As another year has come to an end and we have already embarked on a new year, we take this opportunity to reflect on a number of significant changes to Canadian privacy law. From promising developments to proposed legislation to a groundbreaking investigation, there is much to review as we head into 2024. Let’s take a look at the top five recent developments we encountered this year.
1. The Second Phase of Québec’s Law 25 Came Into Force
On September 22, 2023, the second part of Québec’s “Act to modernize legislative provisions as regards the protection of personal information”, also known as “Law 25”, came into effect.
Along with the second set of requirements discussed below, the administrative penalties for non-compliance came into effect this year. Law 25 introduced three different enforcement mechanisms to ensure compliance with the new law: (1) administrative monetary penalties (“AMP”), (2) penal offences, and (3) a private right of action. Under the AMP regime, companies that contravene certain provisions of the amended Act may be liable for up to $10 million or two percent of worldwide turnover from the previous year, whichever is greater. For more severe violations, Law 25 introduced several new penal offences with fines of up to $25 million or four percent of worldwide turnover from the previous year, whichever is greater. Meanwhile, the private right of action recognizes the possibility for individuals to claim punitive damages when their privacy rights are violated.
Given the seriousness of the enforcement mechanisms, businesses must ensure compliance with the new requirements brought by Law 25. The new requirements set out under Law 25 are scheduled to come into force in three increments. The first set of these privacy requirements (which include the appointment of a privacy officer and mandatory breach reporting) came into force on September 22, 2022. The second set of the requirements came into force on September 22, 2023, and the remaining requirements will come into force in September 2024.
The second set of requirements require Québec businesses to establish their own privacy policies, including a formal complaints process and proper practices on the use or destruction of personal information. It also requires privacy impact assessments. The changes also reflect a greater emphasis on transparency and the requirement for organizations to have the highest level of security for personal information as a default, subject to certain exceptions. Other notable requirements include:
- Consent requirements for minors
- Destroying and anonymizing data
- The right to be forgotten
- Ensuring individuals know that their personal information will be used for automated decision-making
Please log in to read the full article.