Insight

Canada: Organisational accountability under the CPPA and Québec's Law 25

December 9, 2022
Summary

Canada's Consumer Privacy Protection Act ('CPPA') and Québec's Law 25 both seek to update privacy laws, introducing significant penalties for non-compliance. Law 25, effective since September 22, 2021, mandates that the highest authority in an organization, or a designated privacy officer, ensures compliance with privacy obligations, including privacy impact assessments (PIAs). The CPPA, proposed in Bill C-27, would replace Part 1 of the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA') and does not specify a default responsible privacy officer or include PIA references. Both laws require organizations to establish privacy management programs, with Law 25 emphasizing confidentiality by default, akin to the GDPR's Privacy by Default. Law 25's provisions are being phased in, with full implementation by September 2024, while the CPPA is still under parliamentary debate.

With the international modernisation of privacy law, Québec has led the pursuit of privacy reform in Canada with its Law 25¹, which received royal assent on 22 September 2021. It seems fitting that Québec is the first Canadian jurisdiction to update its privacy laws, as it was also the first in North America to adopt private sector privacy law some 30 years ago. Law 25 introduces amendments to both the public and private sector privacy laws in Québec. At the federal level, Parliament is making its second attempt to modernise Canada's current federal private sector privacy law with the introduction of Bill C-27 for the Digital Charter Implementation Act 2022 on 16 June 2022². Bill C-11 for
