Privacy Update - New Laws And Cases Of Interest

Jurisdiction: Canada
Law Firm: Bereskin & Parr LLP
Subject Matter: Litigation, Mediation & Arbitration, Privacy, Privacy Protection, Class Actions
Author: Ms Melanie Szweras, William Audet, Prudence Etkin, Parnian Soltanipanah and Julia London
Published date: 12 April 2023

Canada's privacy and data protection laws have undergone significant evolution, bringing them more in line with those of its international partners and advancing technology. Legislative reforms reflect a general trend towards stricter regulations for the use, collection and disclosure of personal information and higher penalties for non-compliance. The courts have tempered these advancements by establishing a higher bar for advancing claims under the tort of intrusion upon seclusion against database defendants in third-party cybersecurity attacks.

Legislative Reform

Law 25: The Privacy Legislation Modernization Act

Law 25 (formerly Bill 64), enacted by the Quebec government, made significant changes to Quebec's Act Respecting the Protection of Personal Information in the Private Sector (QC ARPPIPS). Law 25 applies to all organizations that are headquartered in Quebec or hold personal information of Quebec residents. While a number of the new provisions came into force September 22, 2022, the rest are set to come into effect September 2023 and 2024.

As of September 2022, organizations are required to identify a Privacy Officer and begin mandatory breach reporting to the Commission d'accès à l'information (CAI). By default, the person with the highest authority at the organization, such as the CEO, will be deemed the person in charge of the protection of personal information. However, they can choose to delegate, in writing, to any other person within the organization. The Privacy Officer's role is to oversee the protection of personal information and ensure compliance with Law 25. Mandatory breach reporting requires organizations to report "confidentiality incidents" involving personal information that present a "risk of serious injury" to the CAI and affected individuals. Organizations must also keep a register of confidentiality incidents and demonstrate measures taken to prevent similar incidents from occurring in the future.

The amendments under Law 25 coming into effect September 2023 will require organizations to develop a detailed policy and practices plan, carry out privacy impact assessments (PIAs), and prepare for new requirements regarding cross-border transfers, consent, outsourcing, retention and destruction, transparency, and increased penalties. PIAs help ensure continuous protection of personal information and will be mandatory: (1) when personal information is transferred outside Quebec; (2) when an organization outside of Quebec is entrusted with collecting, using, disclosing or retaining the personal information; (3) before communicating personal information without consent for research purposes; and (4) for any project to acquire, develop or redesign an information system or electronic service delivery system involving the collection, use, disclosure, destruction or retention of personal information. Law 25 also introduces new and more severe penalties for non-compliance. Organizations can be held liable for up to $10 million or 2% of their worldwide turnover in administrative monetary penalties (AMPs), and up to $25 million or 4% of their worldwide turnover for penal offences. Fines will double in the event of a subsequent offence. Additionally, Law 25 maintains a Private Right of Action for citizens whose privacy was breached or infringed upon intentionally, or from gross fault. Although these amendments will not be coming into force for some months, organizations should be mindful of these future policies when developing their long-term privacy strategy.

Lastly, in September 2024, organizations will have to start accounting for a user's data portability rights. This expands on users' right to access provisions and allows users to request that their personal information be communicated to them or an authorized third party in a commonly used technological format. Businesses will need to prepare for processing and responding to such requests come September 2024.

The Digital Charter...
