Personal information protection: a busy summer
Summer generally means fine weather, festivals, and vacations. This year more than any before, it also means protecting personal information. Some of the reasons for this are outlined below.
1. In Quebec
i. A number of requirements in the Act to modernize legislative provisions as regards the protection of personal information (“Act 25”) come into force on September 22, 2022. These include the following:
- public bodies and businesses are responsible for the personal information they hold;
- businesses are now required to appoint a privacy officer;
- all public bodies must create a committee on access to information and personal information protection, unless they are exempted by government regulation;
- any confidentiality incident involving personal information that presents a risk of serious injury to the persons concerned must be promptly reported to the Commission d’accès à l’information and the persons concerned;
- a privacy impact assessment must be conducted where personal information has been communicated, without the consent of the persons concerned, for study or research purposes or for the production of statistics;
- a business may communicate personal information without the consent of the persons concerned where doing so is necessary for concluding a commercial transaction;
- the creation of a database of biometric characteristics or measurements must be disclosed to the Commission d’accès à l’information no later than 60 days before it is brought into service.
ii. A draft regulation respecting confidentiality incidents was tabled on June 29, 2022 (Gazette officielle du Québec, Part 2, pp. 2093 et seq.). Any person who wishes to submit comments has 45 days from the date of publication of the draft regulation to do so. The purpose of the draft regulation is to inform public bodies, businesses, professional orders and political parties of what must be included in the notice to the Commission and the persons concerned, as well as in the register of confidentiality incidents that must be kept by those organizations.
iii. Order in Council No. 1011-2022 amending the Regulation respecting the distribution of information and the protection of personal information was published on the same date (Gazette officielle du Québec, Part 2, pp. 2035 et seq.).
2. At the federal level
i. Bill C‑27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, was tabled in the Parliament of Canada, in the House of Commons on June 16, 2022.
That bill echoes Bill C‑11, which died on the Order Paper in the previous session of Parliament, and also amends the first two parts and adds a third part relating to artificial intelligence.
Part 1 enacts the Consumer Privacy Protection Act. If that part is passed, it will repeal and replace Part 1 of the Personal Information Protection and Electronic Documents Act relating to the protection of personal information in the private sector.
As well as adding new definitions (anonymize, de-identify), this part expands organizations’ responsibility for personal information, including the requirement for implementing a privacy management program. It also specifies certain elements, including those relating to:
- acceptable purposes for which personal information may be collected, used, or disclosed;
- consent and exceptions to consent;
- the public interest;
- retention and disposal of personal information;
- security safeguards and breaches;
- the right to access and right to amend provided to persons concerned, including the use of an automated decision system;
- the use of de-identified information, with the provision that in this case, the organization must ensure that the technical and administrative measures used are proportionate to the purpose for which the information is de‑identified and the sensitivity of the information.
It also specifies the powers, duties and functions of the Privacy Commissioner (the “Commissioner”), including the power to make orders and recommend administrative monetary penalties, and it opens the door to a private right of action.
Part 2 enacts the Personal Information and Data Protection Tribunal Act.
The Tribunal will have jurisdiction in respect of all appeals that may be made by a complainant or organization affected by a decision of the Commissioner and in respect of the imposition of penalties provided by the Act. It will consist of three to six members, at least three of whom will have experience in the field of information and privacy law.
The Tribunal will not be bound by any legal or technical rules of evidence in conducting hearings. It will have to deal with matters as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit. As a general rule, hearings before the Tribunal and the Tribunal’s decisions will be public.
Part 3 enacts the Artificial Intelligence and Data Act, whose purpose is to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems. Its purpose is also to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.
ii. Bill C‑26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was tabled in the House of Commons on June 14, 2022.
Part 2 enacts the Critical Cyber Systems Protection Act, the purpose of which
… is to help to protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, among other things:
(a) any cyber security risks in respect of critical cyber systems are identified and managed, including risks associated with supply chains and the use of third-party products and services;
(b) critical cyber systems are protected from being compromised;
(c) any cyber security incidents affecting, or having the potential to affect, critical cyber systems are detected; and
(d) the impacts of cyber security incidents affecting critical cyber systems are minimized. (s. 5).
We will be following with interest the discussions about the draft regulation on confidentiality incidents and about Bills C‑26 and C‑27 over the next few months, and we will be publishing further articles about the action that is taken on them.