11. Creating an enhanced compliance framework to address unresolved issues

CLOSED: This discussion has concluded.

The Privacy Commissioner could be provided with greater powers to more effectively address complaints and the matters for which individuals can seek legal remedies could be expanded

There are a number of reasons to revisit the Act’s compliance model. Comprehensive, efficient, and accessible legal remedies are essential for situations where compliance cannot be assured. Moreover, a stronger oversight model could better support new principles-based flexibility for novel scenarios involving personal information. Certain of these suggested changes would mirror amendments made to the Access to Information Act in 2019, which provided similar powers to the Information Commissioner of Canada. Aligning the powers of the two commissioners where possible would provide consistency in the processing of requests under both Acts, as well as in the complaint mechanisms for access requests. Proposed changes could include:

  • Giving the Privacy Commissioner the discretion to decline to investigate a complaint or to discontinue an active complaint investigation : The Privacy Commissioner could be provided with the discretion to decline to investigate a complaint in a number of circumstances, including where a complaint was vexatious, frivolous or made in bad faith, or where the Commissioner deems an investigation to be unnecessary. These could include cases where a complaint was already the subject of an investigation or had already been the subject of a report by the Privacy Commissioner.

  • Giving federal public bodies the discretion to decline to respond to vexatious or abusive requests for access to personal information : The Act could also authorize federal public bodies, with the Privacy Commissioner’s approval, to decline to process requests for access to personal information under the Privacy Act where the request is vexatious, made in bad faith, or otherwise an abuse of the right to make such a request. This would allow federal public bodies to direct resources away from vexatious or abusive requests.

  • Giving the Privacy Commissioner the power to audit the personal information practices of federal public bodies : Currently, section 37 of the Act gives the Privacy Commissioner the power to review compliance with the provisions of the Act that govern the collection, use, disclosure, and management of personal information. The Act could replace this with the power to audit the personal information management practices of a federal public body on reasonable notice.

  • Giving the Privacy Commissioner the power to collaborate with regulatory counterparts in Canada : The Act could provide the Privacy Commissioner with the power to collaborate with and share information confidentially, including personal information, with other data-protection regulators in Canada and other federal review bodies, where doing so is necessary to advance the Privacy Commissioner’s mandate in the public interest.

  • Requiring the Privacy Commissioner to consult with relevant oversight bodies : Before issuing findings in a complaint or an audit concerning federal public bodies regulated by other oversight entities, the Privacy Commissioner could be required to consult with relevant oversight bodies to ensure a coherent oversight approach and to avoid duplication of efforts.

  • Creating an impartial oversight process for complaints against the Office of the Privacy Commissioner of Canada under the Privacy Act: The Act does not currently contain an impartial process for complaints made against the Privacy Commissioner’s office itself under the Act. To address this legislative gap, the Act could set out a process for independent reviews of such complaints.

  • Providing the Privacy Commissioner with the power to enter into binding compliance agreements with federal public bodies : The Act could provide the Privacy Commissioner with the power to enter into compliance agreements with federal public bodies, consistent with his power to do so under the Personal Information Protection and Electronic Documents Act. This would be a strong tool to ensure a federal public body met commitments made to the Privacy Commissioner in the context of a complaint investigation, and the Privacy Commissioner could initiate court proceedings if a federal public body failed to comply with a compliance agreement.

  • Imposing clear statutory timelines for proceedings before the Privacy Commissioner : The Act could set out clear statutory timelines and other procedural rules to support the efficient resolution of complaints, the conducting of investigations, and the negotiation of compliance agreements.

  • Providing the Privacy Commissioner with the power to issue orders similar to those of the Information Commissioner : Where complaints relating to refusals of access to personal information could not be efficiently and effectively resolved through updated resolution mechanisms, the Act could grant the Privacy Commissioner the same order-making powers the Information Commissioner was recently provided with to resolve access complaints under the Access to Information Act. This would allow the Commissioner to address the bulk of complaints filed with the Office of the Privacy Commissioner.

  • Expanding the Federal Court’s de novo review jurisdiction : Currently, only refusals to provide access to personal information can be brought before the Court following an investigation by the Privacy Commissioner. The Act could be amended to empower the Federal Court to hear, in addition to refusals of access, matters relating to the collection, use, disclosure, retention or safeguarding of personal information where these could not be successfully negotiated or resolved through the Privacy Commissioner’s updated suite of processes and tools.

  • Adding new offences for serious intentional violations of the Act : The Act could include offences for wilful violations of the Act that result in harm to individuals. 

For additional details and a more in-depth discussion on the rationale for these potential changes to the compliance model under the Act, please consult our more detailed annex here.


Share on Facebook Share on Twitter Share on Linkedin Email this link

Consultation has concluded. Thank you for your contributions.

    <span class="translation_missing" title="translation missing: en-US.projects.forum_topics.show.load_comment_text">Load Comment Text</span>