2023 was a year of significant change for Canadian privacy and data protection law. As in previous years, to mark Data Privacy Day, we’ve summarized the most important developments from the previous year and provide a look ahead to what may be coming next.
Quebec Privacy Law Amendments Now in Force
On September 22, 2023, the second set of amendments to Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act) made by Bill 64 (now Law 25) came into force.
See our September 2023 Blakes Bulletin: New Quebec Privacy Law Obligations Coming: Is Your Organization Ready? for more information.
Organizations subject to the Quebec Privacy Act must now (among other things):
- Establish and implement internal governance policies and practices in respect of the protection of personal information.
- Conduct privacy impact assessments before any project of acquisition, development and redesign of an information system, or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information.
- Before communicating personal information outside of Quebec, conduct a privacy impact assessment that takes into account factors such as the sensitivity of the information being shared, the purposes for which it is to be used, the protection measures that will apply to the information and the legal framework of the jurisdiction to which the information will be communicated.
- If the organization collects personal information using technology that allows an individual to be identified, located or profiled, such as through non-essential cookies, the organization must inform the individual of the use of such technology and the means available to activate those functions.
- If the organization offers technological products or services to the public, it must ensure that the privacy parameters of such products or services are set to provide the highest level of confidentiality without any intervention by the individual.
In addition to existing enforcement powers under the Quebec Privacy Act, Law 25 introduced a scheme for monetary administrative penalties (AMPs). The maximum AMP for a corporation is C$10-million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. A framework has been published by the Commission d'accès à l'information du Quebec (CAI) to shed light on how AMPs will be imposed. As of January 2024, the CAI has not published any enforcement decisions related to the new amendments.
Certain more egregious violations of the Quebec Privacy Act constitute offences. A court may impose fines for these offences of up to C$25-million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. These limits are doubled in the case of a subsequent offence. Notably, directors and officers may also be liable.
Quebec CAI Guidance Updates
In October 2023, the CAI published its Consent Guidelines, with detailed guidance on the criteria for the validity of consent under the Quebec Privacy Act. These guidelines are not binding. However, they provide best practices for obtaining meaningful consent and should be consulted by organizations subject to the legislation.
To help businesses and public sector entities comply with the changes to the Quebec Privacy Act, the CAI significantly updated its website with new guidance (available in French only).
See our September 2023 Blakes Bulletin: Quebec Privacy Regulator Releases New Guidance for more information.
These updates include a guide to privacy impact assessments, including a generic template, and a new guide to preparing privacy policies.
B.C.’s Intimate Images Protection Act Coming Into Force
British Columbia’s Intimate Images Protection Act (Act) and Intimate Images Protection Regulation (Regulation) will come into force on January 29, 2024. While distributing an intimate image without consent is a criminal offence under the Criminal Code, the Act and Regulation provide a civil remedy for those whose intimate images have been distributed without consent or threatened with distribution. The Act provides individuals with a cause of action for civil damages and an expedited process to have their intimate images deleted, taken down or de-indexed. The Act affects organizations that host or index third-party content through an online platform, defined as internet intermediaries. Since this encompasses most social media platforms, video hosting platforms, websites and search engines, all internet intermediaries should be aware of the new Act and Regulation.
See our January 2024 Blakes Bulletin: B.C.’s Intimate Images Protection Act Coming Into Force for more information.
Ontario’s new PHIPA Penalty Regime
In November 2023, Ontario published a new regulation under the Personal Health Information Protection Act, 2004 (PHIPA) establishing the criteria and amounts for AMPs determined by the Information and Privacy Commissioner (IPC) for a contravention of PHIPA or its regulations. Effective January 1, 2024, the maximum amount of an AMP under PHIPA is C$50,000 for a natural person and C$500,000 for other legal entities, including medical professional corporations and operators of groups of health care practitioners. However, the IPC may increase the amount of an AMP by an amount equal to the economic benefit the person acquires as a result of the contravention.
The IPC has published guidance on these new powers stating that it will not use AMPs as the default response to violations of PHIPA. AMPs will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.
See our January 2024 Blakes Bulletin: Update on Ontario’s PHIPA: Administrative Monetary Penalties Now in Force for more information.
Federal Voluntary Code of Conduct for Generative AI
The past year saw rapid expansion and adoption of generative artificial intelligence (AI) capabilities. In response to these developments, and a slow-moving proposal to introduce the Artificial Intelligence and Data Act (AIDA), the Government of Canada announced a consultation on a proposed Code of Practice for generative AI.
See our September 2023 Blakes Bulletin: Government of Canada Requests Comments on Code of Practice for Generative AI for more information.
This consultation led to the publication of a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. In undertaking this voluntary commitment, developers and managers of advanced generative systems commit to working to achieve the following outcomes:
- Accountability. Firms understand their role regarding the systems they develop or manage, put in place appropriate risk management systems, and share information with other firms as needed to avoid gaps.
- Safety. Systems are subject to risk assessments, and mitigations needed to ensure safe operation are put in place prior to deployment.
- Fairness and Equity. Potential impacts regarding fairness and equity are assessed and addressed at different phases of development and deployment of the systems.
- Transparency. Sufficient information is published to allow consumers to make informed decisions and for experts to evaluate whether risks have been adequately addressed.
- Human Oversight and Monitoring. System use is monitored after deployment, and updates are implemented as needed to address any risks that materialize.
- Validity and Robustness. Systems operate as intended, are secure against cyber attacks, and their behaviour in response to the range of tasks or situations to which they are likely to be exposed is understood.
As of January 2024, 22 Canadian organizations and businesses have adopted this voluntary code.
Uncertainty Around Bill C-27
The federal government’s proposal to reform the Personal Information Protection and Electronic Documents Act (PIPEDA), which also seeks to regulate AI through the introduction of AIDA, remains stuck in the legislative process.
First introduced in June 2022, the Digital Charter Implementation Act, 2022 (Bill C-27) was sent to the Standing Committee on Industry and Technology in April 2023, where it received significant debate and attention over the course of 15 meetings throughout the fall. This process included the proposal of significant amendments by the government to the draft of AIDA, significantly changing the regulatory framework.
See our June 2022 Blakes Bulletin: Privacy Reform Redux: New Federal Bill Set to Reform Canada’s Private-Sector Privacy Law for more information.
Further, on January 15, 2024, the EU Commission announced the conclusion of its review of Canada’s adequacy decision, finding that, for the purposes of Article 45 of the EU’s General Data Protection Regulation (GDPR), data processed in accordance with the GDPR can be subsequently transferred from the EU to Canada without requiring additional data protection safeguards (for example, standard contractual rules) or authorization to transfer the data. Therefore, data can continue to flow freely from the EU to the Canadian private sector. Whether the EU Commission would continue to recognize PIPEDA’s adequacy was a major motivation for Bill C-27’s PIPEDA reform. Now that the adequacy review has concluded with no change, it remains uncertain whether this reform effort remains a priority for the federal government.
For further information, please contact:
or any member of the Privacy & Data Protection group.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2024 Blake, Cassels & Graydon LLP