Closing the critical gaps to protect personal information

President and CEO of the IIAC says proposed legislation offers important guidepost in harmonizing rules across country

Despite the intensive public policy focus during the long-standing COVID-19 pandemic, the federal government has persevered to release proposed legislation to update and modernize Canada’s privacy laws and increase Canadians’ control over their data and personal information.

The proposed legislation builds on earlier legislative proposals and will replace the outdated long-serving Personal Information Protection and Electronic Documents Act (PIPEDA). Rapid advances of digitalization, automated or algorithmic decision-making, and recent testimony before the U.S. Congress on the misuse of personal information on the internet suggest much higher standards of regulation of personal information are long overdue.

The European Union law on data protection and privacy, the GDPR (General Data Protection Regulation), has become the path-breaking template for protecting personal information in many foreign jurisdictions. The Canada-EU Comprehensive Economic Trade Agreement (CETA) necessitates GDPR compliance (adequacy) for many Canadian businesses that offer goods or services to individuals in the EU.

The Investment Industry Association of Canada (IIAC), representing 115 Canadian investment dealers, has been a strong advocate for renewal of the laws protecting privacy and personal information. Firms in our industry collectively administer 14 million client accounts holding extensive personal data and information and, therefore, support comprehensive privacy legislation that imposes uniform, transparent and high standards of protection for personal financial information across the country.

Close federal-provincial/territorial coordination is important to ensure the framework is streamlined and simplified to reduce the regulatory burden, minimize confusion and uncertainty, and ensure effective enforcement of standards.

The draft privacy legislation requires valid consent from individuals to collect, use and disclose their personal information, with narrow exemptions, but the validity of the consent is now based upon information being provided in “plain language”, and consent has to be expressly obtained. It removes the burden of having to obtain consent when that consent does not provide any meaningful privacy protection. An organization is accountable for personal information that is “under its control”. As previewed earlier, the new legislation grants individuals rights, including the right to access and amend their information, the right to dispose of their information, the right to transfer personal information among organizations, and the right to be informed of how predictions, recommendations or decisions are made by an automated decision-making system.

The core obligation of the investment dealer firms under the proposed legislation is to implement a “privacy management program” that includes policies, practices and procedures respecting the protection of personal information; how inquiries and complaints are received and dealt with; the training and information provided to staff; and the development of materials to explain firms’ policies and procedures to fulfil their obligations. We anticipate the eventual regulations will be principles-based to enable broad applicability across the corporate sector.

Firms will be required to develop policies and procedures consistent with the sensitivity and volume of personal information under their control. Further, these policies and procedures will be subject to review and approval by the Office of the Privacy Commissioner and will be monitored against the approved compliance standard. The new legislation imposes substantial penalties for non-compliance under broader “order-making power” of the Privacy Commissioner, with the Commissioner and new Personal Information and Data Protection Tribunal to impose fines and penalties.

For the most cost-efficient regulatory outcome, investment dealers in the financial sector could request to operate under an approved certification program that includes “a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under the Act”. The dealers would elect the recognized self-regulatory organization, the Investment Industry Regulatory Organization of Canada (IIROC), which already regulates the business activities of the dealers and has the resources to do so, as the integral part of the certification program. IIROC, in conjunction with member firms, would develop the codes of practice and, given its regulatory infrastructure, provide compliance oversight of the privacy management program and other practices.

The proposed legislation promises effective protection for personal information, an important guidepost for harmonized rules in the provincial/territorial statutes, and the features of a flexible and efficient regulatory structure. We are hopeful that, as the coming discussions unfold, this potential will be realized.

Ian Russell is President and CEO of the Investment Industry Association of Canada.