Canadian privacy laws are changing – here are some practical steps to help businesses adapt to Quebec's Law 25 and proposed federal Bill C-27.

On April 24, 2023, Bill C-27, also known as the Digital Charter Implementation Act, 2022[1], passed its second reading at the House of Commons and was referred to the Standing Committee on Industry and Technology (the "Committee") for further study. As Bill C-27 progresses towards becoming law, businesses must make strategic and tactical plans for complying with new privacy, data protection, and cybersecurity requirements.

This article highlights key changes to Canada's federal privacy laws introduced by Bill C-27, briefly compares these changes to some new rules imposed by Quebec's Act respecting the protection of personal information in the private sector ("Quebec Private Sector Act")[2] as amended by Law 25[3] (most of which came into force in September 2023), and provides a checklist of practical tips to assist you in making your business's practices compliant.

ENHANCED PRIVACY REQUIREMENTS OF BILL C-27: WHAT'S NEW

Bill C-27 was introduced by the federal government on June 16, 2022 with the aim to implement three new pieces of federal legislation: (1) the Consumer Privacy Protection Act ("CPPA"), (2) the Personal Information and Data Protection Tribunal Act ("PIDPTA"), and (3) the Artificial Intelligence and Data Act ("AIDA").

This article focuses on privacy compliance, but as we have reported in other publications and articles, AIDA is a crucial piece of legislation and is the first attempt to specifically regulate artificial intelligence in Canada. Much is uncertain about AIDA's practical consequences at this time, and AIDA will certainly not be finalized in isolation, but Canada's "Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems" was published on September 27, 2023, and offers some guidance to businesses as Bill C-27 progresses. By contrast, compliance under the CPPA is considerably clearer in terms of what businesses can expect, as discussed below.

The CPPA is intended to repeal the privacy provisions of the Personal Information Protection and Electronic Documents Act ("PIPEDA")[4] and replace them with a new legislative framework governing the collection, use, and disclosure of personal information for commercial activity in Canada. The CPPA applies to the same organizations that are currently subject to PIPEDA. This means, from a jurisdictional perspective, that provincial privacy law applies to organizations in the same circumstances as under PIPEDA (the provinces of Quebec, Alberta and British Columbia have their own privacy laws and several other provinces have privacy laws limited to health data). Similar to PIPEDA, the CPPA will also apply only to "commercial activities."[5]

In many cases, the CPPA holds the line while adding clarity with respect to certain aspects of PIPEDA, such as accountability. For example, under the CPPA, organizations will need to designate an individual responsible for ensuring their compliance with legislated obligations and for implementing a privacy management program that includes designated information.[6] Additionally, each organization will be accountable for handling all the personal information it "controls," whether it is handled by the organization itself or a service provider acting on its behalf.[7] These requirements will be newly codified in the CPPA, but they already existed in principle under PIPEDA through less detailed obligations and guiding principles.[8]

At the same time, the CPPA introduces key changes in several areas, including enforcement. More severe penalties for violations of the CPPA and its regulations will be enforced, including administrative monetary penalties of up to $10 million or 3% of global revenue, and fines of up to $25 million or 5% of global revenue. Notably, the PIDPTA creates a new administrative tribunal to enforce penalties under the CPPA and hear appeals of orders by the Privacy Commissioner.

The CPPA also introduces new rules around consent. It adds exceptions allowing for the collection, use and disclosure of personal information without consent[9] and identifies information to be provided when obtaining valid consent from consumers, which must be presented in understandable plain language.[10]

Other notable changes under the CPPA include:

  • adding provisions to help protect the privacy of minors, such as recognizing all personal information belonging to minors as "sensitive" information,[11]
  • giving individuals the right to request disposal[12] and transfer of their personal information,[13]
  • requiring transparency around the use of algorithms in decision-making,[14]
  • adding a private right of action allowing individuals to bring claims against organizations for damages due to non-compliance,[15] and
  • enhancing the Privacy Commissioner's authority to oversee compliance.[16]

MORE ANTICIPATED CHANGES

More recently, at the end of September 2023, the Minister of Innovation, Science and Industry outlined additional expected amendments to Bill C-27 in a letter to the Committee that has been studying the Bill. The letter sets out several planned amendments to the CPPA and AIDA. The amendments to the CPPA include explicitly recognizing Canadians' fundamental right to privacy in the purpose section of the CPPA, requiring organizations to consider the special interests of children with respect to their personal information, and granting more flexibility to the Privacy Commissioner in relation to compliance agreements with non-compliant organizations, including the ability to impose financial penalties. The changes to AIDA include specifying distinct obligations for generative AI systems, like ChatGPT, and aligning AIDA with regulations for artificial intelligence in the European Union.

COMPARING BILL C-27 AND QUEBEC'S LAW 25

Bill C-27 should not be confused with Quebec's Law 25 (formerly known as Bill 64). Law 25 amends the Quebec Private Sector Act, and most of its amendments came into force in September 2023. The Quebec Private Sector Act applies to the collection, use and communication of personal information that takes place in Quebec. Consequently, any organization conducting business in Quebec should be mindful of its implications.

Both Law 25 and Bill C-27 aim to modernize Canadian approaches to privacy laws and, as a result, the new frameworks they introduce contain some similarities related to accountability and transparency, albeit with some nuances. For example, Law 25 implements new rights for individuals that are similar to those discussed above, including the right to be informed of automated processing and the right to data portability (in the latter case, this provision will come into force on September 22, 2024).

Both regimes require appointment of a designated person responsible for privacy compliance. However, the Quebec Private Sector Act requires this person to be the person with the highest authority in the organization (unless another person is specifically appointed in writing), and also requires that the organization make their title and contact information public.[17] Additionally, both frameworks require organizations to ensure their service providers effectively protect personal information, but the Quebec Private Sector Act sets out specific contractual provisions that must be included in service provider agreements.[18] The Quebec Private Sector Act also includes the additional obligation of conducting privacy impact assessments in certain cases, including when personal information is transferred or processed outside Quebec.[19]

Notably, Bill C-27 and Law 25 take slightly different approaches to consent.[20] For example, the Quebec Private Sector Act permits organizations to rely on implied consent to collect and use personal information, under certain conditions, in accordance with the disclosed purposes for which it was collected. However, express consent is always required in cases of sensitive information or in the case of profiling (e.g. in the case of cookies). Bill C-27 sets express consent as the starting point and permits reliance on implied consent "where it is appropriate," taking into account reasonable expectations and the sensitivity of the information.[21] Other differences of note relate to their respective schemes for enforcement and penalties for non-compliance as well as notification requirements in instances of data breaches, among others.

PRIVACY LAW COMPLIANCE CHECKLIST FOR BUSINESSES

These developments in Canada's approach to privacy provide businesses with the opportunity to take stock and review their own privacy practices for compliance with both the current obligations that will be carried over from PIPEDA to the CPPA and other changes brought on by Bill C-27 and Law 25 (where applicable).

Broadly speaking, businesses will want to review and update their internal practices and public-facing policies regarding the collection, use, disclosure and storage of personal information. You may wish to consider the following questions as part of your business's compliance planning (as a start, and keeping in mind that other questions will need to be considered as well):

Does Quebec's Private Sector Act apply to your business?

Consider if the Quebec Private Sector Act is applicable to how your business handles personal information and whether your policies or procedures should be updated for compliance.

Do your business's consent procedures need to be updated?

Review and update your business's consent procedures, including policies regarding whether exemptions apply, when new consent must be obtained, and how revocations of consent are handled.

Is the language in your privacy policy clear?

Ensure the language in your business's privacy policy and requests for consent is understandable and contains appropriate disclosures to meet transparency obligations.

Do contracts with service providers need to be updated?

Determine in what cases you may be a controller of personal information or a service provider. Review and update contracts with service providers to meet accountability obligations and appropriately allocate legal risk.

Do you have a privacy management program?

Appoint an individual in charge of privacy compliance and develop a privacy management program. That individual should at least conduct a data mapping exercise as well as update or establish the required privacy policies and procedures.

Do you have safeguards in your data storage and retention policies?

Review and update your business's data storage and retention policies to ensure appropriate safeguards are implemented to protect personal information and personal information is not held longer than permitted.

Is your staff appropriately trained to handle personal information?

Ensure staff handling personal information have received up-to-date training regarding use of safeguards, reporting data breaches, record keeping and handling requests from individuals.

Conduct audits to ensure staff compliance with policies and procedures.

Footnotes

1. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, 1st Sess, 44th Parl (second reading April 24, 2023).

2. CQLR, c P-39.1.

3. An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25.

4. Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

5. CPPA, s 6.

6. CPPA, s 9.

7. CPPA, ss 7 and 11.

8. PIPEDA, s 5, Schedule 1.

9. CPPA, ss 18-52.

10. CPPA, s 15(4).

11. CPPA, s 2(2).

12. CPPA, s 55.

13. CPPA, s 72.

14. CPPA, s 63.

15. CPPA, s 107.

16. CPPA, ss 76-129.

17. Quebec Private Sector Act, s 3.1.

18. Quebec Private Sector Act, s 18.3.

19. Quebec Private Sector Act, ss 3.3 and 17.

20. For more information regarding the validity of consent in Quebec, please see the guidelines published by the Quebec regulator on October 31, 2023 (in French only).

21. CPPA, s 15(5).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.