Support Centre

Canada

Insights

On July 1, 2024, the Quebec Commission on Access to Information (CAI) announced that the Act Respecting Health and Social Services Information (LRSSS) entered into effect on the same date. The LRSSS aims to ensure that health and social services information is protected while optimizing such use to improve the quality of services offered to individuals. In this Insight, OneTrust DataGuidance Research provides an overview of the key provisions of the LRSSS.

Dustin Moores, Counsel at nNovation LLP, explores the updated Third-Party Risk Management Guideline (the Guideline) for Canadian financial institutions. The Guideline addresses increasing supply chain vulnerabilities and sets out best practices for Federally Regulated Financial Institutions (FRFIs) to manage third-party risks effectively.

If passed into law, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26), would enact the Critical Cyber Systems Protection Act (CCSPA), amend the Telecommunications Act, and make consequential amendments to several other laws. Dustin Moores, Counsel at nNovation LLP, discusses these amendments and its enforcement.

On October 31, 2023, the Commission on Access to Information (CAI) published the final version of its guidelines on obtaining valid consent (the Guidelines), only available in French here. These Guidelines apply to companies doing business in Quebec that are subject to the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (the Private Sector Act). These Guidelines also apply to Quebec public sector organizations subject to the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c. A-2.1 (the Public Sector Act), where consent is required for the use or disclosure of personal information (under Section 14 of the Private Sector Act and Section 53.1 of the Public Sector Act).  

These Guidelines intend to help explain the criteria needed to obtain valid consent within the scope of the law, clarify an organization's obligations when obtaining consent, and identify best practices with regard to consent. Both Canadian and foreign companies offering goods or services in Quebec should therefore be familiar with these Guidelines, as they will form the basic framework in an analysis if there is ever a complaint or incident brought to the CAI involving the use or communication of personal information of a person located in Quebec. Tara D'Aigle-Curley, of ROBIC L.L.P, delves into these guidelines, analyzing each criterion of consent and how companies can ensure compliance.  

On September 27, 2023, Innovation, Science and Economic Development Canada (ISED) published a Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems (the Code). In this Insight article, Christopher Ferguson and Anagha Nandakumaran, from Fasken, discuss the different measures of the Code and what this would mean for organizations. 

Artificial intelligence (AI) is transforming the way we work, learn, and communicate. The rapid development and adoption of new AI-based technologies have prompted regulators around the world to create policies and regulations governing its use, in an effort to ensure that AI is used in a responsible and ethical manner. Canada and the EU are among the many jurisdictions that have recently recognized the need for AI-specific regulation.

In April 2021, the European Commission published its proposed Artificial Intelligence Act (AI Act) as a framework for a coordinated European approach to addressing the challenges and concerns raised by the increasing use of AI. The following year, in June 2022, the Canadian government introduced Bill C-27 for the Digital Charter Implementation Act 2022 (Bill C-27), which aims to update existing federal private-sector privacy laws. In addition to privacy law reform, Bill C-27 also includes the Artificial Intelligence and Data Act (AIDA), Canada's first attempt to regulate AI through standalone legislation.

Both AIDA and the AI Act seek to encourage the responsible development and use of AI systems through a single regulatory framework. In this Insight article, Heather Whiteside, from Fasken, examines the similarities and differences between these legislative proposals, as currently drafted, in Canada and the EU.

In this Insight article, Sarah Nasrullah, from Norton Rose Fulbright LLP, delves into Canada's AI regulatory landscape, examining key aspects of the AI Act, enforcement mechanisms, penalties, and implications for organizations and individuals. It provides valuable insights into the evolving governance of AI technologies in the Canadian context.

In the field of cybersecurity and privacy regulations, Quebec has witnessed significant legislative changes in recent years. In this Insight article, Catherine Labasi-Sammartino and Anthony Hémond, from Borden Ladner Gervais LLP, provide valuable insights into these developments.

On 16 June 2022, the Government of Canada introduced in the House of Commons the Artificial Intelligence and Data Act ('AIDA') as part of Bill C-27, for An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act 2022 ('DCIA 2022').

In this Insight article, OneTrust DataGuidance Research provides an overview of the AIDA, which is currently undergoing second reading in the House of Commons, and the wider perceptions of artificial intelligence ('AI') at a federal level in Canada. For an analysis of the DCIA 2022, you may read our Insight article Canada: Digital Charter Implementation Act 2022 - What you need to know.

Canada has an existing comprehensive federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), which became law in 2000. Recently, changes to PIPEDA have been proposed via the draft language of Bill C-27 for the Digital Charter Implementation Act 20221 ('Bill C-27'). Kirsten Thompson, Partner at Dentons, takes a look into the proposed changes, and what impact Bill C-27 would have in areas such as penalties, artificial intelligence ('AI'), and data portability.

Both the Consumer Privacy Protection Act ('CPPA') and Québec's Act to modernize legislative provisions as regard the protection of personal information, 2021, Chapter 25 ('Law 25') aim to modernise privacy laws and introduce significant penalties and fines for non-compliance. Jasmine Samra and Antoine Guilmain, from Gowling WLG, focus on the accountability of organisations under both privacy regimes.

On 22 September 2022, various provisions of the Act to modernize legislative provisions as regard the protection of personal information, 2021, Chapter 25 ('Law 25') (formerly known as Bill 64) entered into force. Law 25's legal effect is staggered, with separate provisions entering into force in September 2022, September 2023, and September 2024. OneTrust DataGuidance provides an overview of the provisions which affect private bodies entering into force in September 2023 and September 2024