2024 OSLER LEGAL OUTLOOK

Privacy and data-related law reform to continue in 2025

Dec 5, 2024

Over the past several years, there has been significant focus on privacy legislative reform at the federal and provincial levels in Canada. This legislative reform has been focused on the introduction of significantly enhanced enforcement regimes, including potentially severe financial penalties for contraventions of privacy requirements. These initiatives also introduce new requirements for documented internal governance mechanisms, requirements for enhanced transparency regarding personal information practices and provisions that facilitate individuals’ control over their data.

More broadly, a growing array of privacy and data obligations are being introduced in sector-specific and other legislative proposals.

Given the significant compliance costs and the threat of severe monetary fines for violations of privacy obligations, it is more important than ever for companies doing business across Canada to have a thorough understanding of their personal information and data practices. Equally important is the implementation of documented internal governance mechanisms and other compliance tools that may be required to meet their obligations under these updated and pending laws.

Québec’s private sector privacy regime continues to evolve

As we have previously written, Québec’s private sector privacy legislation introduced potentially severe penalties for non-compliance. Failure to comply with the Act respecting the protection of personal information in the private sector (Québec Privacy Act) exposes organizations to fines of up to the greater of $25 million and the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. Non-compliance can also expose organizations to administrative monetary penalties of up to the greater of $10 million and the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.

To date, the Québec privacy regulatory authority, the Commission d’accès à l’information du Québec (CAI), has not imposed any fines or penalties on a company. However, the CAI is currently involved in multiple regulatory investigations that are expected to conclude in 2025. The highly anticipated decisions in these investigations will provide early indications of the CAI’s enforcement approach, especially with respect to the quantum of monetary penalties that may be awarded.

This past year, there were two significant changes to the Québec privacy regime.  

First, in May 2024, the Québec Regulation respecting the anonymization of personal information [PDF] introduced prescriptive requirements for organizations when anonymizing records containing personal information. Organizations must carry out anonymization under the supervision of a “qualified” person, assess the risks of re-identification, implement appropriate anonymization techniques and other measures to reduce these risks and periodically re-assess the risks of re-identification to ensure that data remains anonymized.

Second, in September 2024, the final amendments to the Québec Privacy Act came into effect and introduced the first “data portability” right under Canadian privacy laws. We have previously written about this new right in our Osler Update.


Based on the experience of companies under the European Union’s General Data Protection Regulation (GDPR), the process of responding to data portability requests may prove operationally challenging and costly. Companies will have to ensure that personal information subject to portability requests is both readily accessible and in a “structured, commonly used and technological format”. The Québec Privacy Act does not specify acceptable formats, but recent guidance issued by the Québec government indicates that a PDF would not be acceptable. To respond effectively to data portability requests in 2025 and beyond, companies may have to engage in a time-consuming, technically complex and resource-intensive process of standardizing data across systems that may use proprietary and incompatible data or file formats.

As of January 1, 2025, organizations will also have to maintain a register with detailed information about the information that was anonymized, the purposes for which this information will be used, the anonymization techniques used, and the dates of the original and any subsequent re-identification risk analyses.

New health privacy law introduced in Québec

In July 2024, Québec also introduced onerous health privacy legislation. Québec was previously one of the only provinces without dedicated provincial health privacy legislation. The Act respecting health and social services information sets out a comprehensive set of rules governing the collection, use and communication of “health and social services information” by “health and social services bodies”. This term broadly captures various organizations involved in delivering health and social services, such as public health and social services institutions, private health facilities, laboratories, specialized medical centres, health communication centres and centres for assisted reproduction.

Complying with this new health privacy law may be expensive and resource-intensive. Organizations will need to address a series of requirements regarding the protection of personal health information similar to those mandated by the Québec Privacy Act. The legislation also imposes certain unique obligations, such as a requirement for health and social services bodies to use “certified” technological products and services in certain circumstances. The certification procedure and the circumstances in which certified products and services must be used will be set out in regulation, which has not yet been published.

Organizations that operate in the health sector, including service providers, will need to review this new legislation carefully to determine whether the legislation applies. If so, it will be necessary to conduct a thorough review of their personal health information practices to ensure compliance with these new prescriptive obligations.

Federal and provincial privacy legislative reform

During 2024, Bill C-27, which would replace existing federal privacy legislation (PIPEDA) and create the first AI law in Canada, continued to be before the Standing Committee on Industry and Technology. Whether and when the bill will come into force remains uncertain due to the minority status of the federal government. As discussed in our 2023 article, if enacted, Bill C-27 would impose significant penalties for breach. Fines may be up to the greater of $25 million and the amount corresponding to 5% of gross global revenue for the preceding fiscal year. Administrative monetary penalties may be up to the greater of $10 million and the amount corresponding to 3% of gross global revenue for the preceding fiscal year.


In 2025, legislative amendments in other provinces are likely to follow, starting with Alberta. The review of the Personal Information Protection Act (Alberta) (PIPA) commenced on January 22, 2024. The Office of the Information and Privacy Commissioner of Alberta (OIPC) submitted a detailed review [PDF] of PIPA to the reviewing committee in May 2024. The reviewing committee’s report must be concluded within 18 months. Consistent with trends elsewhere, the OIPC’s recommendations include significantly stronger enforcement powers, including potentially severe financial penalties for contraventions of the statute. Other recommendations include requirements for enhanced transparency, a data portability and data mobility right, regulation of automated decision-making and AI, de-identification and anonymization standards and the introduction of protections for children’s privacy.

In 2025, we can also expect further privacy, security and other data-related requirements to be embedded within a growing array of new sector-specific legislative proposals.

Cybersecurity requirements for critical infrastructure

By way of example, in 2025, it is widely expected that the federal government will enact its proposal for bolstering the cybersecurity framework for the country’s critical infrastructure. As we have previously written, Bill C-26, the Critical Cyber Systems Protection Act, would create new powers for the federal government to respond swiftly to national security threats affecting federal critical infrastructure systems. New requirements relating to the implementation of robust cybersecurity programs, incident reporting and record-keeping will apply to vital services and systems. Those identified as vital currently include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems within federal legislative authority, banking systems and clearing and settlement systems.

The Act provides for administrative monetary penalties of up to $15 million for each violation.

Protection of children from online harm

Consistent with legislative initiatives in the E.U., the United Kingdom, Australia and the Asia-Pacific region, the Canadian federal government will likely continue its push to enact Bill C-63, the Online Harms Act (OHA).

As we have previously written, the OHA would impose duties on social media services, adult content services and live streaming services, including an obligation to protect children through an obligation to integrate design features respecting the protection of children. The OHA would also introduce significant penalties for non-compliance, subject to a due-diligence defence.

Open banking

As discussed in our Osler Legal Outlook article on the financial services sector, in 2024, the federal government enacted a legislative scheme for “open banking” in the form of the Consumer-Driven Banking Act (CDBA). The CDBA is not yet in force and its status remains uncertain, but the federal government’s stated goal is to implement the governance framework needed for this legislation by 2025.

The CDBA is an “open banking” initiative designed to enhance consumer access and control over their financial data and to facilitate innovative financial services. The proposed open banking framework in the CDBA is, in effect, a consent-based data portability regime. 

Pace of reform will likely continue into 2025

Significant privacy and data-related legislative reform in Canada will continue in 2025 and beyond. These legislative initiatives will enhance the legal, financial and reputational risks for companies, with potentially severe financial penalties for non-compliance. To mitigate these risks, organizations across all sectors must develop or bolster their data governance practices. Organizations must focus on ensuring they have a thorough understanding of their personal information holdings and practices to address the expanding array of data obligations.