In this Edition of the Round-Up:

Legislative Updates 

Regulatory Authority Updates

Case Law Updates

New AccessPrivacy Offerings

Legislative Updates

• The Federal Government's privacy legislative reform agenda continues to advance, as Bill C-27 (the Digital Charter Implementation Act, 2022), which would replace PIPEDA with new federal private sector privacy legislation, has moved to second reading in the House of Commons. Whether the proposed regime for the regulation of AI will continue at the same pace remains unclear, as on November 28, the Speaker ruled to separate the vote on Bill C-27. Members of Parliament will vote on Part 3 of the Bill (the Artificial Intelligence and Data Act) separately from Parts 1 and 2 (the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act).

  • Further information on Bill C-27 was reported in volume 16 of the Round-Up, and the AccessPrivacy team is continuously updating the suite of tools available to Knowledge Portal subscribers in the Legislative Reform Portal, including our detailed clause-by-clause annotation of the Consumer Privacy Protection Act;

 

• A Working Group of the Canadian Anonymization Network (CANON) has submitted to Innovation, Science and Economic Development Canada (ISED) proposed amendments to the de-identification and anonymization provisions in Bill C-27. One of CANON’s core objectives is to advocate for balanced legislative and policy standards for anonymization that enable innovative and beneficial uses of data, while reasonably protecting against foreseeable privacy risks. CANON's recent Legislative Reform Roundtable webinar, focusing on these proposed amendments, is also available on-demand; 

 

• Amendments to British Columbia's Freedom of Information and Protection of Privacy Act, regarding (1) the obligation for public bodies to develop a privacy management program, and (2) the obligation for public bodies to notify the regulatory authority and affected individuals following privacy breaches, will come into effect on February 1, 2023. The BC Government's Order in Council also enacts regulations setting out the content of such notifications.

  • Further information on breach notification requirements across Canada can be found in our Breach Notification topic hub, and background on Bill 22's amendments to BC's public sector privacy legislation can be found in our Legislative Reform Portal;  

 

• A legal framework specific to health and social services information has been proposed by the Government of Quebec in Bill 3, An Act respecting health and social services information and amending various legislative provisions;

 

• A study of “on device investigative tools” used by the Royal Canadian Mounted Police is the focus of a report released by the House of Commons' Standing Committee on Access to Information, Privacy and Ethics (ETHI). The Office of the Privacy Commissioner of Canada (OPC) issued a statement summarizing key recommendations within the report. As reported in Volume 17 of the Round-Up, Commissioner Dufresne recently appeared before the ETHI Committee to discuss the RCMP’s use of investigative tools and implications under the Privacy Act.

 

Regulatory Authority Updates

• Canada’s Privacy Commissioners have focused on challenges arising from the emerging “digital identity ecosystem” in Canada. In a joint resolution, Commissioners and other regulatory authorities stressed the need for governments and stakeholders to respect privacy and transparency rights in the design and operation of systems managing the exchange and verification of digital identity information. The resolution includes a non-exhaustive list of conditions and properties to be integrated into a legislative framework applicable to the creation and management of digital identities;

 

• A resolution on the appropriate use of personal information in facial recognition technology has been adopted by the OPC, along with over 120 data protection authorities from Canada, Europe, and elsewhere. The resolution outlines the following principles and expectations for organizations seeking to use facial recognition technology: (i) lawful basis; (ii) reasonableness, necessity and proportionality; (iii) protection of human rights; (iv) transparency; (v) accountability; (vi) data protection principles;

 

• Processing times for requests to access administrative documents, personal information and other information in the public sector are the subject of a study carried out by the Commission d’accès à l’information du Québec (CAI). The CAI has summarized best practices for reducing delays in response times, discussing the impact of the COVID-19 pandemic in this area and setting out recommendations for public sector bodies for processing such requests;

 

• A regulation on the right to access personal health information records in electronic format is the subject of staff-level comments from the Office of the Information and Privacy Commissioner of Ontario. The proposed regulation was created under the Personal Health Information Protection Act, 2004 (PHIPA), as amended by the Pandemic and Emergency Preparedness Act. This new regulation-making authority was previously discussed in volume 14 of the Round-Up;

 

• Noting that web-connected cameras can “easily [be] hijacked to allow random strangers to watch intimate moments” the OPC has published new tips for protecting web-connected cameras;

 

• With “gaming gear topping the [holiday] wish lists of kids and adults alike”, the OPC has published a blog post outlining tips to help gamers better protect their personal information while playing video games online; 

 

• To support greater international collaboration in disrupting scam communications, the Canadian Television and Telecommunications Commission (CRTC) hosted the “Combating Scam Communications Meeting” with regulators from Canada, Australia, Ireland, Hong Kong and the United States. The meeting builds on existing regulatory collaboration through the Unsolicited Communications Enforcement Network (UCENet);

 

• The OPC joined other member authorities at the 58th Asia Pacific Privacy Authorities (APPA) forum to discuss “key issues ranging from children’s online privacy and cross-border data transfers to artificial intelligence and privacy enhancing technologies”;

 

• The CAI has released its 2021-2022 Annual Report, focusing in large part on the Bill 64 reform of Quebec's public- and private-sector privacy and access laws. The CAI stressed that although it has launched a series of workstreams to assist organizations with meeting their new compliance obligations (in particular, the launch of its Espace évolutif resource and guidance hub), it requires additional funding from the Legislative Assembly in order to effectively administer the amended legislation; 

 

• The Information and Privacy Commissioner of Nova Scotia and the Yukon Information and Privacy Commissioner have also released their 2021-2022 Annual Reports. Annual reports released this year by other privacy watchdogs were highlighted in volume 16, volume 17, and volume 18 of the Round-Up.

 

Case Law Updates

• Companies collecting and storing personal information cannot be found liable for the tort of intrusion upon seclusion when they suffer a cyberattack by a third-party hacker. The Court of Appeal for Ontario has confirmed in a trilogy of decisions that the tort is meant to apply to those who actually invaded or intruded upon a plaintiff’s privacy by accessing that plaintiff’s private information. 

  • For more detail, see this analysis by the Osler litigation team, which successfully represented the "database defendant" in the Trans Union appeal. The decisions were also discussed by a team of experts in the November 30 AccessPrivacy Data Litigation Roundtable, the recording of which is available on the event page;

 

• A recent Federal Court decision considered procedural fairness issues in the context of evidence derived from artificial intelligence tools. The case involved two applicants who raised issues of procedural fairness surrounding possible reliance by the Refugee Protection Division (RPD) on facial recognition technology in their decision-making process. The applicants sought judicial review of the RPD decision revoking their refugee status. The court found that the decision was unreasonable, in part because the Minister had not disclosed the methodology used in procuring the photo comparison evidence in question. As Dr. Teresa Scassa explains in a recent blog post, "[t]he decision is important for setting some basic standards to meet when it comes to reviewing evidence that may have been derived using AI".

 

New AccessPrivacy Offerings:

• The AccessPrivacy team authored an article in Osler's annual Legal Year in Review publication: "The freight train of privacy legislative reform keeps rolling". Osler's specialized privacy litigation team also contributed a piece on recent trends and developments in privacy class action jurisprudence; 

 

• Our Quebec Demonstrable Accountability Checklist and the Breach Notification Topic Hub have been updated to reflect Quebec's newly finalized confidentiality incident regulations.

***

Sign up for AccessPrivacy's complimentary e-news updates to receive each edition of the Round-Up by email. The archive of past editions of the Privacy Round-Up is available to AccessPrivacy Knowledge Portal subscribers. 

Please note: if you are having issues opening links to publicly available materials, please try clearing your browser cache (including cookies and files) before clicking the link again.