As the new year begins, we thought we would focus on three laws (two laws and one bill, actually) and two decisions that will most certainly affect the privacy landscape for Canadian businesses in 2023.
1. Second Wave of Amendments to Québec’s Personal Information Protection Legislation
Law 25’s overhaul of Québec’s private and public sector personal information protection framework is to take effect over four years beginning last September. The most demanding stage for non-compliant entities, however, will be 2023.
As of September 2023, among other things, businesses will be required to:
- have appropriate policies and procedures in place for the collection, use, and communication of personal information;
- conduct privacy impact assessments (i) for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information, or (ii) before communicating personal information outside of Québec;
- have data processing agreements in place with all third-party service providers processing personal information on behalf of the business;
- operationalize new individual rights, such as the right to de-indexation and the right to re-indexation; and
- be subject to severe administrative and criminal penalties of up to 4% of worldwide turnover for the preceding year or $25 million for non-compliance.
2. A Possible New Federal Privacy Law: the Consumer Privacy Protection Act
On June 16, 2022, the federal Minister of Innovation, Science and Industry tabled Bill C-27 in a second attempt to reform Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). Bill C-27 is intended to replace PIPEDA.
It has not yet passed second reading but if it becomes law, Bill C-27 will, among other things:
- create the Personal Information and Data Protection Tribunal to review decisions of the Office of the Privacy Commissioner and impose administrative penalties;
- impose severe financial penalties of up to 5% of global gross revenue or $25 million;
- introduce a private right of action;
- recognize the individual’s right to ask in writing that their information be disposed of; and
- clarify steps to follow to obtain legitimate consent.
3. New Standard Contractual Clauses for Personal Information Transfers from the EU
Any entity relying on standard contractual clauses (“SCCs”) for personal information transfers from the EU must now ensure that it is using the SCCs published by the European Commission on June 4, 2021 (“New SCCs”).
Until December 28, 2022, any entity that had entered into an agreement prior to September 27, 2021, could use the pre-June 4, 2021 SCCs, whereas any entity that had entered into an agreement on or after September 27, 2021 was required to use the New SCCs. The transition period is now over: all entities relying on SCCs must use the June 4, 2021 SCCs. Entities transferring personal information from the U.K., however, may still rely on the U.K. International Data Transfer Agreement and the New SCCs (“UK Addendum”).
4. “Sale of Personal Information” Interpreted Broadly by California AG in a Consumer Context
In a settlement reached August 23, 2022, concerning, among other things, the definition of “sale” under the California Consumer Privacy Act (“CCPA”), Sephora was fined $1.2 million (U.S.) for failing to honour a consumer’s right not to have their personal information sold.
Sephora argued that it was not selling consumer personal information but exchanging it with certain retailers that were allowed to install tracking devices on Sephora’s website and apps to track their products. The retailers would share the resulting analytics with Sephora. The California Attorney General held that although Sephora did not receive money from the retailers in question, the retailers’ analytics were sufficient to constitute a sale under the CCPA.
5. Consent and Market Dominance: A New European Court of Justice Ruling
Finally, the recent opinion of the Advocate General of the European Court of Justice (“CJEU”) in the Meta Platforms v. Bundeskartellamt case should be taken seriously by entities in a position of market dominance that rely on consent as their sole basis for the processing of personal information.
The Advocate General found that the fact an entity held a position of market dominance did not, in and of itself, vitiate free and enlightened consent. However, he also stated that market dominance:
“…does play a role in the assessment of the freedom of consent […], which it is for the controller to demonstrate, taking into account, where appropriate, the existence of a clear imbalance of power between the data subject and the controller, any requirement for consent to the processing of personal data other than those strictly necessary for the provision of the services in question, the need for consent to be specific for each purpose of processing and the need to prevent the withdrawal of consent from being detrimental to users who withdraw it.”
Although the CJEU decision is still pending, a body of law is emerging that is questioning the validity of consent provided to an entity with weak or no competition.