8 May 2022

OPC releases key recommendations regarding federal private sector privacy law overhaul

The Office of the Privacy Commissioner of Canada (“OPC”) recently published several recommendations for a new federal private-sector privacy law that will replace the current Personal Information Protection and Electronic Documents Act (“PIPEDA”). The government has indicated that it intends to introduce a new bill this year and the OPC’s submissions suggest that deliberations on the new bill are underway. This is the federal government’s second attempt at replacing PIPEDA with a modern regulatory framework that will bring Canada more in line with regulatory regimes in Europe and California. The first attempt was Bill C-11, the Digital Charter Implementation Act, 2020, which died on the order paper when the federal election was called in August 2021. For more information on Bill C-11, please see our prior article on the subject.

The recently published recommendations reiterate the essence of the OPC’s submission on Bill C-11 in May 2021. In that submission, the OPC described Bill C-11 as “a step back” for privacy protection and proposed 30 recommendations to ensure that the new law would provide stronger privacy protection for Canadians while enabling greater flexibility for businesses. These new recommendations re-emphasize the OPC’s aim to develop a new federal private-sector privacy law that “would enable responsible digital innovation within a legal framework that recognizes privacy as a fundamental human right.”

The OPC’s recommendations are grouped into the following key themes:

  • Enabling responsible innovation: Key recommendations here include introducing a legitimate commercial interests exception to consent — which would be a leap towards bringing Canadian privacy law more in line with the GDPR — as well as clarifying the use of de-identified information by businesses and revising the socially beneficial purposes clause.
  • Adopting a rights-based framework: The OPC argues for the legislation to recognize both the fundamental right of privacy and the legitimate need of organizations to process information for appropriate purposes by enshrining certain individual and processor rights. This would mark a shift away from PIPEDA’s entirely consent-based model. We expect this shift would introduce a variety of new individual privacy rights, including rights of data portability, rights to contest automated decisions, rights to request deletion of personal information, rights to de-indexing, and disclosure rights regarding automated decision making processes.
  • Increasing corporate accountability: The OPC suggests prescribing an objective standard for accountability, privacy by design and the obligation to undertake privacy impact assessments for high-risk activities. The OPC also recommends that the OPC itself have additional powers, including the authority to perform proactive audits to ensure compliance. Another key recommendation is to limit the purposes for which personal information may be collected to only purposes that are “specific, explicit and legitimate”.
  • Adopting quick and effective remedies: Under PIPEDA, only certain narrow violations are subject to monetary penalties. The OPC recommends making all violations subject to administrative penalties while broadening the list of factors to consider before penalties are imposed, in order to enhance transparency. The OPC also recommends adopting the UK enforcement notice scheme, strengthening the compliance agreement scheme, and rewriting the criminal prosecution scheme “so that sanctions are actually possible”. One of the key changes proposed in Bill C-11 was the creation of a new privacy tribunal that would hear appeals from OPC decisions. The OPC again argues that such a tribunal is unnecessary and would incentivize organizations to “play things out” if there is an investigation, rather than seek a negotiated settlement with the OPC, thus increasing costs and delaying enforcement. The OPC also calls for an expanded private right of action to be included, to ensure that consumers are not left without remedy.
  • Giving the OPC tools to adopt a risk-based approach while being transparent: The OPC also requests new tools and wider discretion to investigate compliance, including enabling the OPC to adopt procedural rules for approving codes of practice as well as granting the OPC a degree of cost recovery.

In general, the OPC’s recommendations aim to enhance the protection of privacy rights in Canada and ensure that Canada’s federal privacy regulatory regime does not fall behind other jurisdictions, both internationally and at a provincial level in Canada.

Please watch this space for a more detailed analysis of the OPC’s recommendations, which will be discussed in a future article. For details regarding Québec’s recent amendments to its provincial private sector privacy law, please see our article on the topic here.

 

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.
