I spoke on a virtual panel this week about legislative changes coming down the pike. My focus was on what is happening federally with Bill C-27, and my co-panelist, Torys Partner Julie Himo, tackled what’s happening in Quebec. The discussion was moderated by my colleague at Vayle, CEO Shaun McIver, CIPM.

The audience was made up of members of the Investment Industry Regulatory Organization of Canada, which is the pan‑Canadian self‑regulatory organization that oversees all investment dealers and trading activity on Canada’s debt and equity marketplaces. They broker money, but also personal information!

Some folks weren’t aware that we are modernizing our private-sector regime in Canada. I think light bulbs went on when we talked about how large the fines can get. Under the proposed Consumer Privacy Protection Act — the law that will replace the privacy portion of PIPEDA — a fine can be up to 3% of global total revenue. And that’s just for a simple noncompliance finding. For more egregious violations, the fines can be up to 5% of global total revenue. For some organizations, that can potentially be in the hundreds of millions.

Another topic we discussed was how the law in Quebec is making it mandatory to perform privacy impact assessments in certain situations. I wonder if the parliamentarians reviewing the CPPA might also try and add something similar to what they’ve done in Quebec. Rumor has it that the bill will be sent to committee soon. It is currently in second reading.

What about you? Have you studied the new provisions yet — either the ones coming into effect in Quebec or the proposals at the federal level? What has caught your eye? Anything in there that might be difficult to actually operationalize? One thing that jumps out for me is the mechanism for data transfers outside of Quebec they recently introduced. I don’t see how that entire regime is going to work in practice — we’ll have to see. I’d love to hear your thoughts! Feel free to leave a comment below.

Have a great weekend.