If you break the new legislation, you could be liable to a fine of up to $25 million
Last month, the Canadian government announced new workplace legislation that stipulates what employers can and cannot do with regard to worker privacy. Bill C-27, an Act to enact the Consumer Privacy Protection Act, is the latest legislation to touch on Ontario employers’ workplace conduct – following the much-lauded Working for Workers Act.
This Bill is intended to update Canada's federal privacy law, which covers the Personal Information Protection and Electronic Documents Act as well. The intention of the Act, among other things, is to propose new rules for artificial intelligence, with specific requirements and nuances that have implications for employers.
“If the Bill is passed, it would replace Part 1 of PIPEDA with the new Consumer Privacy Protection Act, also known as the CPPA. It would also enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which develops a new administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner. There would be new developments relating to artificial intelligence, as the Bill would enact the Artificial Intelligence and Data Act,” Nadia Zaman, Associate at Rudner Law, told HRD.
“At the end of the day, there are various new requirements that are being set out by this Bill. And it looks like there are growing efforts to consider data security, not just within Canada but also internationally, which indicates that employers should start to assess their own data policies and procedures,” noted Zaman.
One of the main areas of concern for employers right now is the requirement for consent. Employers need to complete a privacy impact assessment and to provide copies of the assessment to the Commissioner. Another factor that’s weighing on HR leaders’ minds is penalties – specifically the repercussions of either not following the Bill or breaking the law entirely.
“The Bill sets out factors that the Commissioner must take into account when recommending a penalty to the new Tribunal,” added Zaman. “The Tribunal would have the ability to impose an administrative monetary penalty up to $10 million or three percent of gross global revenue. That said, we will have to wait and see what penalties end up being imposed on organizations. Organizations that are guilty of an indictable offence would be liable to a fine of up to five percent of gross global revenue or $25 million, whichever is greater.”
Because of the novelty of the Bill, and the fact that employers still don't know what to expect, a lot of employers are concerned about what the implications are going to be. At the end of the day, this Bill follows a growing trend towards privacy and more robust protection for everyone involved.
“This means that employers need to be proactive and strategic in making sure they are addressing any gaps in their policies from now onwards, as opposed to waiting until the last minute,” explained Zaman. “I would really recommend that employers start looking into their internal policies and procedures and ensure any existing or potential gaps are addressed. If you’re unsure, always seek legal advice.”