In 2021 and 2022 we saw a significant paradigm shift in the privacy scenario in Canada. A lot of changes has been made and new bills have been introduced.
Currently Canada has the Personal Information Protection Act (PIPEDA) since 2000 but it will soon be replaced by the Consumer Protection and Privacy Act (CPPA) as the Federal Law.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that applies to all businesses that operate in Canada and handle personal information that crosses national or provincial borders. Federally regulated organizations that conduct business in Canada, such as airports, banks, and telecommunications companies, are always subject to PIPEDA.
Under the PIPEDA, personal information includes any subjective or factual information about an identifiable individual. Examples include:
Name, age, income, ID numbers, blood type, or ethnic origin
Opinions, comments, evaluations, disciplinary actions, or social status
Employee files, loan records, credit records, intentions to change jobs or acquire goods, and the existence of disputes between consumers and merchants
The following events will be witnessed in 2023 with regard to Canada privacy scenario:-
Bill C-27: The Consumer Privacy Protection Act
In November 2020, the Canadian federal government introduced Bill C-11, which proposed repealing the personal information-related provisions of PIPEDA and replacing them with a new data and privacy legal framework. While Bill C-11 never made it into law, on June 16, 2022, the federal government resurrected it by introducing Bill C-27, the Digital Charter Implementation Act, 2022.
Bill C-27 retains Bill C-11’s core elements, including its proposals to:
Enact the Consumer Privacy Protection Act, which would replace Part 1 of PIPEDA
Enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which creates an administrative tribunal
However, there are some differences between the two bills. For one, Bill C-27 is much more concerned with artificial intelligence (AI). Specifically, it proposes enacting the Artificial Intelligence and Data Act (AIDA) to regulate AI systems.
Under Bill C-27, noncompliant organizations are liable to a fine of up to 5% of their global revenue or $25 million Canadian, whichever is greater. There are also administrative monetary penalties of up to 3% of global revenue or $10 million Canadian for certain violations of the Consumer Privacy Protection Act.
Significant Changes in British Columbia FIPPA Act
The Provincial government has recently confirmed the latest in a series of long-anticipated and significant changes to BC’s Freedom of Information and Protection of Privacy Act (“FIPPA”).
As of February 1, 2023, two new sections of FIPPA and associated regulations will come into force. This will create two significant new requirements for all public bodies in this province:
Mandatory reporting requirements in the event of privacy breaches.
Requirement to develop and maintain a “privacy management program”.
Privacy Breach Notifications
Public bodies will be required to report any privacy breach that “could reasonably be expected to result in significant harm to the individual”. A “privacy breach” is broadly defined. It includes theft, loss, or any other unauthorized collection, use or disclosure of personal information.
Organizations will be expected to assess whether a breach could reasonably result in “significant harm”. FIPPA sets out several examples of harm meeting that threshold, including identity theft, physical or financial harm, reputational or relationship damage, and negative impact on credit rating or professional opportunities.
Notification will be required “without unreasonable delay” to any affected individual. The new regulations set out specific requirements for written notification, including descriptions of the breach, any containment steps taken, and steps the individual can take to reduce the risk of harm.
Public bodies will also be required to provide notice to the Office of the Information & Privacy Commissioner. Public bodies should keep in mind that the Privacy Commissioner has broad discretion to conduct its own investigations into privacy compliance.
These updates make BC the latest in a series of Canadian jurisdictions that have made privacy breach reporting mandatory. The upcoming amendments to FIPPA follow the introduction of similar requirements in Alberta, Quebec and under Federal privacy legislation. While each set of laws is unique, previous guidance from those jurisdictions may help public bodies in BC understand the scope of their new obligations.
The Personal Information Protection Act, which applies to BC’s private organizations, currently does not have similar requirements. However, the introduction of mandatory breach reporting for private organizations has been formally proposed on several occasions, including as part of the 2021 report of the Special Committee to Review the Personal Information Protection Act.
Privacy Management Program
In addition to reporting requirements, FIPPA will require all public bodies to develop and maintain a privacy management program. The Minister responsible for the act may establish specific requirements for privacy management programs, but no directions have been issued to date.
The BC Privacy Commissioner previously provided guidance for public bodies designing a privacy management program, including:
Maintaining an inventory of personal information held by the organization, and how that information is used and disclosed;
Establishing necessary policies to address collection of personal information from employees and third parties;
Conducting risk assessments and establishing security processes;
Managing external service providers and establishing standards for privacy and information security;
Designing breach and incident management response programs; and
Implementing training for employees responsible for privacy management.
Public bodies should take this opportunity to review their current privacy management programs, and be prepared to refresh and update those programs as necessary to meet the new requirements of FIPPA.
Quebec Bill 64 changes
On September 22, 2021, the Quebec government adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, enacting significant changes to the requirements governing the use and protection of personal information under various statutes, including notably the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Public Sector Act”).
The changes enacted by Bill 64 will come into force gradually — the first will take effect on September 22, 2022, one year after the Bill’s assent. The majority of the provisions of the Bill are set to come into force a year later, on September 22, 2023, with the final provisions effective on September 22, 2024.
Businesses that fail to comply with Bill 64 risk facing unprecedented penalties of up to $25 million (which exceed the maximum penalties available under the Competition Act, and the Canada’s Anti-Spam law (CASL)) — a great departure from the $50,000 maximum penalty under the current regime. In addition, individuals maintain a private right of action for injury resulting from the unlawful infringement of a right conferred by the Private Sector Act or sections 35 to 40 of the Civil Code of Québec. The Bill also introduces a minimum award of $1,000 in punitive damages where the infringement is intentional or results from a gross fault.
In light of the above consequences for failing to comply with the forthcoming privacy reform, companies operating in Quebec should consider the following:
Conducting an internal assessment of current processes (i.e. collection, use, maintenance and disclosure of personal information);
Identify any jurisdictions outside of Quebec where personal information may be transferred, and conduct a privacy impact assessment for each such jurisdiction;
Identifying the person best suited to be appointed the Privacy Officer and making delegation as deemed appropriate based on such identification;
Review and revise current privacy policies and practices (e.g. internal and external privacy policies; current physical, technological and cyber privacy safeguards; etc.);
Review current contractual obligations vis-à-vis the company’s processing of personal information;
Audit current data/consent practices and language; and
Review and revise current confidentiality incident reporting and access/data subject rights request practices, with a view to implementing appropriate policies and procedures (e.g. establish an incident analysis and reporting process, implement “right to be forgotten” accommodations, de-indexing hyperlinks, etc.).