In recent years, information privacy has become a growing concern in Canada, prompting significant changes in how personally identifiable information (PII) is collected, stored, and used.
Canada is currently revamping its privacy laws to further strengthen privacy protections both at the provincial and federal levels (e.g., Quebec’s Law 25, British Columbia’s Bill 22, and the Federal Government’s Bill C-27). The focus is on bringing Canada’s privacy and data protection laws in line with international data privacy laws, enhancing individuals' rights and protections, including fines and penalties. But what are the triggers to overhaul them?
Rapid technological advancements, increased adoption of outsourcing, rising cybersecurity threats, increasing cross-border data flows, and changes in international standards are some of the top reasons to make updates to the existing Canadian privacy laws. A case in point would be the ban on the popular video-sharing social media application, TikTok from being installed on all government-issued devices amid global concerns surrounding privacy, cybersecurity, and misinformation. This follows similar movements by the European Union, the United States, and India. Furthermore, this move was part of a wider effort by the Canadian government to protect sensitive information and prevent potential breaches of national security. Overall, the changing privacy landscape in Canada reflects a growing recognition of the importance of protecting individuals’ personal information in an increasingly digital world.
With such significant changes for the Canadian privacy landscape in 2022—driven by the need for both provincial and federal governments to keep up with a data-driven world—our experts have outlined and described these developments that defined such an eventful year.
Developments at the federal level
In June 2022, the Canadian federal government introduced Bill C-27, the Digital Charter Implementation Act, which contains newly proposed legislation relating to consumer privacy, data protection, and the first comprehensive laws governing artificial intelligence (AI) systems in Canada.
If Bill C-27 is passed, the measures it introduces will bring Canadian privacy law into closer alignment with the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”), and Quebec’s privacy reforms introduced by the recently enacted Law 25 . This alignment will likely allow Canada to maintain its adequacy status under the GDPR and be considered a substantially similar jurisdiction under Law 25. In turn, this will allow Canadian businesses to transfer personal information from the EU and Québec to Canada and provinces outside of Québec without additional data protection safeguards.
Developments in Quebec
The new legislation in Quebec, Law 25 (previously Bill 64, An Act to modernize legislative provisions as regards the protection of personal information) brings significant changes to Quebec’s private and public sector privacy law. Every organization operating in Quebec that processes personal information must understand the new requirements and implement adequate processes to ensure compliance. Law 25's legal effect is staggered, with provisions being enforceable in phased approach in September 2022, September 2023, and September 2024.
The following are the key obligations that are in effect from September 2022:
- Appointing a privacy officer: Identify a person in charge of the protection of personal information and publish the contact details of that person or delegate this function to another person within the organization.
- Mandatory breach reporting: Critical breaches that pose a risk of serious injury to Quebec’s data protection authority, notify the impacted individuals, and keep a register of confidentiality incidents.
- Biometrics: Notify Quebec’s data protection authority before using any biometric techniques to verify or confirm identity of a person. Organizations are required to notify the data protection authority within 60 days of the creation of a database containing biometric characteristics and associated measures.
The following are the key obligations that will come into effect in September 2023:
- Privacy impact assessments: Mandatory privacy impact assessments (PIAs) are required for the transfer of personal information outside of Quebec when creating or acquiring any digital systems.
- Purpose, collection, and consent: Conduct a comprehensive review of existing practices to collect, store and disseminate consumer information and make sure that the practices are in line with updated data subject rights.
- Destruction of personal information: Implement a system to either destroy or anonymize personal information once the purpose for which it was collected has been achieved.
- Right to be forgotten: Implement a system to fulfill requests from individuals who wish to stop their personal information from being disseminated.
And finally, the following key obligation comes into effect in September 2024:
- Data portability: Implement the technology to be able to produce a digital copy of all personal information that you hold in respect to any individual upon request.
Besides these phased requirements, Law 25 increases the fines for non-compliance with privacy legislation, with private-sector entities subject to fines ranging from CAD $15,000 to $25 million or an amount corresponding to four percent of worldwide turnover for the preceding fiscal year (whichever is greater).
By understanding and implementing processes to meet these requirements, businesses and organizations can ensure that they are in compliance with Law 25 and are protecting the personal information of their customers and employees.
Developments in British Columbia
British Columbia introduced Bill 22 - Freedom of Information and Protection of Privacy Act (FIPPA) in November 2021. The stated purpose of Bill 22 was to strengthen government accountability and transparency, enhance public sector privacy protections, and increase information sharing with Indigenous peoples while limiting harmful disclosure. This bill regulates how provincial public bodies in British Columbia (e.g., provincial government ministries and agencies, municipalities, crown corporations, post-secondary institutions, school boards, health authorities, and self-governing bodies of professions) collect, use, disclose and retain personal information.
The following are the key changes to FIPPA brought in by Bill 22:
- requiring each public body to develop a privacy management program;
- requiring each public body to notify an affected individual and the Privacy Commissioner if a privacy breach could reasonably be expected to result in significant harm to the individual;
- repealing the prohibition on the storage and access to personal information outside of Canada;
- introducing new privacy offences and penalties that apply to individuals, service providers, and their employees and associates; and
- allowing authorities to charge an application fee for access to information requests.
Top priorities for organizations
For most organizations, data is regarded as the key asset, in particular the personal information of clients and customers that drives much of sales and marketing activity. It is also data that carries the greatest risk. Organizations must ensure that all personal information processed is effectively managed through the entire information management lifecycle—from data collection to final disposal. To comply with privacy and data protection regulations like Quebec’s Law 25, and British Columbia’s Bill 22 as well as other global privacy and data protection obligations, organizations will need to invest in data protection strategies such as:
- Establishment of a privacy program: Organizations will need to establish a privacy program to ensure compliance with the new regulations. This program should include policies, procedures, and guidelines for protecting personal data, handling data subject rights, handling data breaches, and responding to privacy-related inquiries.
- Conducting privacy impact assessments (PIA): PIAs are a critical component of any privacy program. They involve an assessment of how an organization's activities, products, and services may impact individuals' privacy rights. Organizations may need to conduct PIAs to identify potential privacy risks and take steps to mitigate them.
- Appointment of a privacy officer: The appointment of a privacy officer is another implication of new privacy regulations. The privacy officer is responsible for overseeing an organization's privacy program, ensuring compliance with regulations, and serving as a point of contact for privacy-related inquiries.
- Updating data handling and processing procedures: Organizations may need to update their data handling and processing procedures to align with the new privacy regulations. This may include implementing new data retention policies, obtaining explicit consent for data processing activities, privacy breach reporting processes, and providing individuals with greater control over their personal data.
- Training and awareness programs: The introduction of new privacy regulations may require organizations to provide training and awareness programs to employees. This training should cover the organization's privacy policies and procedures, as well as the new regulatory requirements. Training and awareness programs can help ensure that employees are aware of their responsibilities and help prevent data breaches or privacy violations.
How BDO can help
How your business operates and uses personal information are the starting points for how we will work with you. We are committed to investing time and resources into understanding your whole business, how you use personal information, and how that data is managed throughout the organization.
BDO’s Data Privacy and Protection team offers a comprehensive approach to privacy management to help you rise to the challenge of today’s privacy landscape. Our broad range of skills and expertise include cybersecurity, information lifecycle management, and data analytics. We also have extensive experience across governance, operations, technology, compliance, and risk management, enabling us to focus on immediate privacy and data protection concerns while maintaining operational readiness.
Contact us to learn more:
Partner and National Practice Leader, Risk Advisory
National Leader, Cyber Risk Management and Transformation
Manager, Cyber Risk Management and Transformation
Senior Consultant, Risk Advisory Services