a user-friendly way;
- Developing new guidance which would specify areas where collection, use and disclosure of personal information is prohibited, for example, situations that are known or likely to cause significant harm to the individual.
Commissioner Therrien said that Canadians do not feel protected by a law that has no teeth and businesses held to no more than non-binding recommendations. He declared that he will initiate investigations ‘focused on chronic or sector-specific problems’, and use the new proactive enforcement model to require organizations to demonstrate their accountability.
Accountability is a key concept in the EU General Data Protection Regulation. Canada currently benefits from an EU adequacy decision for international transfers, but all existing adequacy decisions will be under review.