Over the past year, legislative reform was the key focal point in the highly dynamic Canadian privacy arena. The Provinces of Québec and British Columbia enacted legislative amendments, while other Canadian jurisdictions were also active in legislative reform efforts. The new Québec privacy law — and what appears to be the inevitable amendment to the federal and provincial private sector privacy regimes — will expose companies across Canada to severe financial penalties, enhanced litigation risk and significant compliance costs. It is more important than ever for companies to have a thorough understanding of their personal information practices and their privacy obligations, all with a view to identifying and mitigating the expanding array of privacy, legal and reputational risks associated with the collection, use and disclosure, and other processing of personal information.
Here is how the privacy legislative arena is changing.
Québec: Bill 64 overhauls Canada’s first private sector privacy law
The most significant legislative development in the Canadian privacy arena occurred in the province of Québec. Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, received royal assent on September 22, 2021, following its introduction at the Québec National Assembly on June 12, 2020 and subsequent amendments by the Committee on Institutions. The bill introduces sweeping changes to Québec’s existing privacy regime (the Québec Privacy Act), which was Canada’s first private sector privacy law, enacted in 1994.
One of the most notable additions to the Québec Privacy Act’s current framework is the creation under Bill 64 of a new enforcement regime. Within two years of Bill 64’s enactment, failure to comply with the Québec Privacy Act can expose organizations to fines of up to the greater of $25 million and the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. Organizations can also be exposed to administrative monetary penalties of up to the greater of $10 million and the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
Organizations will also face increased costs arising from operational measures required to comply with Bill 64’s expanded and prescriptive requirements. These are the key changes introduced by Bill 64:
- Data governance: Organizations will be required to create an internal policy suite to address the lifecycle of personal information in their custody and control.
- Processing of personal information: Organizations will be required to conduct privacy impact assessments for any project involving the acquisition, development or overhaul of an information system or electronic service delivery system involving the processing of personal information.
- Stronger consent requirements: Bill 64 strengthens consent requirements and creates new exceptions to consent for personal information processing. Organizations will need to examine all collections, uses and disclosures of personal information, improve their consent notices, develop or enhance consent management practices and otherwise ensure the lawful processing of personal information.
- Data localization restrictions: Organizations will have to create an inventory of all cross-border disclosures and transfers (including transfers of personal information to other Canadian provinces) and conduct a privacy impact assessment prior to any disclosure of personal information outside Québec to ensure that the personal information will be “adequately protected” in the other jurisdictions. Under Bill 64, organizations will be prohibited from transferring or disclosing personal information outside the province of Québec in circumstances where such information will not receive “adequate protection,” determined in light of “generally recognized principles regarding the protection of personal information.”
- Security breach notification: Organizations will be required to review and enhance incident response protocols to comply with security breach reporting and notification requirements.
- “Confidentiality by default”: Under this novel requirement, organizations must implement the “highest level” of confidentiality by default with respect to public-facing products or services.
- Use of technology to collect personal information: Organizations collecting personal information from individuals using technology that allows those individuals to be identified, located or profiled must first inform the individual of such technology and of the means available to activate such functions.
Bill 64 also affords individuals in Québec several new data subject rights, including a right to be forgotten, a data portability right, and certain transparency and other rights with respect to automated decision making.
Bill 64’s coming into force is staggered across the next three years, but most of the provisions under Bill 64 (including monetary penalties, damages and new substantive requirements) will come into force on September 22, 2023.
Federal government: Privacy reform…