A Year in Review 2022 - Top Five Privacy Developments in Canada

It has been an eventful year for privacy law in Canada. In 2022, the Canadian privacy landscape saw significant changes, as stakeholders at all levels recognized the need to keep up with a data-driven world. This article summarizes the top five recent developments that businesses and stakeholders should be aware of.

1. Bill C-27 Attempts to Modernize the Federal Private Sector Privacy Legislation

   On June 16, 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2022 (“Bill C-27” or the “Bill”), received its first reading in Parliament. Bill C-27 attempts to modernize and strengthen Canada’s private sector privacy legislation.

   Bill C-27 was raised for debate at second reading in the House of Commons on November 4, 2022. In his opening address, Minister François Phillipe Champagne indicated the government’s intention to pass Bill C-27 swiftly “by Christmas.” Meanwhile, House members from other parties were united by their emphasis on slowing the process down to ensure that Bill C-27 is reviewed with appropriate time and attention. Bill C-27 received another debate at second reading on November 28, 2022. In response to concerns about rushing Bill C-27 to the Committee prematurely, the Speaker of the House made a ruling midway directing that the Artificial Intelligence and Data Act (discussed below) will be voted on separately from the other two Acts in the Bill. 

   If Bill C-27 is passed, the measures it introduces will bring Canadian privacy law into closer alignment with the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”), and Québec’s privacy reforms introduced by the recently-enacted Bill 64 (described below). By bringing our privacy legislation in line with the GDPR and Bill 64, Canada will likely be able to maintain its adequacy status under the GDPR and be considered a substantially similar jurisdiction under Bill 64. This will allow Canadian businesses to transfer personal information from the EU and Québec to Canada and provinces outside of Québec without additional data protection safeguards.

   Any benefits Bill C-27 offers to Canadian businesses by making it easier to do business in the EU and Québec are matched by higher standards for privacy compliance and more severe penalties for non-compliance. Among the most significant changes, Bill C-27 would introduce a new Personal Information and Data Protection Tribunal (the “Tribunal”) to review decisions issued by the Office of the Privacy Commissioner of Canada (the “OPC”). Based on its findings, the Tribunal would be authorized to impose administrative monetary penalties of up to $10 million or three percent of the offending organization’s global gross revenues.

   The most serious violations of the new legislation, such as knowingly using de-identified information to identify an individual, failing to maintain records of security breaches, or obstructing an investigation carried out by the OPC, would constitute offences punishable, upon prosecution, with a fine of up to $25 million or five percent of the organization’s gross global revenues. Notably, the Bill would also provide individuals who suffer a loss or injury due to an organization’s non-compliance with a right to bring an action for damages.

   If Bill C-27 comes into effect, its heavy administrative penalties and fines will provide all the more reason for Canadian businesses to invest in protecting personal information and to ensure that their processes and procedures remain in compliance with Canadian privacy legislation. Possible non-compliance is not worth the risk.

   For more information on the proposed Bill and new requirements, see our blog post, Proposed Privacy Bill Introduces Fines and New Requirements for Private Organizations.

2. First Round of New Québec Privacy Requirements Imposed Under Bill 64 Came into Force

   The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64”) made significant amendments to Québec’s private sector law, the Act Respecting the Protection of Personal Information in the Private Sector (the “Act”). Bill 64 was given royal assent on September 22, 2021. The amended Act applies to Québec-based private sector organizations and out-of-province companies that do business involving the use of personal information of Québec residents. The most significant amendments introduced by Bill 64 are arguably the new enforcement mechanisms.

   Bill 64 introduced three different enforcement mechanisms to ensure compliance with the amended Act: (1) administrative monetary penalties (“AMP”), (2) penal offences, and (3) a private right of action. Under the AMP regime, companies that contravene certain provisions of the amended Act may be liable for up to $10 million or two percent of worldwide turnover from the previous year. For more severe violations, Bill 64 introduced several new penal offences with fines of up to $25 million or four percent of worldwide turnover from the previous year, whichever is greater. Meanwhile, the private right of action recognizes the possibility for individuals to claim punitive damages when their privacy rights are violated. 

   Given the seriousness of the enforcement mechanisms, businesses must ensure compliance with the new requirements brought by Bill 64. The new requirements set out under Bill 64 are scheduled to come into force in three increments. The first set of these privacy requirements (which include the appointment of a privacy officer and mandatory breach reporting) came into force on September 22, 2022. The remaining requirements will come into force in two remaining increments, in September 2023, and September 2024.

   We will briefly discuss the two requirements that came into force this year:

• Appointment of a Privacy Officer. Bill 64 creates an obligation for organizations operating in Québec to designate a privacy officer by September 22, 2022. If the organization does not designate, by default, the person with the highest authority in the organization (such as the CEO) is designated the “person in charge of the protection of personal information”. There are no specific qualifications for this role, other than that the person named should be familiar with the requirements of the Act. Organizations may delegate the role to a member of the organization or to a third party, provided the delegation is made in writing.
• Mandatory Breach Reporting. Regarding breach reporting, the amended Act imposes new requirements on companies to “promptly” notify the Commission d’accès à l'information (the “CAI”) and affected individuals of any privacy violations that present a “risk of serious injury.” Further, according to the proposed Regulation Respecting Confidentiality Incidents that accompanies Bill 64, companies will be required to maintain records of confidentiality incidents for five years after the date on which the company became aware of the violation.

3. Attempt at New Cybersecurity Compliance Regime for Federally Regulated Private Industries

   On June 14, 2022, the first reading of Bill C-26 (“Bill C-26”) took place in the House of Commons. Bill C-26 was raised for debate at second reading in the House of Commons on December 1, 2022.

   Bill C-26 makes several amendments to the Telecommunications Act, including establishing order-making powers for the Governor-in-Council and the Minister of Industry to request actions from Canadian telecommunications systems to secure against possible threats of interference, manipulation, or disruption.

    Bill C-26 also establishes a new cybersecurity compliance regime for federally-regulated private industries, including the Canadian telecommunications system, banking systems, and energy and transportation industries. In particular, Bill C-26’s significant new enforcement powers would allow the Governor-in-Council to impose consequences for contravention or non-compliance, including fines of up to $15 million and potential imprisonment.

   For more information on the proposed Bill and related recommendations, see our blog post, Legislative Update: Bill C-26 Introduces New Requirements for Federally Regulated Industries.

4. Canada’s First AI Act

   On June 16, 2022, the Artificial Intelligence and Data Act (the “AI Act”) was introduced as part of the first reading of Bill C-27. The AI Act would apply to organizations that design, develop, deploy, or manage AI systems. The focus of the AI Act is to prevent biased output (relating to prohibited grounds of discrimination set out in the Canadian Human Rights Act) and harm to individuals, which is defined broadly as encompassing psychological or physical harm, as well as property damage or economic loss. The legislation will be geared towards “high-impact” AI systems that have the potential to cause the greatest harm.

   The AI Act would impose assessments for organizations to determine whether their systems are classified as “high-impact” and put in place requirements that relate to the transparency, anonymization of data, and obligations to report to the Minister. The AI Act would be enforced through Federal Court orders and administrative monetary penalties that could rise to the greater of $25 million or five percent of the organization’s global gross revenues from the previous fiscal year. Further, the AI Act would prohibit certain practices involving data and AI systems that could result in serious harm to individuals. 

   For more detailed information about the proposed AI Act, see our related blog entry, Canada’s First AI Act Proposed.

5. Third-Party Data Breaches Do Not Constitute an Intrusion Upon Seclusion

At the beginning of this year,  the Ontario Superior Court rendered its decision in the case of Winder v. Marriott International, Inc. (“Winder”). Winder involved a class action brought against the Marriott after its hotel reservation database was hacked. The court considered whether the Marriott, as the victim of the hacker, could be liable for the tort of intrusion upon seclusion.

The plaintiff argued that Marriott had obtained confidential personal information from class members under ”false pretenses” and, as a result, was a “constructive intruder.” Justice Perell of the Ontario Superior Court ultimately determined that the tort of intrusion upon seclusion would remain restricted to defendants who are “intruders,” and not apply to “constructive intruders.”

On November 25, 2022, the Ontario Court of Appeal (the “Court of Appeal”) upheld the lower court’s decision as part of a trilogy of cases that would firmly reject the pleading of the tort of intrusion upon seclusion by plaintiffs who advance proposed class actions against companies that suffer a third-party data breach. Alongside two other cases—Owsianik v. Equifax Canada Co. and Obodo v. Trans Union of Canada, Inc.—the Court of Appeal’s decision in Winder precludes the certification of class actions in cases where a third party has accessed stored personal information of customers, but there is no evidence of resulting harm to those customers.

Using the test under 5(1)(a) of the Ontario Class Proceedings Act, 1992, the Court of Appeal determined that it was plain and obvious in each of the three cases that the claim for intrusion upon seclusion could not succeed on the pleaded facts, because it was the hacker’s conduct in illegally obtaining the stored information, not the company’s alleged failure to protect it, that constituted the “intrusion.” A company’s recklessness with respect to the storage of the information, for example, would not satisfy the conduct requirement of the tort of intrusion upon seclusion. Finally, the Court of Appeal noted that refusing to extend the tort of intrusion upon seclusion to a third-party hack does not leave plaintiffs whose information has been accessed in a data breach without a remedy.

For more information on this case and relevant tips for businesses, see our related blog entry, Tort of Intrusion Upon Seclusion Does Not Extend to Hacked Companies.

Bonus: OPC Releases First Finding of the Year

On June 1, 2022, the OPC released findings from an investigation against the Tim Hortons app. It was discovered that the app extensively tracked the exact locations of its users, revealing up to 2,700 collections for one user over a five-month period. The granular location data that Tim Hortons collected through the app was not used for the intended purpose of targeted marketing and was found to be unacceptable due to the frequency and amount of sensitive data collected. The consents from Tim Hortons gathered from users of the app were found to have been obtained without proper disclosure, as users were unaware that the app tracked data even when not being used. Further, the OPC’s findings addressed inadequate contractual protections between Tim Hortons and a third-party service provider that assisted the coffee giant with collecting the sensitive personal information.

For more information on the findings of this investigation and related recommendations for businesses, see our related blog entry, No Coffee Breaks from Privacy Compliance – A Cautionary Tale for App Developers.

Conclusion

This year has brought a number of new developments to the privacy and cybersecurity space, making this a rapidly evolving area that businesses can no longer afford to ignore. In light of significant new enforcement mechanisms and heightened penalties for privacy violations, it is becoming increasingly important to ensure that organizations have up-to-date privacy management procedures and processes to remain in compliance with newly-introduced regulations (or soon-to-be introduced regulations). Businesses are encouraged to reach out to the Technology, Privacy & Data Management Group at Torkin Manes with questions and to receive business-specific recommendations. 

With appreciation, the author acknowledges the contribution of Articling Student, Charlotte Butler, who assisted in drafting this article.