Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/1365049
PRIVACY

Proposed Canadian privacy legislation includes enforcement powers for regulators

Ontario's potential private-sector legislation, Quebec's Bill 64 and the federal Bill C-11 all include stronger enforcement regimes

Strengthening privacy legislation was a priority for governments across Canada in 2020 and organizations must keep an eye on the continued evolution in 2021. In particular, new or amended private-sector privacy legislation has been proposed at both the federal and provincial level.

One longstanding criticism of Canadian privacy legislation is the lack of enforcement powers for the regulators. Ontario's potential private-sector legislation, Quebec's Bill 64 and the federal Bill C-11 all include stronger enforcement regimes, including the introduction of monetary penalties and the ability for commissioners to make orders.

Quebec: Bill 64

In June 2020, the Government of Quebec tabled Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which would update the existing legislation applicable to the protection of personal information. In particular, Bill 64 includes new notification and record-keeping requirements relating to data breach incidents, as well as new data subject rights such as the right to data portability, the right to be forgotten and various rights related to automated processing and decision-making.

Bill 64 would also give the Commission d'accès à l'information the power to impose administrative monetary penalties of the greater of $10 million or 2% of worldwide turnover in the previous fiscal year. In the case of penal proceedings for violations of the Private Sector Act, fines could be the greater of $25 million or four per cent of worldwide turnover in the previous fiscal year.
Ontario: consultation on private sector privacy legislation

In August 2020, the Government of Ontario released a discussion paper and held a consultation seeking input on private sector privacy law reform in the province. The discussion paper includes a series of proposals the government is exploring to consider a "made-in-Ontario" privacy law. These proposals are largely in line with other Canadian privacy laws and include the requirement for clear consent provisions and increased transparency to provide individuals with more detail about how their information is being used.

The discussion paper further proposes oversight, compliance and enforcement powers for the Information and Privacy Commissioner, which would include the ability to impose financial penalties. The discussion paper notes that a proactive approach to compliance will be preferred; however, empowering Ontario's enforcement regime will be crucial to modernizing privacy protections and will help to support the public's confidence that enforcement is meaningful.

Federal Bill C-11

In November 2020, the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020, which enacts the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. Like the Personal Information Protection and Electronic Documents Act, the CPPA would apply to private-sector organizations that collect, use or disclose personal information in the course of commercial activity.

Bill C-11 would repeal the privacy provisions of PIPEDA and introduce new obligations for organizations, including an obligation to implement a privacy management program that includes policies, procedures and training of its employees, as well as the requirement to provide a user with certain information, in plain language, at the time consent is sought.

The CPPA includes a stronger enforcement regime.
Under PIPEDA, the Privacy Commissioner of Canada does not have the power to issue orders against organizations. The CPPA would give the commissioner various order-making powers including, for example, the ability to make orders requiring organizations to take measures to comply with the CPPA or to stop doing something that contravenes the CPPA.

After completing an inquiry, the commissioner may recommend to the newly created Personal Information and Data Protection Tribunal that a monetary penalty be imposed. The maximum amount is the higher of $10 million or three per cent of the organization's gross global revenue for the prior financial year. Other contraventions of the CPPA carry even higher fines. For example, failing to report a breach to the Office of the Privacy Commissioner of Canada could result in a fine of up to $25 million or five per cent of global annual revenue.

Key takeaways

In preparation for the potential changes to Canada's private-sector privacy landscape, organizations should take this opportunity to review their privacy policies and practices, including reviewing customer-facing privacy policies to ensure they are drafted in clear and plain language, implementing or updating internal privacy compliance programs (including policies, procedures and training for employees) and creating or updating breach response plans and record-keeping requirements.

Amanda Branch is an associate at Bereskin & Parr LLP with extensive experience in privacy law, including cybersecurity and data breach. Her practice focuses on marketing and advertising law, cannabis law, consumer protection, regulatory and privacy law. She also advises on legal issues related to the internet and digital media, including social media and other online platforms.