In this Edition of the Round-Up:

Legislative Updates

Regulatory Authority Updates

Case Law Updates

Latest AccessPrivacy Offerings

 

Legislative Updates

• The Federal Government's privacy legislative reform agenda continues to advance. On March 7, Parliament resumed its consideration of Bill C-27, the Digital Charter Implementation Act, 2022, which is currently at second reading. It is expected that Parliament will refer the Bill to either the Standing Committee on Industry and Technology (INDU) or the Standing Committee on Access to Information, Privacy and Ethics (ETHI) for consideration. 

  • As discussed in volume 19 of the Round-Up, the Speaker ruled on November 28 to separate the vote on Part 3 of the Bill (the Artificial Intelligence and Data Act) from Parts 1 and 2 (the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act). However, all three parts of the Bill will be considered together if referred to committee;

 

• The Federal Government has published a companion document to the proposed Artificial Intelligence and Data Act (AIDA), setting out a summary of AI-related industries in Canada and providing commentary on to the proposed statute's framework, including (i) examples of high-impact systems; (ii) inclusionary definitions of "harm" and "biased output"; and (iii) principles upon which the AIDA regulatory requirements are based, such as transparency, accountability, and validity and robustness of high-impact systems. The Government concludes the document by stating its intention to conduct “a broad and inclusive consultation of industry, academia, civil society, and Canadian communities” following Royal Assent of Bill C-27, which would result in the pre-publication of draft regulations and an accompanying, additional, 60-day consultation;

 

• The province of British Columbia has introduced the Intimate Images Protection Act, intended to “better protect people from the harmful effects of having their intimate images shared without their consent and improve access to justice for survivors of sexualized violence”. The legislation is intended to streamline the process for requiring intimate images to be taken off the internet, and to provide an avenue for individuals to claim compensation from people who shared their photos without permission;

 

Regulatory Authority Updates

• An investigation report regarding a number of intentional privacy breaches by Nova Scotia health employees, which took place after the province saw a mass casualty event in April 2020, has been released by the Information and Privacy Commissioner of Nova Scotia. The report emphasizes the ease with which intentional breaches can occur when electronic health records are available across multiple electronic health systems. While noting that the health authority took many reasonable steps to respond to privacy incidents, the report also noted certain weaknesses in the organization's information practices and recommended steps to better safeguard patient information and prevent further intentional breaches;

 

• A Privacy Act bulletin outlining key privacy considerations regarding federal public sector entities’ use of third-party staffing platforms has been published by the Office of the Privacy Commissioner of Canada (OPC). The bulletin is relevant to entities using the human resource services of virtual staffing platforms for job interviews and other candidate assessments, which increased during the COVID-19 pandemic;

 

• The OPC’s advice on faxing personal information has been updated, contributing to the broader regulatory authority discussion about the risks of using fax machines in the healthcare context and other environments in which personal information is transmitted. Recent regulatory authority calls to eliminate fax machines from use in healthcare institutions were considered in volume 20 of the Round-Up;

 

• A Coroner’s inquest into the tragic deaths of Carol Culleton, Anastasia Kuzyk and Nathalie Warmerdam in 2015 resulted in a recommendation that the Office of the Information and Privacy Commissioner of Ontario (IPC) assist in the development of a “plain language tool to empower intimate partner violence professionals to make informed decisions about privacy, confidentiality, and public safety”. The IPC has published a letter discussing progress to date in implementing the recommendation, and inviting further consultation regarding updates to provincial programs, policies and legislation for the purpose of preventing intimate partner violence;

 

• The Information and Privacy Commissioner for British Columbia Michael McEvoy discussed the expected impact of key BC public sector privacy law requirements that took effect on February 1, particularly mandatory breach notification obligations, in a speech to the Select Standing Committee on Finance & Government Services. Commissioner McEvoy’s speech, echoing his Office's Supplementary budget submission published in January, also outlined some of the challenges his office will face in operationalizing the new amendments. Summary details of these changes to BC’s Freedom of Information and Protection of Privacy Act can be found in volume 20 of the Round-Up. 

 

Case Law Updates

• In Setoguchi v. Uber BV, Alberta’s Court of Appeal dismissed an appeal from a denial of certification in a proposed data breach class action. The proposed action had arisen from a 2016 data breach involving the theft of personal information that Uber had gathered from its drivers and users. The class had sought certification on the basis that Uber had insufficient safeguards to prevent hackers from accessing their personal information, and that Uber’s failure to notify its users of the data breach was in violation of an implied term of their contractual relationships with Uber.

  • The appellate court found no error in the certification judge’s finding that a class proceeding was not the preferable procedure for the fair and efficient resolution of the common issues, given that no compensable loss was alleged, and it would not serve the purposes of judicial economy or behaviour modification to certify a class action for nominal damages.         

  • Recent trends and developments in class action jurisprudence were highlighted in volume 19 of the Round-Up and in the Osler privacy litigation team’s Legal Year in Review article.

 

Latest AccessPrivacy Offerings

• AccessPrivacy is proud to announce that our 11^th Annual Conference will be held on Wednesday, June 7, 2023. Registration is now open via the AccessPrivacy Event Page!

  As with past years, our in-person conference in our Toronto offices will bring together leading privacy professionals and thought leaders from across Canada for a day of insightful panel discussions about a wide range of topics, including: 

  • Reflections on Canadian Privacy Legislative Reform and the Proposed Regulation of Artificial Intelligence Systems 
  • Facilitating Data Ethics and Responsible Personal Information Processing
  • Civil Society and Academic Perspectives on Emerging Developments in the Canadian Privacy and Data Arena
  • Treatment of Anonymized and De-identified Data in Proposed Legislative Schemes: A Canadian Anonymization Network Panel
  • Privacy Commissioners Roundtable 
  • Complex Data Sharing Arrangements and Emerging Data Governance Models: Lessons Learned from the Health Sector 
  • Osler Data Litigation Thought Leadership Roundtable 
  • And more!

• At this early planning stage, confirmed guest panelists include: 

  • Bojana Bellamy, President of Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership (CIPL)
  • Rosario Cartagena, Chief Privacy and Legal Officer at the Institute for Clinical Evaluative Sciences (ICES)
  • Abigail Carter-Langford, Vice President, Governance, Risk and Compliance & Chief Privacy Officer at Canada Health Infoway
  • Dr. Khaled El Emam, Canada Research Chair in Medical AI, University of Ottawa; Co-founder and CEO of Replica Analytics
  • Keren Groll, Senior Special Counsel, Privacy & Data Innovation at TD Bank
  • Patricia Kosseim, Information and Privacy Commissioner of Ontario
  • Nadine Letson, Head of Corporate, External and Legal Affairs at Microsoft
  • Brenda McPhail, Director, Privacy, Technology & Surveillance Program at the Canadian Civil Liberties Association (CCLA)
  • Dr. Eric Meslin, President and CEO of the Council of Canadian Academies
  • Suzanne Morin, VP Enterprise Conduct, Data Ethics and Chief Privacy Officer at Sun Life
  • Dr. Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa 
  • Pamela Snively, Chief Data and Trust Officer at TELUS Communications
  • Jeannette Van Den Bulk, Deputy Commissioner at the Office of the Information and Privacy Commissioner for British Columbia 

 

• The AccessPrivacy team continues to update our clause-by-clause annotated version of the proposed Consumer Privacy Protection Act; most recently, we have added substantive comments on the proposed definition of "anonymize"; 

 

• We continue to update our various Private Sector Topic Hubs to thematically incorporate upcoming Quebec obligations introduced by Law 25 (formerly Bill 64) in force September 2023 and September 2024. This is in addition to our many key documents regarding Quebec legislative reform more broadly, which can be found in our comprehensive Legislative Reform Portal.

***

Sign up for AccessPrivacy's complimentary e-news updates to receive each edition of the Round-Up by email. The archive of past editions of the Privacy Round-Up is available to AccessPrivacy Knowledge Portal subscribers. 

Please note: if you are having issues opening links to publicly available materials, please try clearing your browser cache (including cookies and files) before clicking the link again.