Adam Kardash, Michael Fekete, Maryna Polataiko
Dec 13, 2021
Over the past year, legislative reform was the key focal point in the highly dynamic Canadian privacy arena. The Provinces of Québec and British Columbia enacted legislative amendments, while other Canadian jurisdictions were also active in legislative reform efforts. The new Québec privacy law — and what appears to be the inevitable amendment to the federal and provincial private sector privacy regimes — will expose companies across Canada to severe financial penalties, enhanced litigation risk and significant compliance costs. It is more important than ever for companies to have a thorough understanding of their personal information practices and their privacy obligations, all with a view to identifying and mitigating the expanding array of privacy, legal and reputational risks associated with the collection, use and disclosure, and other processing of personal information.
Here is how the privacy legislative arena is changing.
Québec: Bill 64 overhauls Canada’s first private sector privacy law
The most significant legislative development in the Canadian privacy arena occurred in the province of Québec. Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, received royal assent on September 22, 2021, following its introduction at the Québec National Assembly on June 12, 2020 and subsequent amendments by the Committee on Institutions. The bill introduces sweeping changes to Québec’s existing privacy regime (the Québec Privacy Act), which was Canada’s first private sector privacy law, enacted in 1994.
One of the most notable additions to the Québec Privacy Act’s current framework is the creation under Bill 64 of a new enforcement regime. Within two years of Bill 64’s enactment, failure to comply with the Québec Privacy Act can expose organizations to fines of up to the greater of $25 million and the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. Organizations can also be exposed to administrative monetary penalties of up to the greater of $10 million and the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
Organizations will also face increased costs arising from operational measures required to comply with Bill 64’s expanded and prescriptive requirements. These are the key changes introduced by Bill 64:
- Data governance: Organizations will be required to create an internal policy suite to address the lifecycle of personal information in their custody and control.
- Processing of personal information: Organizations will be required to conduct privacy impact assessments for any project involving the acquisition, development or overhaul of an information system or electronic service delivery system involving the processing of personal information.
- Stronger consent requirements: Bill 64 strengthens consent requirements and creates new exceptions to consent for personal information processing. Organizations will need to examine all collections, uses and disclosures of personal information, improve their consent notices, develop or enhance consent management practices and otherwise ensure the lawful processing of personal information.
- Data localization restrictions: Organizations will have to create an inventory of all cross-border disclosures and transfers (including transfers of personal information to other Canadian provinces) and conduct a privacy impact assessment prior to any disclosure of personal information outside Québec to ensure that the personal information will be “adequately protected” in the other jurisdictions. Under Bill 64, organizations will be prohibited from transferring or disclosing personal information outside the province of Québec in circumstances where such information will not receive “adequate protection,” determined in light of “generally recognized principles regarding the protection of personal information.”
- Security breach notification: Organizations will be required to review and enhance incident response protocols to comply with security breach reporting and notification requirements.
- “Confidentiality by default”: Under this novel requirement, organizations must implement the “highest level” of confidentiality by default with respect to public-facing products or services.
- Use of technology to collect personal information: Organizations collecting personal information from individuals using technology that allows those individuals to be identified, located or profiled must first inform the individual of such technology and of the means available to activate such functions.
Bill 64 also affords individuals in Québec several new data subject matter rights, including a right to be forgotten, a data portability right, and certain transparency and other rights with respect to automated decision making.
Bill 64’s coming into force is staggered across the next three years, but most of the provisions under Bill 64 (including monetary penalties, damages and new substantive requirements) will come into force on September 22, 2023.
Federal government: Privacy reform remains a priority
The federal government’s Digital Charter Implementation Act, 2020 (DCIA or Bill C-11) died on the order paper on August 15, 2021, when the federal election was called. Tabled on November 17, 2020, Bill C-11 aimed to modernize Canada’s current federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), by drawing on the principles established in Canada’s Digital Charter. Passage of Bill C-11 would have enacted two new statutes, the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA).
Privacy legislative reform apparently remains a priority for the Liberal government, but it is unclear precisely when a new bill replacing PIPEDA will be tabled in Parliament. Many observers expect the Liberal government to introduce a bill that is a slightly revised version of Bill C-11 by spring of 2022.
Through the CPPA, the federal government sought to introduce significant reforms to PIPEDA. These included establishing a new enforcement regime backed by significant administrative monetary penalties (up to the greater of 5% of the organization’s gross global revenue or C$25 million). In addition, the CPPA would have created a private right of action for losses or injuries arising from contraventions of the CPPA, and would have given the Office of the Privacy Commissioner of Canada (OPC) order-making powers. Meanwhile, the PIDPTA would have created a Personal Information and Data Protection Tribunal to which decisions, orders and recommendations of the OPC could be appealed.
Other key features of the CPPA included internal privacy management program requirements, strengthened consent requirements, enhanced statutory transparency obligations and new data subject matter rights, including personal information “disposal” and data mobility (portability) rights.
Ontario: Continued efforts to develop private sector privacy law
In 2021, the Ontario Government continued its efforts to develop a provincial private sector privacy law. Following consultations in 2020, the Ontario Ministry of Consumer and Government Services launched a second consultation and issued a white paper outlining its plans, as well as proposed provisions, on June 17, 2021.
The Province of Ontario is contemplating greater regulatory oversight and enforcement powers for the Office of the Privacy Commissioner of Ontario, including order-making powers, investigations and audits. Also proposed are significant administrative monetary penalties (for individuals, a maximum of $50,000; for organizations, the greater of $10 million or 3% of the preceding year’s gross global revenue) and statutory offences (for organizations, a maximum of the greater of $25,000,000 or 5% of the preceding year’s gross global revenue).
Given the pending election this spring in the province of Ontario, it seems unlikely that a bill setting out a private sector privacy legislative scheme will be introduced in the short term.
British Columbia: Public and private sector reform
In February 2020, a special committee was struck by the British Columbia Legislative Assembly to review the British Columbia Personal Information Protection Act (PIPA BC). The Information and Privacy Commissioner for British Columbia issued a briefing for the special committee in June 2020, making high priority recommendations to enact breach reporting requirements, as well as to grant the Commissioner the authority to impose administrative monetary penalties, to initiate investigations and to make orders. The Committee initiated consultations the same month through a consultation portal, which closed in August 2020.
The special committee is scheduled to publish a report regarding proposed amendments to PIPA BC to the Legislative Assembly by December 8, 2021.
The Government of British Columbia passed a bill making material amendments to its public sector privacy and access legislation, the Freedom of Information and Protection of Privacy Act (FOIPPA). Bill 22 includes a rewrite of FOIPPA’s data residency provisions, mandatory privacy breach reporting and a fee for non-personal freedom of information requests.
Although Bill 22 removes data residency rules for access and storage, a public body will be authorized to disclose personal information outside of Canada only if the disclosure is in accordance with regulations. The regulations require that the head of a public body undertake a privacy impact assessment “with respect to each of the public body’s programs, projects and systems in which personal information that is sensitive is disclosed to be stored outside of Canada.”
Bill 22 also expands pre-existing data location rules in respect of metadata and the duration of processing. It remains to be seen how these rules will be interpreted and whether they will impact the ability of public bodies in British Columbia to engage domestic or foreign service providers.
Alberta: Private sector legislative reform on the horizon
In late November 2020, Alberta’s Information and Privacy Commissioner wrote a letter to the Minister of Service Alberta, proposing amendments to Alberta’s Personal Information Protection Act (Alberta PIPA).
The Commissioner proposed that the Office of the Commissioner be granted authority to levy administrative monetary penalties (which should be consistent with those of other jurisdictions) and that it be required to create rules for such penalties. She also recommended that fines for offences be increased to mirror those in other Canadian jurisdictions.
Other key proposed amendments include privacy management program requirements, as well as provisions addressing de-identified personal information (defining the concept, addressing permitted uses and creating offences for attempted de-identification). Also proposed is an expansion of the scope of Alberta PIPA to include all non-profit organizations and political parties, and the recognition of data portability rights. The Commissioner also encouraged the Alberta Government to engage in consultations regarding the right to erasure and de-indexing and to examine the possibility of incorporating a concept of “data trust” into a legislative scheme similar to the model under Ontario’s health privacy regime.
This past summer, the Ministry of Service Alberta solicited feedback on privacy legislative reform, but it is unclear when the Province of Alberta is likely to introduce a bill reforming Alberta PIPA.
Continued major changes to the Canadian federal and provincial privacy landscape are likely forthcoming next year. We encourage all companies to proactively consider these pending changes and plan for their likely implementation.