
Canada privacy law reforms: What is changing and how does it affect you?


In recent years, information privacy has become a growing concern in Canada, prompting significant changes in how personally identifiable information (PII) is collected, stored, and used.

Canada has revamped its privacy laws to strengthen privacy protections at both the provincial and federal levels. The focus is on bringing Canada's privacy and data protection laws in line with international data privacy regimes, enhancing individuals' rights and protections, and introducing meaningful fines and penalties. What triggered the overhaul?

The existing privacy laws are undergoing updates for several reasons, including rapid technological advancements in artificial intelligence (AI), a complex third-party vendor landscape, heightened cybersecurity threats, increasing cross-border data flows, changing business requirements, and evolving international standards.

A notable example of this is the rapid maturation of privacy-enhancing technologies (PETs), such as differential privacy, federated learning, and homomorphic encryption, which let organizations derive value from data while limiting the exposure of personal information and thereby support user trust and transparency.

Another example is the restriction of TikTok, a popular video-sharing social media application: it has been removed from government-issued devices in the United States, the European Union institutions, and Canada, and banned outright in India, citing security threats and privacy concerns. These measures are part of a broader effort by governments to safeguard sensitive information and mitigate potential breaches of national security.

The shifting privacy landscape in Canada also reflects a growing recognition of the significance of safeguarding individuals’ personal information in an ever-expanding digital world.

In the last few years, the Canadian privacy landscape underwent substantial transformations, driven by the need for federal and provincial governments to align with demands in a data-centric world. Our Data Privacy and Protection team explores the privacy developments that have defined recent years.

Developments at the federal level

In June 2022, the Canadian federal government introduced Bill C-27, the Digital Charter Implementation Act, 2022. The bill bundles three proposed statutes: the Consumer Privacy Protection Act (CPPA), governing private-sector privacy and data protection; the Personal Information and Data Protection Tribunal Act; and the Artificial Intelligence and Data Act (AIDA), which would be the first comprehensive law governing AI systems in Canada.

At the time of writing, the bill is before the House of Commons Standing Committee on Industry and Technology and could be passed in 2024. If enacted, the CPPA would replace Part 1 of the existing Personal Information Protection and Electronic Documents Act (PIPEDA), the part that governs how private-sector organizations collect, use, and disclose personal information.

Should Bill C-27 receive approval, the introduced measures are poised to align Canadian privacy laws more closely with the European Union’s General Data Protection Regulation (GDPR) and Quebec’s privacy reforms introduced by the recently enacted Law 25.

This alignment is expected to help Canada retain its adequacy status under the GDPR, which the European Commission periodically reviews, and to support findings under Law 25 that personal information communicated from Quebec to other Canadian jurisdictions will receive adequate protection. In practice, that would let Canadian businesses transfer personal information from the EU and from Quebec to provinces and territories outside Quebec without negotiating additional contractual safeguards for each transfer. Note that Law 25 still requires a privacy impact assessment before personal information is communicated outside Quebec; alignment simplifies the conclusion that assessment reaches, it does not remove the obligation to perform it.

The bill would give the Privacy Commissioner of Canada order-making powers, create a Personal Information and Data Protection Tribunal to review those orders and impose administrative monetary penalties, and set fines for privacy violations. Through AIDA, it would also regulate the design, development, and use of "high-impact" AI systems, including those embedded in consumer applications.

Developments in Quebec

Quebec’s recent legislation, Law 25 (previously known as Bill 64, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information), brings substantial modifications to the privacy laws governing both the private and public sectors in the province. It is imperative for every organization processing personal information in Quebec to understand the novel requirements and establish suitable processes for compliance.

Law 25's legal impact is phased, with provisions becoming enforceable in a staged manner in September 2022, September 2023, and September 2024.

The following are the key obligations that came into effect in September 2022:

  • Appointing a privacy officer: By default, the person with the highest authority in the organization (for example, the CEO) is responsible for the protection of personal information. That function may be delegated in writing to another person, but the title and contact details of whoever holds it must be published on the organization's website.
  • Mandatory breach reporting: Report any confidentiality incident that presents a risk of serious injury to the Commission d'accès à l'information (CAI), Quebec's data protection authority, and notify the affected individuals. Keep a register of all confidentiality incidents, including those that did not meet the reporting threshold, and make it available to the CAI on request.
  • Biometrics: Disclose to the CAI any use of biometric characteristics or measurements to verify or confirm a person's identity. The creation of a database of biometric characteristics or measurements must be disclosed to the CAI no later than 60 days before the database is brought into service; disclosure after the fact does not satisfy the requirement.

The following are the key obligations that came into effect in September 2023:

  • Privacy policy: Publish on the organization's website a privacy policy, written in clear and simple language, that describes how the organization collects, uses, communicates, and retains personal information, and publish notice of any change to it.
  • Privacy impact assessments: Conduct a privacy impact assessment (PIA) for any project to acquire, develop, or redesign an information system or electronic service delivery that involves personal information, and before communicating personal information outside Quebec. For a transfer outside Quebec, the PIA must consider the sensitivity of the information, the purposes for which it will be used, the protection measures that will apply, and the legal framework of the receiving jurisdiction.
  • Purpose, collection, and consent: Review existing practices for collecting, storing, using, and disclosing personal information. Collect only what is necessary for stated purposes, and obtain consent that is clear, free, informed, and given for specific purposes, requested separately from any other information presented to the individual.
  • Destruction of personal information: Once the purposes for which personal information was collected or used have been achieved, destroy it or anonymize it for serious and legitimate purposes, subject to any retention period required by law.
  • Right to be forgotten: Implement a process to handle requests from individuals to cease disseminating their personal information, or to de-index a hyperlink that gives access to it, where the dissemination contravenes the law or a court order, or causes serious injury to the person's reputation or privacy that clearly outweighs the public interest in the information.

And finally, the following key obligation will come into effect in September 2024:

  • Data portability: Be able to provide, on request, the computerized personal information collected from an individual in a structured, commonly used technological format, either to the individual or, at their request, to another person or organization authorized by law to collect it. The right covers information collected from the person, not information the organization derived or inferred from it.

Besides these phased requirements, Law 25 substantially raises the cost of non-compliance. The CAI can impose administrative monetary penalties on private-sector organizations of up to $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater, and penal fines range from $15,000 to $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.

By understanding and implementing processes to meet these requirements, businesses and organizations can ensure that they comply with Law 25 and are protecting the personal information of their customers and employees.

Developments in British Columbia

In November 2021, British Columbia passed Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, 2021, which amends the Freedom of Information and Protection of Privacy Act (FIPPA). Its stated objectives are to strengthen government accountability and transparency, enhance privacy safeguards within the public sector, enable greater information sharing with Indigenous communities and governing entities, and reduce the risk of harmful disclosures.

FIPPA, as amended by Bill 22, governs how provincial public bodies in British Columbia (government ministries and agencies, municipalities, Crown corporations, post-secondary institutions, school boards, health authorities, and self-governing professional bodies) collect, use, disclose, and retain personal information.

Bill 22 introduces the following crucial amendments to FIPPA:

  • requiring each public body to develop a privacy management program;
  • requiring each public body to notify an affected individual and the Privacy Commissioner if a privacy breach could be expected to result in significant harm to the individual;
  • repealing the general prohibition on storing and accessing personal information outside Canada (disclosure outside Canada is now governed by regulation rather than barred outright);
  • introducing new privacy offences and penalties that apply to individuals, service providers, and their employees and associates; and
  • allowing public bodies to charge an application fee for general freedom of information requests (requests by individuals for their own personal information are exempt from the fee).

Top priorities for organizations

For most organizations, data, and especially the personal information of clients and customers, is a pivotal asset that drives much of their sales and marketing activity. The same data is also one of their largest sources of risk. Organizations must therefore manage all personal information they process across the complete information management life cycle, from collection through use and retention to final disposal.

To comply with privacy and data protection regulations like Quebec’s Law 25, British Columbia’s Bill 22, and other international privacy and data protection obligations, organizations must commit to investing in data protection strategies such as:

  1. Establishing a privacy program: Organizations will need to establish a privacy program to ensure compliance with the new regulations. This program should include policies, procedures, and guidelines for protecting personal data, handling data subject rights, handling data breaches, and responding to privacy-related inquiries.
  2. Conducting privacy impact assessments (PIA): PIAs are a critical component of any privacy program. They involve an assessment of how an organization's activities, products, and services may impact individuals' privacy rights. Organizations may need to conduct PIAs to identify potential privacy risks and take steps to mitigate them.
  3. Appointing a privacy officer: The appointment of a privacy officer is another implication of new privacy regulations. The privacy officer is responsible for overseeing an organization's privacy program, ensuring compliance with regulations, and serving as a point of contact for privacy-related inquiries.
  4. Updating data handling and processing procedures: Organizations may need to update their data handling and processing procedures to align with the new privacy regulations. This may include implementing new data retention and destruction policies, obtaining explicit consent for data processing activities, establishing privacy breach reporting processes, and providing individuals with greater control over their personal data.
  5. Training and awareness programs: The introduction of new privacy regulations may require organizations to provide training and awareness programs to employees. This training should cover the organization's privacy policies and procedures, as well as the new regulatory requirements. Training and awareness programs can help ensure that employees are aware of their responsibilities and help prevent data breaches or privacy violations.

How BDO can help

Our Data Privacy and Protection team provides a holistic strategy for privacy management, equipping you to navigate today’s complex privacy landscape.

We are committed to allocating the time and resources necessary to comprehensively grasp the intricacies of your business, personal information utilization, and overall data management.

Our team’s broad range of skill sets encompass cybersecurity, information life cycle management, and data analytics. With substantial experience in governance, operations, technology, compliance, and risk management, we address immediate privacy and data protection concerns while helping you maintain operational readiness.

Contact us to learn more:

Ziad Akkaoui
Partner and National Practice Leader, Risk Advisory
[email protected]

Dishank Rustogi
National Leader, Cyber Risk Management and Transformation
[email protected]

Chathurya Pandurangan
Manager, Cyber Risk Management and Transformation
[email protected]

Bobbi Birk
Manager, Risk Advisory Services
[email protected]
