In 2022, the Canadian privacy and cybersecurity law landscape continued to see significant transformation. As with previous years, to mark Data Privacy Day, we have summarized the big stories from last year to help you stay up to date on the latest developments.
FEDERAL GOVERNMENT PROPOSES NEW PRIVACY & CYBERSECURITY LEGISLATION
On June 16, 2022, Canada's Minister of Innovation, Science and Industry introduced Bill C-27, the Digital Charter Implementation Act, 2022. Bill C-27 is the successor to the federal government's earlier proposal, Bill C-11, which was introduced in 2020 but died on the order paper following the 2021 federal election. Like the 2020 proposal, Bill C-27 would, if passed:
- Repeal parts of the Personal Information Protection and Electronic Documents Act that regulate the processing of personal information and enact a new Consumer Privacy Protection Act (CPPA)
- Enact the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and impose penalties for contravention of certain of its provisions
- Introduce rules to regulate "high-impact" artificial intelligence systems under a new Artificial Intelligence and Data Act (AIDA)
Bill C-27 is currently at second reading in the House of Commons. We expect the bill will be sent to committee for further consideration in the coming months.
To learn more about Bill C-27 and AIDA, read our June 2022 Blakes Bulletins: Privacy Reform Redux: New Federal Bill Set to Reform Canada's Private-Sector Privacy Law and Federal Government Proposes New Law to Regulate Artificial Intelligence Systems.
On June 14, 2022, Canada's Minister of Public Safety introduced Bill C-26, which would impose a series of cybersecurity-related obligations on designated organizations in four key federally regulated sectors: telecommunications, finance, energy and transportation. At a high level, the bill would enact the Critical Cyber Systems Protection Act, which aims to protect critical cyber systems considered integral to Canadian infrastructure and public safety. Bill C-26 is currently at second reading in the House of Commons.
For more information about Bill C-26, read our June 2022 Blakes Bulletin: House of Commons Introduces Bill C-26: Proposed Federal Cybersecurity Legislation.
QUEBEC PRIVACY LAWS CONTINUE TO DEVELOP
September 2022 saw the first of a series of amendments to Quebec's Act respecting the Protection of Personal Information in the Private Sector (Quebec Act) made as a result of Bill 64. Organizations must now (among other things):
- Delegate in writing the role of the person in charge of the protection of personal information (PIC). If no such delegation is made, the person exercising the highest authority within the organization will be deemed to be the PIC.
- Notify the Commission d'accès à l'information du Québec and affected individuals of any "confidentiality incident" involving personal information that presents a risk of serious injury.
Read our August 2022 Blakes Bulletin: Quebec Privacy Law: Is Your Organization Ready for New Rules in Force this September? to review all of the new obligations that came into force in Quebec as of September 2022.
Most of the amendments made by Bill 64 will come into force on September 22, 2023. These amendments will impose significantly enhanced obligations on private sector organizations and provide for stronger enforcement powers, including administrative monetary penalties of up to C$10-million or, if greater, an amount corresponding to two per cent of the organization's worldwide turnover for the preceding fiscal year.
On December 12, 2022, the Government of Quebec tabled Bill 3, an Act respecting health and social services information and amending various legislative provisions before the National Assembly of Quebec. The bill addresses a legislative gap in Quebec's privacy infrastructure by introducing the first comprehensive legal framework specific to health and social services information with the stated purpose to better protect, use and manage health information. The bill proposes a framework similar to provincial health information privacy laws in other Canadian jurisdictions, but with obligations and penalties more aligned with recent amendments to Quebec privacy laws. The bill is expected to be debated at the national assembly.
ALBERTA PIPA STATUTORY REVIEW UNDERWAY
On March 25, 2022, the Alberta legislature passed Government Motion 29, referring Alberta's Personal Information Protection Act (PIPA) to the Standing Committee on Alberta's Economic Future for legislative review. As a next step, the committee passed a motion to invite a technical briefing on PIPA from the ministry responsible for administering PIPA and the Office of the Information and Privacy Commissioner of Alberta. A transcript of the committee's September 27, 2022, meeting can be found here.
ONTARIO'S EMPLOYEE ELECTRONIC MONITORING POLICY OBLIGATION COMES INTO FORCE
As of October 11, 2022, employers in Ontario with 25 or more employees are required to have a written policy on the electronic monitoring of employees and provide all employees with a written copy of the policy. The policy must describe (among other things) whether employees are electronically monitored, the methods used, the circumstances in which the monitoring will occur, and the information collected. For more information, read our October 2022 Blakes Bulletin: Ontario's Employee Electronic Monitoring Policy: October 11 Deadline Approaching.
ONTARIO COURT OF APPEAL LIMITS INTRUSION UPON SECLUSION CLAIMS IN CYBERSECURITY CASES
On November 25, 2022, in Owsianik v. Equifax Canada Co. (Owsianik), the Ontario Court of Appeal held that intrusion upon seclusion is not a viable cause of action against a defendant who has been the victim, rather than the perpetrator, of a cyberattack. Owsianik confirmed that a defendant's alleged failure to prevent a breach of privacy by an outside party will not give rise to a claim for intrusion upon seclusion. For more information, read our November 2022 Blakes Bulletin: Court of Appeal for Ontario Limits Intrusion Upon Seclusion Claims in Cybersecurity Cases.
PUBLIC SECTOR BREACH REPORTING REQUIREMENTS IN FORCE IN B.C.
As of February 1, 2023, public bodies in British Columbia will be required to report privacy breaches and have privacy management programs. These obligations stem from amendments made to B.C.'s Freedom of Information and Protection of Privacy Act in November 2021. For more information, read our January 2023 Blakes Bulletin: Mandatory Privacy-Breach Reporting Coming to B.C. Public Sector.
For permission to reprint articles, please contact the Blakes Marketing Department.
© 2020 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.