2021 was another productive year for privacy law reform efforts across Canada. Although the highly anticipated Bill C-11 died on the order paper when the federal election was called in September, both Quebec and British Columbia (B.C.) made significant amendments to their data protection regimes. To mark Data Privacy Day, we highlight these key developments and provide a look ahead at what may be coming in 2022.
In September, the Quebec National Assembly adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information and became the first Canadian jurisdiction to significantly reform its privacy law regime by amending various laws related to the protection of personal information. Of particular note, Bill 64 makes significant amendments to Quebec’s private sector privacy legislation, including requiring organizations to develop privacy governance policies and practices and publish summaries of those policies and practices on the organization’s website, undertake mandatory privacy impact assessments in certain circumstances, and to ensure that default settings on technology products or services are set to provide the highest level of confidentiality, among other requirements (see Privacy Update: Quebec’s Bill 64 Receives Royal Assent | Blakes). The Bill also provides for significant fines and new administrative monetary penalties. Most of these amendments will come into force in September 2023, with a few provisions coming into force in 2022 or 2024. Notably, on September 22, 2022, the requirement to take certain steps in response to a “confidentiality incident”, including to notify the Commission d’acces a l’information (CAI) and affected individuals of a “confidentiality incident” that presents a risk of serious injury and keep a register of any such incident, will come into force.
BRITISH COLUMBIA UPDATE
In November, the B.C. Legislative Assembly passed Bill 22, which amended the Freedom of Information and Protection of Privacy Act (FIPPA) which governs the collection, use and disclosure of personal information by public bodies. Bill 22 introduced a requirement that public bodies develop a privacy management program, report privacy breaches to the Office of the Information and Privacy Commissioner for British Columbia and affected individuals where the incident could reasonably be expected to result in significant harm, and introduced new offences, including where a person willfully collects, uses or discloses personal information except as authorized by FIPPA. Key for entities who provide services to the B.C. public sector, Bill 22 also eliminated the prohibition on disclosing, storing and allowing access to personal information outside of Canada.
In December 2021, the Quebec National Assembly tabled Bill 19, An Act respecting health and social services information and amending various legislative provisions, which, if passed, would establish a framework to govern the collection, use and disclosure of health and social services information. The Bill is intended to “modernize and decentralize” how health data is shared in the province and, importantly, would create new obligations on private health facility operators, including fertility clinics, community laboratories, private seniors’ residences and entities that enter into agreements with health care providers. New obligations also include breach reporting obligations and special rules for researchers who use health information. Bill 19 is expected to be sent to committee and receive further review by the National Assembly this year. The Special Committee of the B.C. Legislature appointed to review the province’s Personal Information Protection Act (PIPA) also released its report with recommendations, including aligning PIPA with provincial, federal and international privacy legislation; explicit protections for sensitive information such as biometric data; mandatory notification of privacy breaches; and enhancing the enforcement powers of the Information and Privacy Commissioner. Although amendments to PIPA have not yet been tabled, new legislation is expected to be introduced soon.
Also in December, the Prime Minister provided a mandate letter to the Minister of Innovation, Science and Industry for the new legislative sessions which included a commitment to “introduce legislation to advance the Digital Charter, strengthen privacy protections for consumers and provide a clear set of rules that ensure fair competition in the online marketplace.” It is widely expected that Minister Champagne will table a new private sector privacy reform bill in 2022 that is similar (but not identical) to Bill C-11. Despite initial progress with Bill C-11, it may take several months for this new federal effort to take shape. However, organizations operating in Canada should anticipate proposals similar to Bill C-11 and begin to prepare for enhanced obligations and penalties. Further, even if the proposed federal reforms align with the new requirement’s mandated under Quebec’s Bill 64, organizations that may fall under the purview of both acts should be cognizant of any deviations and tailor enhancements to their privacy practices accordingly.
Earlier in 2021, the Ontario government unexpectedly released a white paper outlining proposals for standalone private sector privacy legislation in the province in response to perceived short comings in Bill C-11. The proposals, if ultimately introduced as law, would represent a significant change to the privacy obligations of businesses that collect, use and disclose personal information in Ontario. However, with a provincial election scheduled for June 1, 2022, and new federal privacy legislation expected shortly, it seems unlikely that the Ontario government will table its bill in the near future.
Finally, in August 2021, the Minister of Finance released the Advisory Committee on Open Banking’s final report. The Committee recommended that the government implement a hybrid, made-in-Canada approach to open banking and provided the government with an 18-month plan to implementing open banking in Canada. Given the proposed sectoral approach to data portability under Bill C-11, we anticipate that the federal government will move forward with the recommendations from the Committee’s final report on open banking in tandem with its proposals to reboot its privacy law reform initiatives.