An Evolving Digital Privacy Landscape—Comparing the Federal Bill C-27’s CPPA to Quebec’s Bill 64

Introduction

The Act to modernize legislative provisions as regards the protection of personal information[1] (“Bill 64”) received royal assent on September 22, 2021, introducing amendments to the privacy regime and the framework governing the use and collection of personal information (“PI”) by public and private sector privacy laws in Quebec. Meanwhile, on June 16, 2022, the federal government introduced three new acts under Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (or Digital Charter Implementation Act, 2022) (“Bill C-27”).[2] Part 1 of Bill C-27 enacts the Consumer Privacy Protection Act (“CPPA”),[3] which is the federal government’s latest attempt to modernize the current federal private sector privacy law and a federal equivalent to Bill 64. Bill C-27’s CPPA is the second attempt at reforming federal privacy law in Canada. It shares much of its substance with the Liberal government’s first attempt, Bill C-11, which was introduced in Parliament in November 2020. Bill C-11 died on the order paper when the 2021 general election was called. We compared C-11 to C-27 in a previous post, which can be viewed here.

The federal CPPA shares many similarities with the amendments introduced by Quebec’s Bill 64 (for simplicity, we refer to the Quebec private-sector privacy law, as amended, as Bill 64 throughout this article). Both laws seek to overhaul and modernize privacy law to strengthen protections for consumers and to create steep penalties for the misuse of PI by businesses. However, there are also significant differences in the scope of each regime and in the types of activities covered.

In this high-level overview, we discuss some of the key similarities and differences between the two laws. We note, however, that the CPPA is likely to undergo changes as it makes its way through the legislative process, including industry consultation.

Scope and application

Both Bill 64 and the CPPA have a broad scope and apply to businesses and other organizations that collect and use PI.

Bill 64 applies to PI that is collected, held, used or communicated to third parties within the context of an enterprise.[4] The CPPA has a similarly broad scope, with its provisions applying to virtually any private-sector organization that collects, uses or discloses PI (although, because of the federal division of powers, it applies to employees and job applicants only in the case of a federal work, undertaking or business).[5] The CPPA also contains a provision allowing the federal government to make an order exempting organizations from the legislation in provinces that have substantially similar legislation.[6]

Additionally, both regimes clearly exclude anonymized data.

Governance and Operations

Governance Framework

Bill 64 requires enterprises to implement governance policies and practices which ensure the protection of PI.[7] In particular, these policies and practices must:

  • provide a framework for the retention and destruction of PI;
  • define the roles and responsibilities of the members of its personnel throughout the life cycle of PI;
  • provide a process for dealing with complaints regarding the protection of PI;
  • be proportionate to the nature and scope of the enterprise’s activities; and
  • be approved by the person in charge of the protection of PI.[8]

Bill 64 further requires enterprises to publish detailed information about those policies and practices on their website or by any other means.[9]

Similarly, the CPPA requires every organization to implement a privacy management program (“PMP”) to comply with its obligations.[10] In particular, the PMP must address and ensure:

  • the protection of PI;
  • how requests for information and complaints are received and dealt with;
  • the training and information provided to the organization’s staff respecting its policies, practices and procedures; and
  • the development of materials to explain the organization’s policies and procedures.[11]

The CPPA requires the organization to give the Privacy Commissioner of Canada (“Commissioner”) access, on request, to the policies, practices and procedures included in its PMP,[12] and the Commissioner may provide guidance or recommend corrective measures for the PMP after reviewing it.[13]

Privacy Impact Assessments…

Read The Full Article at McCarthy Tetrault