Happy Privacy Week, Canada! 2nd Edition

Happy Privacy Week, Canada! 2nd Edition

As we continue to celebrate Data Privacy Week, it is a great time to review the most recent, significant privacy and data protection developments in Canada.

McMillan’s Top 5 List of Privacy Developments for Businesses in 2023 & 2024

1. Adequacy Maintained. On January 15, 2024, the European Commission released its Report from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC. The Commission concluded that Canada (along with 10 other countries) continues to provide an adequate level of protection for personal data transferred from the European Union (EU) to recipients in Canada that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). This is an important decision, as it allows commercial organizations to continue transferring personal information from the EU to Canada without additional, burdensome transfer mechanisms such as standard contractual clauses or binding corporate rules. Read McMillan’s bulletin on this important development here.
2. New Quebec Requirements. Most of the amendments to Québec’s Act respecting the protection of personal information in the private sector came into force on September 22, 2023, including a number of new governance requirements and materially stronger enforcement mechanisms. Over the course of the last year, the Commission d’accès à l’information du Québec (CAI) published a number of guidance documents, including a Companion Guide for privacy impact assessments (PIA) and a sample PIA, a general framework for the application of administrative monetary penalties, consent guidelines and validity criteria, and an explanatory guide for companies on writing a privacy policy (see McMillan bulletin here). Draft Regulations for anonymization of personal information were also released in December 2023.
3. Federal Reform Took a Step Forward. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, progressed past second reading to the committee stage and is now being considered by the Standing Committee on Industry and Technology. If passed, Bill C-27 will create three new statutes that will significantly change the privacy law landscape in Canada, including by creating new Federal privacy legislation applicable to commercial activities (with robust enforcement mechanisms), and Canada’s first statute regulating artificial intelligence (AI).
4. AI Guidance Skyrocketed. With the advent of ChatGPT and other generative AI products, there has been a significant increase in regulatory attention directed at AI. For example, Innovation, Science and Economic Development Canada announced a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, the Office of the Privacy Commissioner of Canada (“OPC”) released a joint statement with its G7 counterparts on generative AI, and the Canadian privacy regulators published Principles for responsible, trustworthy and privacy-protective generative AI technologies. Read McMillan’s recent bulletins on AI developments here and here.
5. Crack-Down on Biometrics. Use cases for biometrics have grown exponentially in recent years, and many organizations have begun leveraging these technologies. Both the CAI and the OPC released guidance on biometrics in 2023, which may slow down adoption rates for such technologies in Canada, including the CAI’s guidance on biometric timeclocks (see McMillan bulletin here), and the OPC’s “Draft Guidance for processing biometrics – for organizations” (released October 11, 2023; open for consultation until February 16, 2024).  In particular, the regulators have cautioned against collecting biometrics for purposes of convenience, and emphasized that such sensitive information should only be collected where there is a pressing, substantial, important, legitimate and/or real need to do so. The new guidance documents supplement earlier publications such as the CAI’s Companion Guide for the use of biometrics and the OPC’s findings on voice authentication in PIPEDA Findings # 2022-003.

Celebrate Data Privacy Week by reaching out to McMillan’s Privacy and Data Protection team to discuss how you should update your privacy program to address evolving legal requirements!