Expect New Federal Privacy Laws For The Private Sector

A modernized federal privacy law may be coming to the private sector. Now under debate in Parliament, Bill C-27 reintroduces the Consumer Privacy Protection Act (CPPA). The CPPA first appeared in 2020 (as part of Bill C-11), but died on the order paper when the 2021 federal election was called. If the CPPA makes it into law this time, it will replace the privacy provisions of the 20-plus-year-old Personal Information Protection and Electronic Documents Act (PIPEDA).

Privacy regulation will be different under the CPPA than under PIPEDA, and the CPPA will subject Canadian businesses to new requirements and practices. Carrot and stick, it creates both opportunities and challenges for the private sector: opportunities because it strives to align Canada with the European Union's General Data Protection Regulation (GDPR), the California Privacy Rights Act and Québec's new privacy law (Bill 64); challenges because non-compliance may bite hard. Key features of the CPPA include:

  • The requirement that every organization implement and maintain a privacy management program
  • The right to establish Codes of Practice and Certification Programs for organizations and entities
  • Data Mobility Frameworks under which individuals can ask for their personal information to be disclosed directly to other organizations, subject to regulations
  • New requirements for using de-identified information and prohibitions on re-identification
  • Use of data for Socially Beneficial Purposes without consent, under certain conditions
  • Administrative Monetary Penalties of up to $10,000,000 or 3% of an organization's gross global revenue, whichever is greater, for privacy contraventions
  • Fines of up to $25,000,000 or 5% of an organization's gross global revenue, whichever is greater, for offences
  • Specific provisions for the data of minors.

Bill C-27 would also introduce the Artificial Intelligence and Data Act (AIDA): Canada's first statute regulating how the private sector designs, develops and deploys artificial intelligence (AI) systems, with financial consequences for non-compliance.[1]

Privacy Laws are Changing Across the Country

  • Québec's Bill 64 (now Law 25) is being phased in: its first provisions came into force in September 2022, most take effect in September 2023, and the remainder (including data portability) in September 2024. The law's new obligations range from privacy impact assessments to governance policies and practices for personal information. It also allows for exceptions to consent.
  • Ontario, British Columbia, and Alberta have signalled that privacy law reform may be coming. The British Columbia and Alberta governments have established special committees to review provincial privacy legislation.
  • Privacy Commissioners across Canada continue to take a joint approach to investigations, as seen in the 2022 Tim Hortons investigation conducted jointly by the federal, Québec, British Columbia and Alberta commissioners.[2]

What You Can Do Now to Prepare

  • Know your current privacy compliance obligations and how they are being met. Several CPPA provisions build on PIPEDA obligations you already have.
  • Plan refresher privacy training to understand what's coming, how to prepare for it, the opportunities it may offer, and the risks it may pose.
  • Identify how the potential changes to the law may affect present or future business models.
  • Consider whether to advocate for changes to the law via industry associations, since Parliament may soon establish a Committee to study Bill C-27.[3]

What This All Means for You

  • Be prepared to demonstrate compliance with both federal and provincial privacy laws if operating in a province whose private-sector privacy legislation has been declared substantially similar to PIPEDA (British Columbia, Alberta and Québec). In those provinces the provincial statute governs the handling of personal information within the province, while PIPEDA continues to apply to interprovincial and international flows.
  • Ensure that your company is ready for the Bill 64 requirements coming into force in September 2023 on collecting, using, or disclosing the personal information of individuals in Québec.
  • Be proactive about data security. Amidst the epidemic of cybersecurity incidents (e.g., data theft, ransomware), privacy breach lawsuits are proliferating. While Ontario courts recently ruled out holding corporate victims of such incidents liable for privacy torts, other courts have left the issue open. And victims may still be liable in negligence or breach of contract for preventable breaches, as courts across Canada have noted.
  • Check in with the people responsible for privacy law compliance, consider the connection between privacy and security practices, and assess the impact on business activities of the upcoming regulations.
  • Review breach response plans. Consider breach response training. Update policies and procedures to align with changes to the law on mandatory breach reporting (PIPEDA, and the CPPA if enacted) and on confidentiality incident reporting (the term used in Québec's Law 25).

Increasing Regulations Around Cyber Security[4]

  • Bill C-26, also before the House of Commons at present, would enact the Critical Cyber Systems Protection Act (CCSPA), imposing cyber security obligations on federally regulated companies, including those in the banking, energy, nuclear, transportation and telecommunications sectors. The CCSPA will require the organizations it covers ("designated operators") to establish a cyber security program for their "critical cyber systems", to include cyber security risk identification and mitigation, protection of critical cyber systems, incident detection and impact minimization, and mandatory incident reporting.
  • Cyber Security Direction powers will also be available to the government, to direct compliance with protective measures for cyber security. The CCSPA has administrative monetary penalties for violations, with a maximum of $1,000,000 for individuals, and up to $15,000,000 in other cases.
  • Federally regulated financial institutions overseen by the Office of the Superintendent of Financial Institutions (OSFI) will also be preparing for OSFI's Guideline B-13, Technology and Cyber Risk Management, issued in final form in July 2022 and taking effect on January 1, 2024.

Footnotes

1. See Fogler Rubinoff LLP / David Young Law, Table Comparing Canada's Proposed AIDA to EU's Proposed AI Act, on Foglers.com.

2. PIPEDA Findings #2022-001.

3. See Fogler Rubinoff LLP / David Young Law, How Canada's Proposed Private Sector Modernized Privacy Law and New AI Systems Law Will Impact Canadian Businesses, briefing to the Council of Canadian Innovators on Bill C-27, on Foglers.com.

4. See the discussion of cyber security laws in The Litigation Consequences of Cybersecurity Breaches by Ronald Davis, Alexander Evangelista and Teodora (Prpa) Obradovic, on Foglers.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.