Insights Header image
Insights Header image
Insights Header image

Happy Privacy Week, Canada! 2nd Edition

Jan 23, 2024 Publications 3 minute read

As we continue to celebrate Data Privacy Week, it is a great time to review the most recent, significant privacy and data protection developments in Canada.

McMillan’s Top 5 List of Privacy Developments for Businesses in 2023 & 2024

  1. Adequacy Maintained. On January 15, 2024, the European Commission released its Report from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC. The Commission concluded that Canada (along with 10 other countries) continues to provide an adequate level of protection for personal data transferred from the European Union (EU) to recipients in Canada that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). This is an important decision, as it allows commercial organizations to continue transferring personal information from the EU to Canada without additional, burdensome transfer mechanisms such as standard contractual clauses or binding corporate rules. Read McMillan’s bulletin on this important development here.
  2. New Quebec Requirements. Most of the amendments to Québec’s Act respecting the protection of personal information in the private sector came into force on September 22, 2023, including a number of new governance requirements and materially stronger enforcement mechanisms. Over the course of the last year, the Commission d’accès à l’information du Québec (CAI) published a number of guidance documents, including a Companion Guide for privacy impact assessments (PIA) and a sample PIA, a general framework for the application of administrative monetary penalties, consent guidelines and validity criteria, and an explanatory guide for companies on writing a privacy policy (see McMillan bulletin here). Draft Regulations for anonymization of personal information were also released in December 2023.
  3. Federal Reform Took a Step Forward. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, progressed past second reading to the committee stage and is now being considered by the Standing Committee on Industry and Technology. If passed, Bill C-27 will create three new statutes that will significantly change the privacy law landscape in Canada, including by creating new Federal privacy legislation applicable to commercial activities (with robust enforcement mechanisms), and Canada’s first statute regulating artificial intelligence (AI).
  4. AI Guidance Skyrocketed. With the advent of ChatGPT and other generative AI products, there has been a significant increase in regulatory attention directed at AI. For example, Innovation, Science and Economic Development Canada announced a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, the Office of the Privacy Commissioner of Canada (“OPC”) released a joint statement with its G7 counterparts on generative AI, and the Canadian privacy regulators published Principles for responsible, trustworthy and privacy-protective generative AI technologies. Read McMillan’s recent bulletins on AI developments here and here.
  5. Crack-Down on Biometrics. Use cases for biometrics have grown exponentially in recent years, and many organizations have begun leveraging these technologies. Both the CAI and the OPC released guidance on biometrics in 2023, which may slow down adoption rates for such technologies in Canada, including the CAI’s guidance on biometric timeclocks (see McMillan bulletin here), and the OPC’s “Draft Guidance for processing biometrics – for organizations” (released October 11, 2023; open for consultation until February 16, 2024).  In particular, the regulators have cautioned against collecting biometrics for purposes of convenience, and emphasized that such sensitive information should only be collected where there is a pressing, substantial, important, legitimate and/or real need to do so. The new guidance documents supplement earlier publications such as the CAI’s Companion Guide for the use of biometrics and the OPC’s findings on voice authentication in PIPEDA Findings # 2022-003.

Celebrate Data Privacy Week by reaching out to McMillan’s Privacy and Data Protection team to discuss how you should update your privacy program to address evolving legal requirements!

Insights (5 Posts)View More

Featured Insight

Capital Gains Confusion: Navigating the Options for Reporting Employee Stock Option Benefits

This bulletin discusses proposed tax changes that will increase certain source withholding obligations for stock option benefits.

Read More
Jan 21, 2025
Featured Insight

Bill 68 and Medical Certificates: Important New Provisions for Employers

Certain provisions of Bill 68 affect employers and the circumstances under which they may ask their employees to provide a medical certificate.

Read More
Jan 21, 2025
Featured Insight

Class Actions in Quebec: A Surge in Environmental Law Private Actions Lays Additional Pressure on the Retail Sector

This bulletin discusses the rationale as well as the implications of recent environmental class action judgments in Québec for businesses and consumers.

Read More
Jan 21, 2025
Featured Insight

Clear as Mud: Analyzing Voluntary Property Control Removals So Far

The Competition Bureau's recent announcement about a grocer agreeing to remove a exclusive/restrictive covenant raises more questions than answers.

Read More
Jan 20, 2025
Featured Insight

Patent Term Adjustments in Canada Are Here

On January 1, 2025, provisions related to Canada’s new patent term adjustment framework came into force. This bulletin provides an overview of these changes.

Read More
Jan 20, 2025