Canada One Step Closer to Adopting C-27 and IA-specific Legislation

The Canadian government reiterated last week that we’re collectively moving forward with the revamp of the country’s federal privacy legislation, including an offshoot meant to curb (better control, some would say) rampant and unrestricted adoption of artificial intelligence (“AI”) throughout. At the same time, the bill at issue (named C-27) moved to the second reading stage, bringing us one step closer to a formal adoption of this piece of legislation.

Bill C-27 will reinforce personal information protection throughout Canada but updating a law that is now more than 20 years old and, many would say, quite outdated. The new version of the personal information protection statute at issue will include provisions meant to generally empower individuals in a way that allows them to exercise control over their data, something the current version of the legislation has largely failed to do. Though it’s not quite GDPR, many see this new version of the Canadian privacy legislation as a much needed shot in the arm for our federal privacy regime.

At the same time, this project will likely also include Canada adopting a whole new statute meant to better control the use of AI (e.,g. by businesses), including new rules to try and minimize scenarios where AI is implemented in a way that is incompatible with personal rights and freedoms as well as Canadian values.

The Canadian government clearly says it intends to move forward with all of these. Now, it’s mostly a question of going through the rest of the legislative process, but there’s little doubt that this thing will become law before long. Stay tuned.

Your Typical Canadian Employees May Not Care All that Much About Cybersecurity or Privacy at Work, it Seems

The media reported recently disconcerting results from a recent survey of Canadian employees about the protection of personal information and cybersecurity.

The report at issue indicates about 1/3 of Canadian employees do not think data theft is really in an issue they should be concerned with, or that they are likely to be targeted by cybercriminals when at work. Even with everything happening in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.

In Québec, 3/4 of employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, rather thinking this is an issue that IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.

Yeah, it seems, even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether it be personal or otherwise. Given that even some SME officers and business owners often still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: A house leaks from the roof on down.

Our job educating businesses and employees about this may not be quite done, it seems.

Businesses within the Province of Quebec Have Homework to Do as to their Employees and their Data

As you may already know, Quebec’s Bill 64 was passed into law a couple of months back, setting in motion a substantial revamp of the province’s main privacy statute. Much like what’s been going on in Europe and, more recently, at Federal level, the province finally decided it was time to update its antiquated statute governing the protection of personal information within Quebec.

The law’s coming into force of an Act to modernize legislative provisions as regards the protection of personal information (the “Act”) will stretch until 2024. In the meantime, the first provisions of the new law came into force last week, including numerous new obligations for Quebec businesses and organizations about their employees.

In practice, until now, little attention was generally paid in Quebec as to rules that may govern and apply to the personal information of employees, an issue that was often swept under the rug. Well, now that the Act is here things have to change -fast.

Indeed, the Act provides for a whole slew of obligations that apply to employers within the province of Quebec. For example, as is the case elsewhere, Quebec organizations should draft and make generally available their data handling policy, including as to how you handle employee information. This is but an example of what the new regime requires.

The first thing quite a few Quebec businesses and organization should do, including relatively small ones, is come to terms with the fact that the world has indeed changed and that Quebec business may no longer look at privacy as this theoretical issue that no SMB really bothers with. With the advent of the Act, all businesses and organization should (quickly) make the transition, from apathy as to privacy, to being highly involved. If you need motivation to do so, the staggering amount of potential penalties provided by the Act should help: 25 MILLION dollars or, and here’s the kicker, 4% of annual revenues. Yup, that’s right, just like Europe did a while back, we’re now realizing that dollar amounts may not be enough, but percentage of revenues, now THAT scares the bejesus out of ANY business.

As to employees, without going into details, to start, you should probably simply understand that personal information is now treated as such, whether it relates to a customer or an employee. Both are individuals, right? So, from now on, the Act basically assumes that organizations should have processes, policies and protocols in place to deal with personal information, wherever it comes in or from -employee-related information including. One should also note as to these, that the Act now requires making these policies generally available, including to employees, so that individuals can know how you are handling their information. Though this may seem a no brainer, in actuality, quite a few Quebec organizations still do not comply with this.

The Act also provides constraints as to how an organization may use automated processing of data to make or reach decisions as to individuals. If your company has AI sorting CVs, for example, individual may have to be made aware of this fact, etc.

One should also make note of the fact that, no only must employees be made aware what information of theirs is collected and used (and how), but employees can now lodge complaints with the Quebec privacy watchdog called the Commission d’accès à l’information (the “CAI”), should they want to question the employer’s data-handling practices, for example, if they suspect their employer’s practices are not in-line with the Act.

As is the case in numerous other jurisdictions, the Act also now provides for a mandatory notification in case of hacking incidents (and similar incidents where personal information may have been compromised), including when it comes to employee information.

Another change mandates that employers (and all organizations in fact) appoint a privacy officer, who will handle personal information-related matters on behalf of the entity, moving forward. This will have to include issues relating to employee information. Such a person may, for example, be a an officer of the company and should, generally, be selected based on his/her ability to deal with eventual issues relating to the types of data that the organization at issue normally handles. In other words, though the Act presumes the president of the company may be the person in charge, he/she may or may not be the best person for the job. All in all, if you are located in the province of Quebec and have employees, you may very well now be subject to the new Act. The time to educate yourself, seek advice and act is… now.