Emily Prieur is an IPilogue Writer and a 3L JD Candidate at Queen’s University Faculty of Law. This article was originally written as part of the IPilogue’s annual Year in Review but has instead been published as a standalone article.
2021 was a transformational year for Canadian privacy legislation. Following the changes made to the Federal reforms to PIPEDA in 2020, several provinces amended their privacy legislation to protect their constituents’ interests. The private sector may be less welcoming to changes in many provinces which expose companies to potential financial penalties, increased litigation and compliance costs. On the flip side, these proposed legislative changes will strengthen the privacy of Canadians in their everyday lives.
Provincial Legislative Changes
Quebec’s Bill 64 Passes Royal Assent
The most significant development in privacy legislation is Quebec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which received royal assent on September 22, 2021. This legislation is significant because of its dramatic effects on the private sector. Starting September 2022, private sector organizations must inform the privacy regulator following any breach to compromised personal information that presents a “serious risk of injury” to affected individuals. To determine if there was a serious risk of injury to affected individuals, the province turns to the factors outlined in the “real risk of serious harm” section of the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). As noted by IPilogue alumnus Imitaz Karamat, the gradual implementation of Bill 64 allows organizations the opportunity to update their processes and procedures to ensure compliance before September 2022. The Quebec legislation also takes inspiration from the European Union’s General Data Protection Regulation (“GDPR”), which has been touted as the “gold standard” privacy regime because of its strict privacy standards and its partiality towards consumers.
The omnibus bill included other legislative requirements such as changes to company websites, assignment of a Privacy Officer, completion of Privacy Impact Assessments, and requirements for consent, individual rights, and automated decision making. To date, the analysis of the legislation compares the provisions to the European GDPR.
Companies operating in Quebec are now required to publish their company privacy policies on their websites. Such privacy policies must describe how companies plan to use personal information.
In the event of privacy infringements that violate individuals’ private information, individuals will now have recourse through administrative monetary penalties, penal offenses, and private rights of action.
Finally, similarly to the GDPR, Quebec introduced consent requirements for collecting personal information, including express consent before using sensitive information and parental consent for minors under the age of 14.
Ontario Welcomes Consultations and Proposes Changes
Under the leadership of recently appointed Patricia Kosseim, the Office of the Privacy Commissioner pursued their goal of passing an equivalent piece of legislation in 2021. In response to an op-ed piece that argued against provincial legislation in fear of redundancy and duplication, Kosseim recently penned her opinions regarding the potential for new provincial legislation to “fill in the gaps” of what Federal privacy legislation cannot accomplish.
In keeping with Kosseim’s motivation to strengthen privacy laws in Ontario, the Government of Ontario released a White Paper along with calls for consultation in June 2021. The White Paper, titled “Modernizing Privacy in Ontario,” set out several proposals the Ministry is considering to strengthen privacy protection for Ontarians. To strengthen such protections, the Ministry has proposed making privacy a fundamental right in Ontario. Ontario has also included suggestions to protect youth privacy online, regulate automated decision-making, and require more informed consent and data transparency from private corporations.
The Ministry allowed the public to provide comments and feedback until August 2021. The Office of the Privacy Commissioner applauded the provincial government for taking a “principles-based, flexible, pragmatic, and proportionate approach” with its proposal.
BC’s PIPA Committee Releases their Final Report
The British Columbia Legislative Assembly also created a special committee to review the British Columbia Personal Information Protection Act (“PIPA BC”) in February 2020. The objective of this committee was to publish a report proposing amendments to PIPA BC, which the committee completed in December of 2021. In the report, the committee suggested aligning PIPA BC with PIPEDA and Europe’s GDPR. Like the recently passed Quebec legislation, the committee also suggested mandatory breach notifications if a breach surpasses the “real risk of significant harm” threshold as established in PIPEDA. The committee also recommended broadening the definition of personal information to address the potential issue of de-identification. Finally, the committee proposed that the Office of the Information Privacy Commissioner have greater enforcement powers.
Federal Legislative Changes
The Federal Office of the Privacy Commissioner (“OPC”) did not introduce any new legislation in 2021. The Office was engaged in issues surrounding Clearview AI as well privacy issues resulting from the COVID-19 pandemic, including privacy with respect to vaccine passports and the rise in reliance on video teleconferencing platforms like Zoom and Microsoft Teams. The Canadian OPC, along with privacy authorities in Australia, Gibraltar, Hong Kong SAR, China, Switzerland, and the United Kingdom, communicated by letter to the videoconferencing companies regarding their rapid expansion during the pandemic to query and confirm that these technology companies were using appropriate privacy safeguards. The letter led to a series of video calls between the signatories and representatives from the companies. Finally, the signatories published observations and suggestions to improve privacy going forward. Among the suggestions were the implementation of end-to-end encryption, the identification of secondary use data (as well as an opt-out system), and the option for users to choose where their data is stored.
New and amended privacy legislation continues to develop in Canada and worldwide. Follow the IPilogue and subscribe to our newsletter, the IPIGRAM, for any important legislative changes that emerge in 2022.