It has been an eventful year for privacy law in Canada. In 2022, the Canadian privacy landscape saw significant changes, as stakeholders at all levels recognized the need to keep up with a data-driven world. This article summarizes the top five recent developments that businesses and stakeholders should be aware of.
1. Bill C-27 Attempts to Modernize the Federal Private Sector Privacy Legislation
On June 16, 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2022 (“Bill C-27” or the “Bill”), received its first reading in Parliament. Bill C-27 attempts to modernize and strengthen Canada’s private sector privacy legislation.
Bill C-27 was raised for debate at second reading in the House of Commons on November 4, 2022. In his opening address, Minister François-Philippe Champagne indicated the government’s intention to pass Bill C-27 swiftly “by Christmas.” Meanwhile, House members from other parties were united by their emphasis on slowing the process down to ensure that Bill C-27 is reviewed with appropriate time and attention. Bill C-27 received another debate at second reading on November 28, 2022. In response to concerns about rushing Bill C-27 to the Committee prematurely, the Speaker of the House made a ruling midway directing that the Artificial Intelligence and Data Act (discussed below) will be voted on separately from the other two Acts in the Bill.
If Bill C-27 is passed, the measures it introduces will bring Canadian privacy law into closer alignment with the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”), and Québec’s privacy reforms introduced by the recently enacted Bill 64 (described below). By bringing our privacy legislation in line with the GDPR and Bill 64, Canada will likely be able to maintain its adequacy status under the GDPR and be considered a substantially similar jurisdiction under Bill 64. This will allow Canadian businesses to transfer personal information from the EU and Québec to Canada and provinces outside of Québec without additional data protection safeguards.
Any benefits Bill C-27 offers to Canadian businesses by making it easier to do business in the EU and Québec are matched by higher standards for privacy compliance and more severe penalties for non-compliance. Among the most significant changes, Bill C-27 would introduce a new Personal Information and Data Protection Tribunal (the “Tribunal”) to review decisions issued by the Office of the Privacy Commissioner of Canada (the “OPC”). Based on its findings, the Tribunal would be authorized to impose administrative monetary penalties of up to $10 million or three percent of the offending organization’s global gross revenues.
The most serious violations of the new legislation, such as knowingly using de-identified information to identify an individual, failing to maintain records of security breaches, or obstructing an investigation carried out by the OPC, would constitute offences punishable, upon prosecution, with a fine of up to $25 million or five percent of the organization’s gross global revenues. Notably, the Bill would also give individuals who suffer a loss or injury due to an organization’s non-compliance a right to bring an action for damages.
If Bill C-27 comes into effect, its heavy administrative penalties and fines will provide all the more reason for Canadian businesses to invest in protecting personal information and to ensure that their processes and procedures remain in compliance with Canadian privacy legislation. Possible non-compliance is not worth the risk.
For more information on the proposed Bill and new requiremen