Canadian Privacy Law Reform and the GDPR: Keeping up with the Johans*

//by Else Khoury//

Since the introduction of the GDPR in 2018, countries around the world have scrambled to update their privacy laws. The obvious reason for doing so is to ensure that their own privacy laws are equivalent to the strict provisions of the GDPR, but a second reason may be less obvious to an outside observer. For several years, Canadians have expressed their concerns about their personal privacy vis a vis an annual survey by the Privacy Commissioner of Canada This survey is a good indicator of how Canadian’s view their own personal privacy, the role of governments and business in relation to privacy rights, and more. In the last survey, conducted in 2020, two-thirds of Canadians indicated that they have a good or very good understanding of their privacy rights, and over half indicated that they have a good or very good understanding of how to protect their privacy rights. Significantly, almost half of Canadians surveyed acknowledged that they do not understand how new technologies might affect their personal privacy, more than half felt that they do not have enough information about how their personal information is handled by business and government.

It is perhaps inevitable that the introduction of the GDPR, and the pivotal privacy events which preceded it (unprecedented data breaches, the Snowden revelations) would lead to broader public interest in the protection of personal privacy. In Canada, that interest has resulted in amendments to privacy law at various levels of government, in both the public and private sector. Canada’s privacy landscape is divided and complex: there is a federal Privacy Act which applies to federal public sector organizations, while the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector organizations. In some cases, provincial private sector privacy legislation, like those in Alberta, British Colombia and Quebec, supersede PIPEDA. Additionally, every province/territory has some manner of freedom of information and privacy legislation, which usually apply to provincial and municipal levels of government. Finally, several provinces have health information privacy act, which apply most often to institutions that collect, use and disclose personal health information.

What we have seen over the past few years since the introduction of the GDPR is an attempt to refresh the existing Canadian privacy law framework. Most of the legislation listed above was enacted in the 1980s and 1990s, well before privacy hot button issues like biometrics, surveillance, and the prevalence of social media became a part of our lives. Significant changes to PIPEDA occurred in 2018 and included the mandatory reporting of data breaches to the Office of the Privacy Commissioner of Canada – and the individual(s) affected – if certain risk thresholds were met. Additionally, organizations that fall under the purview of PIPEDA must ensure that security breaches are properly documented. Since the introduction of these amendments, the Privacy Commissioner has evaluated compliance in an annual report (, with mixed results. However, it is important to note that the OPC is technically an Ombudsman and as a result may not issue fines or make orders (a power which provincial Information and Privacy Commissioners do have). The result being that the position is a kind of paper tiger, unable to impose any serious consequences for those who violate compliance. More recently, attempts have been made to strengthen federal private sector privacy law in the form of Bill C-11, or the Digital Charter Implementation Act, which has since been retracted. It is unlikely that this will be the end of the road for PIPEDA reform: many in the Canadian privacy community expect that a different version of C-11 will be presented in the coming year, and will likely include significant penalties for transgressions, a la GDPR.

Meanwhile, in other areas of the country, privacy reform has been slow but steady. In 2021, Quebec passed Bill 64, legislation that includes GDPR- inspired penalties for non-compliance of up to 8% of annual worldwide turnover for repeat offenders. Bill 64 also includes breach notification requirements similar to those introduced for PIPEDA in 2018, and a consent framework that in some ways mirrors that of the GDPR: consent should be “clear, free, and informed and […] given for specific purposes,”, wording that is reminiscent of the GDPR’s description of consent. Coming into force in 2022, Bill 64 in many ways represents a higher standard for privacy in Canada than PIPEDA.

Ontario is Canada’s most populous province and the hub of most commercial and financial activity. No surprise then, that the spirit of reform which led to PIPEDA amendments have trickled down to the provincial level. Focused on commercial activities, the Ontario governments’ white paper entitled: Modernizing Privacy in Ontario was released in 2021 and focuses on enhancing the public’s trust in Ontario’s digital economy. Changes would enhance current privacy provisions in various legislation, with a focus on the following principles:

  • A rights-based approach to privacy

  • The safe use of automated decision making

  • Enhanced consent and lawful uses of personal data

  • Data transparency for Ontario residents

  • Protections for children and youth

  • A fair, proportionate and supportive regulatory regime, and

  • Support for Ontario innovators

Finally, recent changes to British Colombia’s Freedom of Information and Protection of Privacy Act (FOIPPA) represent significant steps to move this law into the 21st century, including:

  • Potential for the disclosure of personal information outside Canada (previously prohibited)

  • Requiring public bodies to have a privacy management program

  • Mandatory privacy breach reporting

  • Requirements for conducting Privacy Impact Assessments

While the privacy framework in Canada is in many cases grossly outdated and not reflective of modern privacy concerns, the fractured nature of privacy laws in Canada along the public/private sector and federal/provincial lines makes meaningful reform challenging. Factoring in the 4-year election cycle and the competing priorities of various political parties, it’s no surprise that change to privacy reform has been slow. But the GDPR has set a new standard in privacy standards, and Canadians have spoken: our privacy is not for sale.

*“Keeping up with the Johans” is a play on the idiom “Keeping Up With The Joneses”, which refers to the practice of comparing oneself to one´s neighbours (i.e. The metaphorical Jones family)

Else Khoury, Privacy Officer, City Of Hamilton Public Health. Privacy Consultant, Author, Instructor.