On February 23, 2023, McCarthy Tétrault hosted our 13th Annual National Retail and Consumer Markets Summit – our annual client-focused event that canvasses a selection of the most timely and relevant developments facing the retail and consumer markets (“RCM”) industry.
Themes that emerged from Part 2 of the Summit focused on recent developments relating to new private sector privacy legislation, the use of location services data, electronic monitoring of employees and disconnecting from work policies. Speakers provided practical and insightful guidance relating to compliance with new nuances in both Canadian privacy law and employment law.
The following is Part 2 of a three-part series highlighting key takeaways and trends from this year’s Summit.
Coast-to-Coast Privacy Update
Businesses should be aware that privacy legislation differs across Canada.
Alberta, British Columbia and Québec have their own privacy laws. Provinces without their own private sector privacy legislation (including Ontario) are governed by the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Bill C-27: The Digital Charter Implementation Act:
Bill C-27, or the Digital Charter Implementation Act, was first introduced in June 2022. This Bill will enact the Consumer Privacy Protection Act (the “CPPA”), to replace PIPEDA, as well as the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. The Bill is still in the process of becoming law.
What will the CPPA do, if it becomes law?
Critically, the CPPA will implement monetary penalties for non-compliance. In fact, the CPPA adds to our current name-and-shame regime with administrative fines of the greater of $10 million or 3% of the non-compliant organization’s global revenue and fines for specific offences of up to $25 million or 5% of global revenue.
Bill C-27 currently contemplates changes to the consent requirements, but there may be legitimate grounds to collect information without requiring consent and we can provide advice in this respect. Bill C-27 also adds provisions on the handling of personal information of minors. Notably, there are no proposed changes to cross-border data transfers. For further details on this topic, check out our Bill C-27 Blog Post series here.
Effective tools can enable internal teams to ensure privacy law compliance and reduce cyber-security risks. Businesses should consider conducting a Privacy Impact Assessment (“PIA”) any time they are implementing new software or practices which touch on privacy. This includes due consideration to reduce the scope of data the organization has in its possession when cyber-security risks emerge.
Key features of the Canadian private sector privacy regime include:
- Individuals do not have an absolute right to demand the erasure or reduction of data held, but individuals can withdraw consent from the collection or processing of their personal information.
- Businesses are expected to have procedures in place to routinely destroy data.
- Fines can be significant and federal and provincial fines may overlap.
- Businesses are expected to dedicate sufficient time and resources to ensure they are compliant.
- Privacy commissioners’ key enforcement approach is to name-and-shame those found to be non-compliant. There is also a risk that class actions will emerge in instances of non-compliance and upon being named-and-shamed by the Commissioner.
- Businesses are expected to have resources available and capable of recovering data lost by data breaches.
Key features of the Québec (Bill-64) Regime:
Bill-64 introduced a significant overhaul of Québec’s provincial private sector privacy law that applies to both consumers and employees.
Bill-64 will enter into force over three years: 2022, 2023 and 2024. For a 360 view on the implications of Bill-64 on business, check out our Blog Post: Bill-64: An Overhaul of Québec’s Privacy Law Regime – Implications for Business.
Highlights of the 2022 reforms include:
- A requirement to have a Chief Privacy Officer (“CPO”). If a CPO is not designated in writing, the person with the highest authority is deemed to hold this title.
- New breach notification requirements to be provided to the Commission d’accès à l’information and the individuals whose data has been impacted.
- Requirement to keep an incident register.
- Requirement to declare the existence of any biometric database and any use of biometric information. This declaration must be made at least 60 days before the creation of the database, as applicable.
Highlights of the 2023 reforms include:
- Privacy by design requirements – Any organization that offers a technological solution that offers privacy settings to the public (e.g. location services or location sharing features) must ensure that those privacy settings are deactivated by default. The same solutions may allow individuals to toggle privacy settings on and off, if and when they choose to do so. In addition to placing limits on businesses using localization data, Bill-64 intends to restrict the profiling of consumers (e.g. use of behavior and preferences) in similar ways. Note: The privacy by default requirements include a specific carve out for website cookies.
- Introduction of a requirement to conduct PIAs in certain circumstances. Québec is the first Canadian province to introduce this requirement for private sector organizations.
- Destruction of Data – Organizations will be required to destroy or anonymize data once it is no longer required for a specific and legitimate purpose.
The key feature of the reform to be rolled out in 2024 is the introduction of a right to data portability.
With amendments to the Private Sector Act now in effect, and heavy penalties for non-compliance coming into force on September 22, 2023, businesses should have mechanisms in place to ensure they are compliant. Businesses should also continue to assess their governance practices, both to ensure they align with Bill-64’s new requirements and as additional requirements take effect through 2023 and 2024.
Feel free to contact us if you require any assistance with demonstrating your organization’s compliance with applicable privacy laws.
New Trends and Hot Topics in Employment Law
Patrick Pengelly (McCarthy Tétrault, Partner), Myriane Le Francois (McCarthy Tétrault, Partner), and Marco Fimiani (McCarthy Tétrault, Associate) discussed emerging trends and hot topics in the employment law space. This overview addresses those most relevant to the retail sector as a whole in both Ontario and Québec.
Legislative Updates in Ontario:
- Electronic Monitoring Policy
Employers with 25 or more employees on January 1st of each year are now required to have a written policy in place regarding “electronic monitoring” of employees by March 1st of that same year. The Working for Workers Act, 2022 amended the Employment Standards Act, 2000 (the “ESA”) to create this requirement.
See our blog here for a discussion of the Government of Ontario’s guidance for employers on electronic monitoring policies.
- Disconnecting from Work Policy
Ontario’s Working for Workers Act, 2021, amended the ESA to include a requirement for employers with 25 or more employees to have a written workplace policy with respect to disconnection from work. Ontario is the first province to implement the requirement to have a policy of this nature, though it is possible that other provinces may follow Ontario’s lead. See our blog here for a discussion of this statutory amendment.
Legislative Updates applicable throughout Canada:
The Competition Act was recently amended, making it a criminal offence for unaffiliated employers to enter into agreements to fix salaries, wages or terms and conditions of employment, or to refrain from soliciting or hiring each other’s employees. See our blog here for a discussion of these amendments to the Competition Act.
Legislative Updates in Québec:
- Québec’s Charter of the French Language
Québec’s Charter of the French Language was amended in order to strengthen French language obligations in the workplace and to cover federally-regulated employers.