Canada

Senior management and organisation

Please identify the authority’s senior management.

  • Daniel Therrien, commissioner;
  • Brent Homan, deputy commissioner (compliance);
  • Greg Smolynec, deputy commissioner (policy and promotion); and
  • Daniel Nadeau, deputy commissioner (corporate management).

For more on the organisational structure, see: www.priv.gc.ca/en/about-the-opc/who-we-are/organizational-structure/. Contact information for the OPC can be found at www.priv.gc.ca/en/contact-the-opc/.

When was the head of the authority appointed?

5 June 2014.

How long is their term of office?

Seven years.

What is the process for nominating the head of the authority?

The privacy commissioner of Canada is an agent of Parliament who is independent of the government and reports directly to Parliament. The commissioner is appointed by the governor in council after consultation with the leader of every recognised party in the Senate and House of Commons. Further information can be found at https://appointments.gc.ca/prflOrg.asp?OrgID=OPC&lang=eng.

What was the authority’s budget for the most recently-available financial year?

Our current budget is approximately C$24 million a year.

How many data protection/privacy-focused staff does the authority employ?

Approximately 180 staff.

Contacting the authority

How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.

See “Report a privacy breach at your business” at www.priv.gc.ca/en/report-a-concern/report-a-privacy-breach-at-your-organization/report-a-privacy-breach-at-your-business/.

What other contact information should companies and their advisers be aware of?

See our website for all options: https://www.priv.gc.ca/en/contact-the-opc/.

Legal and enforcement framework

What are your investigative powers?

The OPC is mandated to conduct independent and impartial investigations into complaints involving businesses subject to PIPEDA. The commissioner may seek resolution of a complaint through negotiation, persuasion and mediation and may make recommendations to help prevent issues from recurring. The OPC does not have the authority to make orders or to issue fines. You may wish to have a look at our interactive ‘Enforcement of PIPEDA’ chart on our website. Should an organisation fail to comply with our recommendations, under PIPEDA the Commissioner can apply to the Federal Court to seek an order requiring the respondent to take action to correct its practices. The court may also award damages to a complainant.

Can you search premises or force the disclosure of information without having to approach the courts?

The Commissioner focuses on resolving complaints through negotiation and persuasion, and using mediation and conciliation if appropriate. However, if voluntary cooperation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. He also has the authority to receive evidence, enter premises where appropriate, and examine or obtain copies of records found on any premises.

What fines can you impose on companies that breach data protection rules?

The OPC is unable to issue orders or fines against an organisation that refuses to comply with recommendations made by the OPC following an investigation. Commissioner Therrien has repeatedly called for the power to make orders and issue fines for PIPEDA violations, powers many of his international counterparts already enjoy. (You can find more information related to calls for PIPEDA reform on our website.) PIPEDA does provide for court-imposed fines of up to C$100,000 per incident in the specific case where an organisation knowingly contravenes the Act’s reporting, notification and record-keeping requirements relating to breaches of security safeguards. The OPC can refer such violations to the attorney general of Canada, who would be responsible for any prosecution.

What other measures can you take against companies that breach data protection rules?

As mentioned above, under PIPEDA, a complainant or the OPC may apply for a hearing before the Federal Court of Canada in respect of any matter referred to in the commissioner’s report of findings following an investigation. The Federal Court may order an organisation to take action to correct its practices or award damages to the complainant. For more information, see ‘How to apply for a Federal Court hearing under PIPEDA’.

What emergency or interim measures can you take pending the full conclusion of your investigations?

In addition to the investigative powers described above, the OPC can make disclosures in the public interest during an investigation. It can also enter into a compliance agreement with an organisation as a means of bringing the organisation into compliance with PIPEDA, either as an alternative to an investigation, or as an alternative to going to court if the organisation has failed to follow one of the OPC’s recommendations at the conclusion of the investigation. The OPC is also authorised to disclose information it obtains during an investigation concerning the commission of an offence under federal or provincial law to the attorney general of Canada or of the relevant province for possible prosecution.

Priorities and the future

What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?

There are a couple of high-profile investigations currently under way. One involves Facebook and AIQ and relates to the Cambridge Analytica matter that’s made global headlines.

On the public sector side, the OPC has opened an investigation after receiving complaints about Statistics Canada and its collection of personal information from private sector organisations. You can find out more about it on our website. Statistics Canada is Canada’s national statistical office. This investigation is under the Privacy Act.

Beyond that, we have made significant changes to our organisational structure in the last year that we believe will help us achieve better results for privacy.

We have streamlined our operations by clarifying programme functions and reporting relationships; and we have become more forward-looking by shifting the balance of our activities towards greater proactive efforts. Our objective is to have a broader and more positive impact on the privacy rights of a greater number of Canadians, which is not always possible when focusing most of our attention on the investigation of individual complaints.

Our work now falls into one of two programme areas: promotion or compliance. Activities aimed at bringing departments and organisations towards compliance with the law fall under the promotion programme; those related to addressing existing compliance issues fall under the compliance programme. We recently appointed two deputy commissioners to oversee these new sectors.

We know that a successful regulator is not one that uses enforcement as an initial or primary strategy to seek compliance. Thus, our first strategy under the promotion programme is to inform Canadians of their rights and how to exercise them; and to guide and engage with organisations on how to comply with their privacy obligations.

Guidelines and information will be issued on most key privacy topics, some of which are discussed below. We aim to make our information as practical and useful as possible, and to demystify new technologies and their impact on privacy. 

We’re also working with industry proactively and collaboratively in an advisory capacity, to the extent our limited resources allow. We want to better understand the privacy impacts of new technologies, and provide practical advice on how to use them in a privacy compliant way. Our Toronto office is now the hub for our business advisory directorate, which will perform two key functions.

First, businesses will be able to request an advisory consultation in which our team can provide advice before the launch of a new programme or service, or review overall privacy management practices.

Second, through proactive engagements, the OPC may approach businesses and industry sectors involved in activities or initiatives that may have a high impact on the privacy of Canadians. We want to help them better understand the privacy impacts of new technologies and business models, and innovate in a privacy compliant manner. 

Both services are voluntary and free of charge. It’s also important to keep in mind that our team will accept projects based on resource capacity and availability.

Under the compliance programme, our proactive enforcement actions will target systemic, chronic or sector-specific privacy issues which aren’t being addressed through our complaint system, and which we believe may inflict significant damage to the privacy rights of Canadians. 

Last spring, for instance, we announced our first proactive, industry-wide commissioner-initiated investigation into the privacy management practices of data and list brokers.

Preliminary inquiries into industry practices have raised a number of concerns about how databases of Canadians’ detailed personal information are being compiled and subsequently disclosed to marketers. Detailed profiles about individuals may be inaccurate, and could be accessed and used for purposes that individuals may know nothing about. 

As such, our investigation is looking at accountability, openness and transparency in the management of personal information collected, used and disclosed, as well as the means of consent obtained for the personal information collected, used or disclosed.

We believe that this industry can benefit from an investigation of this nature, and that Canadian consumers will welcome it.

What data protection/privacy-related guidelines have you issued to date?

We have a considerable amount of guidance for businesses on our website. We recently published our guidance on mandatory breach reporting, which will probably be of great interest to many businesses. Last spring we updated our guidance on consent. (See our Guidelines for obtaining meaningful consent and our Guidance on inappropriate data practices. You may also wish to look at our “For Businesses” section, which has a number of other guidance documents for organisations.)

Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?

As noted above, we have made it a priority to regularly update and create new guidance for businesses. In our Report on Consent we have identified 30 issues for which we will try to produce information and advice for individuals and organisations. For ease of reference, the list includes:

  • consent (including forms of consent);
  • subsection 5(3) no-go zones;
  • de-identification;
  • big data, artificial intelligence and robotics;
  • genetic information;
  • the Internet of Things;
  • connected cars;
  • smart homes;
  • privacy-enhancing technologies;
  • surveillance technologies;
  • privacy at the border (smart borders);
  • necessity and proportionality in the public sector;
  • online reputation;
  • privacy and social media;
  • educational apps/platforms;
  • biometrics and facial recognition;
  • cookie-less tracking;
  • blockchain;
  • digital health technologies;
  • end-to-end encryption;
  • social engineering;
  • trans-border data flows and cloud;
  • open government;
  • the accountability maturity model;
  • breach notification;
  • data brokers;
  • fintech;
  • the sharing economy;
  • in-store tracking; and
  • behavioural economics.

Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?

For some time, Commissioner Therrien has spoken about the need to modernise both PIPEDA and the Privacy Act, which applies to the personal information handling practices of federal government institutions.

Following the tabling of our Annual Report to Parliament in September, he stated: “We can no longer keep up with the pace of technological change. We urgently need new legislative powers and additional resources if we are to have a real impact on protecting Canadians’ privacy in the 21st century.”

He has called for the power to make orders, issue fines and conduct inspections to ensure businesses respect the law – powers that many of his international counterparts already enjoy. In the wake of the Facebook/Cambridge Analytica matter, he has also called for political parties to be subject to privacy laws, which is not currently the case across Canada, except in the province of British Columbia.

You may wish to have a look at his remarks following the tabling of our last annual report and our Report on Consent, which outlines our recommendations to parliament, including those related to legislative reform.

He also spoke about these issues in the following appearances before parliament:

You can find more information about Privacy Act reform here.

In regard to the GDPR, Commissioner Therrien has said there are several excellent elements in the EU’s GDPR, but added that Canada should seek to develop an approach that reflects the Canadian context and values, including its close trading relationships within North America, with Europe and the Asia-Pacific region. You may wish to have a look at his recent remarks before a parliamentary committee studying the Facebook/Cambridge Analytica matter.
