A wave of new laws, legislative proposals and public consultations are taking Canadian private-sector privacy laws through a sharp turn, introducing EU General Data Protection Regulation-level, multimillion-dollar fines and enhancing individual rights. This article seeks to guide us through this move by describing the various reforms and strategies to implement them.
The reforms
Privacy law reforms relevant to the private sector are now law in Quebec and British Columbia, while a bill to amend the federal Personal Information Protection and Electronic Documents Act makes its way through the Parliament of Canada. It is fair to expect it will be adopted in 2023 with very little change.
Quebec
“An Act to modernize legislative provisions as regards the protection of personal information,” SQ 2021, c. 25, introduced as Bill 64, amends, among other things, the act respecting the protection of personal information in the private sector and was adopted unanimously Sept. 22, 2021. The first provisions came into force Sept. 22, 2022. The bulk of the act comes into force Sept. 22, 2023, leaving the right to portability to come into force on Sept. 22, 2024.
The following obligations focusing on changes most impactful to organizations came into force Sept. 22, 2022:
- The “person in highest authority” in an organization, presumably the CEO or equivalent, is responsible for internal compliance. The responsibility may be delegated, in writing, to “any person” (Section 3.1).
- Breach reporting to Quebec’s data protection authority, Commission d’accès à l’information du Québec, and notification to individuals are now mandatory when data breaches present "a risk of serious injury” (Sections 3.5, 3.6 and 3.7) and cases must be recorded (Section .3.8) akin to the existing regime everywhere else in Canada, except British Columbia.
- Privacy impact assessments are required to transfer personal data for research, studies and statistics (Section 21 and following).
Coming into force Sept. 22, the provisions most relevant to risk management are those introducing administrative penalties for noncompliance of up to CA $10M or 2% of global turnover (Section 90.1 and 90.12) as well as fines of up to CA$25 M or 4% of global turnover (Section 91).
The other most impactful provisions will require:
- Adopting a privacy program according to prescribed requirements (Section 3.2).
- Establishing a process to perform a privacy impact assessment before adopting technology that processes personal information (Section 3.3) and transferring personal information outside Quebec (Section 17).
- Updating privacy notices to meet enhanced transparency requirements (Section 8), including transparency in relation to automatic decision-making systems (Sections 8.1 and 12.1).
- Reviewing consent mechanisms according to more stringent conditions (Section 12), including new provisions on minors’ consent (Sections 4.1 and 14).
- Reviewing data anonymization to demonstrate it is performed for “serious and legitimate reasons" and according to “generally accepted best practices" (Section 23).
- Akin to the GDPR, organizations that disseminate information must prepare to respond to a “right to be forgotten" in the form of a right to deindexation (Section 28.1).
British Columbia
In British Columbia, the Freedom of Information and Protection of Privacy Amendment Act, 2021 (Bill 22), amends the province’s public-sector privacy law and makes a critical change for the private sector. The prohibition of public institutions disclosure of personal information outside of Canada, which excluded so many organizations from public procurement in British Columbia, has been replaced by a provision allowing such disclosure in accordance with regulations (Section 33.1). In practical terms, the data residency requirement is removed.
Federal
Bill C-27, the Digital Charter Implementation Act 2022, was tabled June 16, 2022 and referred to Committee Nov. 4, 2022. It seeks to amend the Personal Information Protection and Electronic Documents Act and other acts, as well as enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
Like the Quebec Act, the CPPA creates an enforcement regime. The Office of the Privacy Commissioner of Canada may issue compliance orders (Section 93 (2)) and recommend to the Personal Information and Data Protection Tribunal to impose penalties (Section 94 (1)) reaching the higher of CA$10 million and 3% of the organization’s gross global revenue in its previous financial year (Section 95 (4)). Certain violations of the act constitute an indictable offence leading to a fine not exceeding the higher of CA$25 million and 5% of the organization’s gross global revenue in its previous financial year (Section 128).
The OPC would acquire new powers, in addition to the ability to recommend the imposition of penalties, including the abilities to:
- Access to an organization's privacy program and ability to recommend “corrective measures" (Section 10).
- Approve, upon request, an entity's code of practice or certification program (Sections 76 and 77) as well as monitor the implementation of an approved program (Section 81a) and revoke it (Section 81e).
- Conduct inquiries after investigating complaints (Sections 88-89) or suspecting noncompliance with compliance agreements (Section 90) which may result in the issuance of compliance orders (Section 90 (1)).
Like the Quebec Act, Bill C-27 introduces more stringent consent and transparency requirements, including the obligation to provide a “general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have a significant impact on them” (Section 62 (2c)). A “legitimate interest” exception is created to collect and use personal information without consent under certain conditions, including performing assessments and documenting how organizations meet the prescribed conditions (Section 18 (3), (4), (5)).
Individual rights have been broadened to include the right to dispose of one’s personal information under specific conditions (Section 55(1)) and the right to mobility ensuring the portability of the personal information that the organization has collected from the individual (Section 72). As questions arise around the application of the right to mobility of observed and inferred data, it is relevant to note its scope is limited to personal information collected “from” the individual rather than “about” the individual.
Bill C-27 also introduces the Artificial Intelligence and Data Act, which would govern the use of AI in “high impact systems” (Section 4b), a notion to be defined through regulation. The objective is not merely to protect the right to privacy but also to protect against discrimination by regulating against “biased outputs."
Other Canadian jurisdictions
While Alberta has indicated it will not be left behind, British Columbia and Ontario are the only provinces with concrete policy directions on private-sector privacy law publicly discussed. In British Columbia, a Special Committee to Review the Personal Information Protection Act released recommendations on modernizing the act Dec. 6, 2021. On June 17, 2021, Ontario issued “Modernizing Privacy in Ontario,” a white paper consulting Ontarians on the adoption of a provincial private-sector privacy law.
Getting ready
Since Sept. 22, 2022, organizations should have already designated a privacy officer and reviewed their data breach response plan to ensure they can meet the new mandatory breach reporting requirements in Quebec.
Commonalities between the Quebec Act and CPPA point to priorities for preparing organizations, including:
- Updating privacy programs keeping in mind, when the CPPA comes into force, the OPC will have the right to access them.
- Developing wording for transparency on automated decision-making, including tracking and profiling.
- Adopting a privacy impact assessment process that can be applied to meet both the Quebec Act requirements for assessments — before adopting new technology, transferring data for research and transferring data outside Quebec — and the proposed CPPA exception to consent based on an assessment of the balance between the legitimate interests of an organization and the impact on individual privacy.
- Adapting consent mechanisms as necessary and implementing a consent management system to verify and demonstrate compliance.
- Updating retention schedules to ensure all retention times meet the requirement to retain the information for no longer than necessary.
- Documenting anonymization processes to demonstrate their purpose and effectiveness in irreversibly removing the possibility to relate the information to an identifiable individual.
- Reviewing and, as needed, updating contracts with service providers to ensure compliance as the contracting organization remains responsible through the supply chain.
Work should also start on the operational requirements to eventually meet the requirements in data mobility.
Success strategies
The experience of implementing Article 25 of the GDPR brings out key success strategies. They have these elements in common:
- A person is designated to oversee the privacy compliance update and has a clear mandate to do so.
- That person acts as an early warning system, keeping abreast of legislative developments, regulators' guidance and court decisions, to identify the necessary compliance measures with enough time to implement them.
- The specific impact of the proposed legislation on the organization is clearly identified, so a focused action plan and critical path guide the implementation of the necessary changes.
- Sufficient resources are specifically directed to the effort.
- The whole organization is involved and consulted on the operational impact of the changes to get buy-in.
Specifically for 2023, organizations should identify the common impacts of the Quebec Act and the CPPA to implement one set of measures to comply with both regimes.