Canadian privacy laws: New rules for a new era

Skip to Overview content

More than 20 years after PIPEDA, Canadian privacy laws are entering a bold new era. Is your organization ready?

Following in the uncompromising spirit of Europe's General Data Protection Regulation (GDPR), Canadian jurisdictions are looking to modernize - and give real teeth to - the way consumer data and personal information are protected in the digital era. Indeed, a slate of new and proposed legislation is shaping public discourse around privacy in Canada, while promising to change the playing field for public and private organizations from coast to coast.

Digital Charter Implementation Act (Bill C-27)

In June 2022, the Government of Canada introduced Bill C-27, the Digital Charter Implementation Act 2022. Targeting the private sector, the Bill proposes to expand the powers of the Privacy Commissioner of Canada, increase monetary penalties for serious violations, establish a new administrative tribunal, and introduce new rules regulating artificial intelligence (AI) systems.

Bill C-27 is currently at second reading in the House of Commons, and is likely to be debated and amended further in the coming months.

Read Bill C-27 in full here

Protecting Canada's critical infrastructure (Bill C-26)

Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, proposes two important measures:

  • Amending portions of the federal Telecommunications Act to authorize the government to impose obligations on telecommunications service providers to "secure the Canadian telecommunications system" and;
  • Implementing the Critical Cyber Systems Protection Act (CCSPA), which would empower the government to designate services or systems as vital and to impose data protection obligations on their operators, require mandatory reporting of cyber security incidents, and facilitate threat information exchange "between relevant parties."

Bill C-26 had its second reading in Parliament on Dec. 1 2022.

Quebec's Law 25

A forerunner to the type of reform being contemplated at the federal level, Quebec's Law 25 (aka Bill 64), An Act to modernize legislative provisions as regards the protection of personal information, represents the most significant privacy legislation development in Canada in many years. It puts into force sweeping changes regulating the collection, use, and communication of personal information, and significantly increases penalties for non-compliance.

The first phase of Law 25 came into effect on September 22, 2022.

Learn more about Law 25

Modernizing privacy in Ontario

In June 2021, Ontario's Ministry of Government and Consumer Services published a white paper titled Modernizing Privacy in Ontario and invited feedback from public and private stakeholders. Part of Ontario's Digital and Data Strategy, the white paper proposes a provincial privacy framework designed to remedy what it alleges are fundamental flaws in Federal Bill C-11 (a precursor to C-27 that died on the order paper in 2021).

It remains to be seen whether Ontario will still elect to pursue its own legislative path, or if Bill C-27 can go further in satisfying the province's privacy agenda.

Read the full white paper, Modernizing Privacy in Ontario

Changes coming to British Columbia

On April 13, 2021, the Legislative Assembly of British Columbia agreed that a Special Committee be appointed to review the Personal Information Protection Act (S.B.C. 2003, c. 63) pursuant to section 59 of that Act.

The Special Committee presented its report to the Legislative Assembly on December 6, 2021. The Report made 34 recommendations for significant changes to PIPA, concluding that: "PIPA must be modernized to safeguard rights for individuals and provide up-to-date provisions to ensure competitiveness for British Columbia's businesses."

With respect to the public sphere, amendments to BC's Freedom of Information and Protection of Privacy Act – passed in 2021 under Bill 22 -- are slated to come into force on February 1, 2023. The updated legislation requires public bodies to have in place a privacy management program and to comply with new privacy breach notification obligations by this date.

Read the Report of the Special Committee to Review the Personal Information Protection Act

Get prepared

Do your organization's privacy policies and protocols comply with existing laws? Will they satisfy the requirements of future legislation?

Let us help you stay one step ahead in this evolving landscape. Explore our resources below, or contact a member of our team below to begin a conversation.