October 20, 2021

Volume XI, Number 293

Advertisement
Advertisement

October 19, 2021

Subscribe to Latest Legal News and Analysis

October 18, 2021

Subscribe to Latest Legal News and Analysis

Canada Update: Québec Proposes Privacy Bill With Teeth, Ontario Ponders Requirements for Data Collection by Private Bodies

On June 12, 2020, Québec’s then minister of justice, Sonia LeBel, tabled in the National Assembly Bill 64An Act to modernize legislative provisions as regards the protection of personal information.

Bill 64’s purpose is to modernize Québec’s privacy laws for both the public and private sectors. This new bill would impose more onerous obligations on employers in the province and provide the Commission d’accès à l’information (privacy commission) with increased powers.

One component of the privacy commission’s duties involves enforcing the Act respecting the protection of personal information in the private sector (Private Sector Act). As it currently stands, the privacy commission is capable only of conducting investigations or inspections and ordering the corrective measures it deems necessary. Put simply, the privacy commission cannot impose monetary penalties for noncompliance. It should be noted that although the privacy commission cannot impose penalties, under the current Private Sector Act, the director of criminal and penal prosecutions can institute penal proceedings against Private Sector Act offenders. However, these situations are extremely rare.

Under Bill 64, the privacy commission would have new prosecution powers that would enable it to institute penal proceedings against any employer that failed to comply with the Private Sector Act. These new powers come with new penal fines that go up to $25 million, or if greater, an amount corresponding to 4 percent of the company’s worldwide turnover for the preceding fiscal year.

This means that an employer with $1 billion in turnover for the preceding fiscal year could be fined up to $40 million for breaching the Private Sector Act.

In addition, Bill 64 provides for a new monetary administrative penalty regime. These types of regimes already exist under other forms of legislation, particularly under environmental law, and they allow regulators to impose penalties without having to respect all fundamental rights that an accused entity would have under the Canadian Charter of Human Rights and Freedoms. As Bill 64 currently stands, under the monetary administrative penalty regime, a Private Sector Act offender could be liable for up to $10 million in penalties or, if greater, an amount corresponding to 2 percent of the company’s worldwide turnover.

Bill 64 would also create new obligations for employers such as:

  • the duty to destroy or anonymize personal information once the purpose for which it was collected has been completed;

  • the duty to erase personally identifiable data upon an individual’s request; and

  • the obligation to appoint a person who will be responsible for protecting personal information.

Employers in Québec may want to remain vigilant and up to date with Bill 64 as it makes its way through the legislature as the new changes proposed are broad and the implications are significant.

Ontario

On August 13, 2020, Ontario’s Ministry of Government and Consumer Services released a discussion paper titled “Ontario Private Sector Privacy Reform.”

The discussion paper recognizes the absence of provincial legislation regulating data collection by private bodies. Specifically, it addresses how the collection of “employee related personal information” is free from any type of privacy regulation and oversight. The province indicated that it wants to construct its own legislative response that allows Ontarians to exercise more control over their data when engaging with private organizations.

The discussion paper outlines the following key areas for reform

Changes to consent and transparency requirements

Currently, private organizations obtain an individual’s consent for use, collection, and disclosure of personal information through service policies and privacy statements. However, the discussion paper recognizes that these policies are saturated with “dense legal jargon” that can leave individuals uncertain of what they just consented to. Furthermore, the discussion letter expresses the opinion that the consent model is unrealistic and inefficient given how frequently personal information is collected, used, or disclosed.

The discussion paper proposes scrapping the traditional dense privacy policy. Instead, organizations would be required to outline in plain and clear language what personal information is collected, how it is collected, and with whom it is shared. Organizations would also be required to identify situations in which consent is not required. For collection, use, and disclosure of personal information that falls outside an organization’s described practices, “opt-in” consent would be required. This “opt-in” system would prevent organizations from continuing to collect information indefinitely.

Data erasure and data portability

Ontario also examines the introduction of two new rights: the right to data erasure and the right to data portability. Data erasure rights would allow individuals to request that their employers permanently delete or “de-index” any collected personal information. Data portability rights would require employers to provide individuals with their personal information in an open and accessible format upon request.

Oversight, enforcement, and fines

The discussion paper considers empowering the information and privacy commissioner to issue binding orders and fines on organizations that do not follow the privacy regulations.

De-identified and derived data

The discussion paper proposes defining and regulating “de-identified” and “derived” data.

“De-identified” personal information is data that has been collected and edited to remove a person’s identifiable information. Ontario is considering offering incentives and supports to private institutions to use this type of data preservation since it reduces the harmful effects of any privacy leaks.

“Derived” data is information that private institutions indirectly acquire (e.g., web browsing habits). Ontario is considering developing guidelines for how companies use this type of information.

Data sharing

The Ontario government is examining how data governance can be revised so that information can be shared among organizations to promote economic and societal development.

© 2021, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.National Law Review, Volume X, Number 310
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Michael Comartin, Ogletree Deakins Law Firm, Labor and Employment Attorney
Partner

Michael is a partner in Ogletree Deakins’ Toronto office. His diverse practice spans all areas of employment law, labour law, privacy, wage and hours issues, human rights, accessibility, and employee benefits and executive compensation. Michael also has experience with class actions, appellate litigation, M&A/restructuring, and general litigation. He regularly represents employers in judicial review proceedings

Michael has appeared before the Court of Appeal for Ontario, the Divisional Court, the Superior Court of Justice, the Federal Court of Appeal, the Federal Court, the...

416-637-9057
Advertisement
Advertisement
Advertisement