ILN: Establishing A Business Entity: An International Guide

[ESTABLISHING A BUSINESS ENTITY IN CANADA] 81

Documents Act (PIPEDA). PIPEDA applies to private sector organizations that collect, use, and disclose personal data (called “personal information” (PI) in Canada) in the course of a commercial activity that takes place within a Canadian province or territory, unless the province has enacted “substantially similar” legislation. Such legislation is in force in three provinces: Alberta’s Personal Information Protection Act (PIPA AB), British Columbia’s Personal Information Protection Act (PIPA BC) and Québec’s Act Respecting the Protection of Personal Information in the Private Sector (Québec’s Privacy Act). Québec’s Privacy Act was very recently overhauled by the adoption of the Act to modernize legislative provisions relating to the protection of personal information (Québec), also known as Law 25 (formerly Bill 64), which implements a major reform over the next 3 years, at the end of which the Québec rules will very closely resemble those of the European Union’s General Data Protection Regulation (GDPR). Notably, PIPEDA also applies to the inter- provincial and international collection, use and disclosure of PI. PIPA AB, PIPA BC and the Québec Privacy Act apply to the privacy and data protection practices of organizations within the provinces of Alberta, British Columbia and Québec respectively, which are not otherwise governed by PIPEDA. In Ontario, PIPEDA is the only privacy and data protection law applicable to private sector organizations that do not collect personal health information. Canada also has privacy and data protection laws specific to the health sector and to the public sector. It is important to note that there are potentially major reforms coming with respect to privacy legislation in Canada. If enacted, Bill C-27, a bill currently having passed first and second

reading and under consideration by the Standing Committee on Industry and Technology), would repeal Part 1 of PIPEDA (the part which sets out the legislation dealing with the protection of information in the private sector, as discussed above) and would enact in its place, the Consumer Privacy Protection Act ("CPPA"), which strives to align Canada with the European Union's General Data Protection Regulation ("GDPR"), the California Privacy Rights Act and Quebec's recent legislation. Like PIPEDA, the CPPA would provide principle-based rules which apply across sectors and are grounded in a primacy- of-consent framework. Unlike PIPEDA, the CPPA would include more stringent consent requirements, as well as new exceptions to those requirements (including, but not limited to, "business activity", "legitimate interest" and "public interest" exceptions). The CPPA would also significantly increase penalties for non-compliance. The CPPA will also include right of disposal language which will require organizations to dispose of personal information upon an individual's request, subject to certain exceptions, as well as the requirement that every organization implement and maintain a privacy management program. It should also be noted that in June 2021, the Ontario government released a white paper in which it raised concerns with several "points of weakness" it identified with the Digital Charter Implementation Act, 2020 (former Bill C-11). These "points of weakness" included: a consent framework which could allow organizations to collect and use citizens' data for commercial purposes without their knowledge, lack of protections for children and youth, and digital rights protections which "did not go far

ILN Corporate Group – Establishing a Business Entity Series

Made with FlippingBook Ebook Creator