Canadian Lawyer

March 2022

The most widely read magazine for Canadian lawyers

Issue link:

Contents of this Issue


Page 47 of 51

46 LEGAL REPORT DIGITAL CHARTER IMPLEMENTATION ACT PROVISIONS obtained consent, Scassa adds. "And so, there's a lot of discussion about how the rules can be adapted in data protection laws to give organizations more freedom to use data that they've already collected in new and innovative ways. That's another chal- lenge to consent," she says. "These things were controversial under C-11, and I think they're going to remain controversial. … It' ll be interesting to see what changes the government [might make to] any new bill we see in the winter." Bill C-11, like Quebec's new legislation, also aligned with the GDPR in imposing substantial monetary penalties on compa- nies. Concern over the proposed legislation is twofold, says Wendy Mee, co-chair of the privacy group at Blake, Cassels and Graydon LLP in Toronto. First, "there shouldn' t be significant consequences for non-compliance if you were trying to get it right and just didn't, because privacy is complicated." Second, "if we are going to have the possibility of significant financial conse- quences for companies, we have to have appropriate appeal and review procedures," says Mee. At present, if a privacy commis- sioner investigates a company for a data breach or other incident and releases a report which is then made public, "there isn't necessarily an appeal right [for the company on the findings] unless it goes to court, which is very rare." Provincial reform of privacy law In September, Quebec's Act to modernize legislative provisions relating to the protec- tion of personal information, or Bill 64, received royal assent after its adoption by the National Assembly of Quebec a day earlier. The new regulations will come into effect in three stages over three years. Beginning this September, organizations must notify the privacy regulator and indi- viduals of any breaches to compromised personal information that present a "risk of serious injury" to the affected individuals. Penalties for infractions are among the most stringent in the world. Administrative fines are $50,000 per individual and $10 million for corporations, or two per cent of global turnover from the previous year, whichever is higher. Criminal penalties can be $100,000 for individuals and $25 million, or four per cent of the prior year's global turnover, for corporations. Drafters modelled these penalties after those in the GDPR. "It seems there's a level of universal support to make our privacy legislation more robust, considering what's happening internationally," says Mee. Three other provinces have conducted public consultations as a preamble to updating (or creating) their private-sector privacy laws. In December, British Columbia's special committee to review its Personal Information Protection Act released 34 recommendations Meaningful consent Modernized consent rules would ensure the availability of plain-language information. Data mobility Individuals may direct the transfer of their personal information from one organization to another. Disposal of personal information and withdrawal of consent Individuals may ask organizations to dispose of their personal information and withdraw consent for its use. Algorithmic transparency Businesses must be transparent about how they use automated decision-making systems. De-identified information De-identified information may be used without an individual's consent only under certain circumstances. PRIVACY AND DATA "If we are going to have the possibility of significant financial consequences for companies, we have to have appropriate appeal and review procedures" Wendy Mee, Blake, Cassels and Graydon LLP Source: Innovation, Science and Economic Development Canada

Articles in this issue

Links on this page

Archives of this issue

view archives of Canadian Lawyer - March 2022