Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
What a week in Canada — King Charles came to town and opened the new Parliament.
It is not clear what lies ahead federally. Privacy was not mentioned in the Speech from the Throne, but there is now a Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, and presumably, the Cross-Border Privacy Rules consultation is continuing.
At the provincial level, there is action. Quebec's data protection authority, the Commission d'accès à l'information du Québec, is ceasing publication of organizations that have reported data breaches. The CAI said the goal is to: minimize the risk of harm to citizens; avoid revealing the existence of vulnerabilities or cybersecurity issues; avoid interfering with the organization's management of the incident; and preserve the exercise of the commission's supervisory functions and powers, including ongoing and future investigations.
In a recent decision, the CAI concluded that the collection of video surveillance images over a 14-day period inside Crane Supply delivery trucks passed the necessity and proportionality tests, but that the company had not sufficiently minimized collection. The CAI ordered the company to limit capturing to seconds before and after an incident, or failing that, to stop capturing the interior of the vehicles; stop rolling after the engine is shut down; and destroy footage unrelated to any incidents.
The CAI also recommended the company revise its dash cam policy to reflect that images captured can only be accessed in the event of an incident.
By the way, the IAPP Canada Privacy Symposium 2025 made it to the CAI's news page.
In Ontario, the newly enacted Digital Platform Workers' Rights Act, 2022 is coming into force on Canada Day, 1 July. As the gig economy continues to expand, the legislation provides additional access rights to gig workers on digital platforms — for example, Uber drivers — such as: how compensation is calculated; if and how tips and other gratuities are collected; recurring pay period and pay days as established by the operator; factors used to determine whether work assignments are offered to workers and a description of how those factors are applied; and information about the performance rating system, where applicable.
Gig workers' right to information is not new. It is already provided for under current privacy laws such as the Personal Information Protection and Electronic Documents Act. What may be a new obligation is that new types of information are prescribed. And there are fines — up to CAD500,000. For organizations that are still handling access requests manually, it may be worthwhile for the chief privacy officer to ask for a budget to implement self-service data subject access and gig worker requests. For organizations that already have automation in place, a change request may be in order.
As privacy and data rights continue to evolve, organizations should keep an eye on both federal and provincial developments.
Florence So, AIGP, is counsel at nNovation.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.