Doing Business in Canada (11th edition)

CHAPTER 10 E-Commerce, Data Protection and Privacy

may be able to reduce the risk of harm emanating from the breach. Regulations set out the requirements for the content of the notice of breach. In addition, organizations are required to maintain internal records of all breaches, whether or not they create risks of significant harm. PIPEDA requires that organizations keep these records for 24 months after the day on which the organization determines the breach happened.

The substantially similar provincial laws of Alberta and Québec provide for similar reporting, notification and record-keeping obligations, but each differs somewhat in the analysis of when an incident is reportable, the specific obligations relating to notice, and the length of time for which records of breaches must be maintained.

CHANGES IN QUÉBEC LAW

Amendments to the privacy laws of Québec, enacted in September 2021 and coming into force over 2022–2024, create significant new obligations for private sector organizations carrying on business in that province. Many of the amendments are inspired by, and aim to align with, the European Union’s General Data Protection Regulation (GDPR). Some of the most salient changes that will be in force as of September 22, 2023, are the following:

–  Fines and Penalties. The Québec privacy regulator, the Commission d’accès à l’information (CAI), has been granted expanded powers of enforcement that allow it to impose administrative monetary penalties for a wide range of violations of the provincial private sector privacy law. For organizations, these penalties can reach as high as the greater of $10 million and 2% of worldwide turnover for the preceding fiscal year. The changes also provide the CAI with the power to institute penal proceedings before the courts for violations of the statute. For organizations, fines upon conviction can reach the greater of $25 million and 4% of worldwide turnover for the preceding fiscal year.

–  Requirement for a Privacy Officer. By default, the role of privacy officer is given to the organization’s CEO unless it has been delegated to another person.

–  Privacy Impact Assessments. Organizations will be required to conduct a privacy impact assessment (PIA) with respect to any project to acquire, develop or redesign an information system or electronic service delivery system involving the collection, use, disclosure, retention or destruction of personal information.

–  Cross-Border Transfers. Prior to communicating personal information outside Québec, enterprises must undertake a PIA that confirms that the information will receive an adequate level of protection according to “generally accepted data principles.”

–  New Individual Rights. Individuals whose information has been used to make a decision based solely on the automated processing of such information must be informed by the organization accordingly, no later than at the time the organization informs them of the decision itself, and such individuals also have rights to request additional information and submit observations. Individuals will also have a “right to be forgotten” – that is, the right to be de-indexed and to demand that personal information cease to be disseminated in certain circumstances.

Organizations should consult with counsel to understand the impact of these changes on their operations in Canada.

ANTICIPATED FEDERAL LAW CHANGES

In June 2022, the Canadian federal government introduced the Digital Charter Implementation Act (Bill C-27) for consideration by Parliament, which if enacted would significantly modernize the Canadian federal private sector privacy and data protection legislative framework. Bill C-27 would replace those sections of PIPEDA concerned with privacy and data protection with the Consumer Privacy Protection Act

105

Davies | dwpv.com
