As 2023 is still relatively fresh, we are focusing on three laws (two laws and one bill, actually) and two decisions that will most certainly affect the privacy landscape for Canadian businesses in the year ahead.
1. Second Wave of Amendments to Québec’s Personal Information Protection Legislation
Law 25’s overhaul of Québec’s private and public sector personal information protection framework is to take effect over four years beginning last September. The most demanding stage for non-compliant entities, however, will be 2023.
As of September 2023, among other things, businesses will be required to:
- have appropriate policies and procedures in place for the collection, use, and communication of personal information;
- conduct privacy impact assessments (i) for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information, or (ii) before communicating personal information outside of Québec;
- have data processing agreements in place with all third-party service providers processing personal information on behalf of the business;
- operationalize new individual rights, such as the right to de-indexation and the right to re-indexation; and
- face severe administrative and criminal penalties for non-compliance of up to 4% of worldwide turnover for the preceding year or $25 million.
2. A Possible New Federal Privacy Law: the Consumer Privacy Protection Act
On June 16, 2022, the federal Minister of Innovation, Science and Industry tabled Bill C-27 in a second attempt to reform Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). Bill C-27 is intended to replace PIPEDA.
It has not yet passed second reading, but if it becomes law, Bill C-27 will, among other things:
- create the Personal Information and Data Protection Tribunal to review decisions of the Office of the Privacy Commissioner and impose administrative penalties;
- impose severe financial penalties of up to 5% of global gross revenue or $25 million;
- introduce a private right of action;
- recognize the individual’s right to ask in writing that their information be disposed of; and
- clarify the steps to follow to obtain legitimate consent.
3. New Standard Contractual Clauses for Personal Information Transfers from the EU
Any entity relying on standard contractual clauses (“SCCs”) for personal information transfers from the EU must now ensure that it is using the SCCs published by the European Commission on June 4, 2021 (“New SCCs”).
Until December 28, 2022, any entity that had entered into an agreement prior to September 27, 2021 could continue to use the pre-June 4, 2021 SCCs, whereas any entity that had entered into an agreement on or after September 27, 2021 was required to use the New SCCs. The transition period is now over: all entities relying on SCCs must use the June 4, 2021 SCCs. Entities transferring personal information from the U.K., however, may still rely on the U.K. International Data Transfer Agreement and on the New SCCs with the U.K. addendum (the “UK Addendum”).
4. “Sale of Personal Information” Interpreted Broadly by California AG in a Consumer Context
In a settlement reached August 23, 2022, concerning, among other things, the definition of “sale” under the California Consumer Privacy Act (“CCPA”), Sephora was fined $1.2 million (U.S.) for failing to honour a consumer’s right not to have their personal information sold.
Sephora argued that it was not selling consumer personal information but exchanging it with certain retailers that were allowed to install tracking devices on Sephora’s website and apps to track their products. The retailers would share the resulting analytics with Sephora. The California Attorney General held that although Sephora did not receive money from the retailers in question, the retailers’ analytics were sufficient to constitute a sale under the CCPA.
5. Consent and Market Dominance: A New European Court of Justice Ruling
Read the final decision that will affect privacy in 2023 at Stikeman.com
Danielle Miller Olofsson is a senior associate in the Corporate Group. Her practice focuses on all matters relating to privacy, data protection, and cyber security. Danielle advises clients on compliance requirements and cyber security best practices. She frequently acts as a breach coach to clients that have been the object of cyber-attacks and other malevolent activity affecting their data and personal information. Having practiced law in Europe, Danielle is also called to advise on the increasingly complex requirements surrounding international data transfers and multi-jurisdictional data incidents. Danielle is particularly interested in personal information protection as it relates to artificial intelligence, smart objects, blockchain and the health industry. She is frequently called upon to speak and publish on these topics. Danielle lectures at the Université de Montréal’s Law Faculty on technology, law and data protection.