A 'new era of privacy law,' emerging as provincial and federal reforms take effect, says lawyer

Hashim Ghazi detailed health and privacy initiatives at a recent webinar

A 'new era of privacy law,' emerging as provincial and federal reforms take effect, says lawyer

Quebec’s Bill 64 and the federal government’s Bill C-27 mark a “new era of privacy law,” in Canada, and the recent evolution of provincial health-privacy regimes are following suit, said Hashim Ghazi at a recent Fasken webinar on privacy and cybersecurity.

In March 2020, Bill 188, the Economic and Fiscal Update Act, 2020, received Royal Assent in Ontario. The legislation contained amendments to the province’s Personal Health Information Protection Act, 2004 (PHIPA). The legislation gave the Information and Privacy Commissioner of Ontario new authority to impose administrative penalties on violators of PHIPA or its regulations.

In the recently proposed regulations, the maximum penalties may not exceed $50,000 for individuals and $500,000 for organizations. But that amount may rise to equal the economic benefit acquired by the offender due to the contravention. The proposed regulations also lay out the criteria the Information and Privacy Commissioner of Ontario may use to determine the penalty amount. The proposed regulations have been published in Ontario's regulatory registry, and the Ministry of Health is accepting public comments on them until the end of July, said Ghazi, who is a technology, privacy, and cybersecurity lawyer in Fasken's emerging technology group.

In February, the Ontario government introduced Bill 60, Your Health Act. The legislation received Royal Assent on May 18 but is not yet in force. The Act amends the Freedom of Information and Protection of Privacy Act (FIPPA) to “operationalize a consistent enterprise approach to data integration,” to ensure internal and external data integration units are subject to similar requirements concerning privacy, transparency and accountability, said Ghazi.

“Probably the most important and the most monumental has been the introduction of Bill 3, Quebec’s first comprehensive health privacy legislation,” he said. “The bill is modelled on the personal-health-information laws of other Canadian provinces but contains several unique requirements directly inspired by Bill 64, Quebec’s privacy reform legislation that came into effect last year.”

The law regulates the access and use of Quebeckers’ personal health and social services information. Ghazi said that the legislation defines “health information” broadly. Information related to a person’s physical or mental health, material obtained during assessment or treatment, and health and social services provided to a person will all count as health information. “Most notably,” he said, the law provides that no one may process health information without a person’s express consent unless legally authorized.

Bill 3 introduces new legal obligations, including mandatory breach notification, the appointment of a data-protection officer, and privacy impact assessments in certain situations. It also includes restrictions related to an individual’s access to health information, the transfer of health information outside of Quebec, and the use of certain technologies, including AI.

“Bill 3 also puts an importance on the quality of services offered to the population by enabling easier access to health data for research purposes,” said Ghazi. While the province has not set a date for the law to come in force, he expects it will be sometime within the next 12-to-18 months.

With Bill 22, British Columbia also recently made significant amendments to privacy law in the province. The law, which came into force in February, amends BC’s Freedom of Information and Protection of Privacy Act.

Related stories