2023 Data Privacy in North America – Year in Review

Data Privacy | Jan 8, 2023

North America's Privacy Landscape in 2023 - Key Developments and Their Impact on Businesses and Consumers

The year 2023 marked a significant turning point in the landscape of privacy and data security in North America. In Canada, groundbreaking legislative changes and investigations reshaped the privacy framework, as detailed in Roland Hung's "Top Five Privacy Developments in Canada: A Year in Review 2023" at Torkin Manes. Meanwhile, the United States saw a continued expansion of privacy rights and data security legislation, as highlighted in Kramer Levin's "Privacy and Data Security Law 2023 Year in Review". This article explores these pivotal developments in both countries, offering a comprehensive overview of the evolving privacy and data security terrain.

Key Privacy Developments in Canada

1. Québec’s Law 25 - A New Era of Compliance: The second phase of Québec’s “Act to modernize legislative provisions as regards the protection of personal information” (Law 25) came into effect on September 22, 2023. This phase introduced stringent administrative penalties for non-compliance, including hefty fines and a private right of action for punitive damages. The law mandates Quebec businesses to establish robust privacy policies, conduct privacy impact assessments, and ensure the highest level of security for personal information. These developments signify a shift towards greater accountability and transparency in the handling of personal data.

2. Bill C-27: Overhauling Federal Privacy Legislation -> Bill C-27, also known as the Digital Charter Implementation Act, proposes significant amendments to Canada’s federal privacy legislation. The bill introduces the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA). These amendments aim to establish privacy as a fundamental right, reinforce the protection of children’s privacy, and introduce a regulatory framework for artificial intelligence. The bill's progression through the legislative process underscores the government's commitment to modernizing privacy protections in the digital age.

3. The Artificial Intelligence and Data Act (AIDA) Debate -> AIDA, a component of Bill C-27, represents Canada’s first legislative framework for AI. However, it has faced scrutiny for potentially focusing too narrowly on individual harms and lacking applicability to the public sector. The debate around AIDA highlights the complexities of regulating AI technologies, balancing innovation with ethical considerations and data protection.

See:  AI and Children’s Privacy and Consent

4. Privacy Commissioner’s Investigation into ChatGPT -> In a move reflecting global concerns about AI and data privacy, Canada’s Privacy Commissioner launched an investigation into OpenAI’s ChatGPT in April 2023. The investigation focuses on the software’s data collection practices and its implications for user privacy. This investigation is a critical step in addressing the privacy challenges posed by advanced AI technologies and sets a precedent for future regulatory actions.

5. British Columbia’s Privacy Breach Requirements -> British Columbia implemented new mandatory privacy breach requirements, effective February 1, 2023. These requirements compel public bodies to develop comprehensive privacy management programs and report significant privacy breaches. This development emphasizes the importance of proactive privacy breach management and the need for transparency in handling personal data.

Key Privacy Developments in the U.S.

1. Expansion of State Privacy Laws -> In 2023, comprehensive privacy laws took effect in five states, with 12 more states enacting similar laws set to take effect in 2024 or 2025. Florida and Washington also passed privacy laws, with Florida's law applying to companies with over $1 billion in annual revenue and Washington's law focusing on health-related data.

2. SEC Cybersecurity Reporting Requirements -> The Securities and Exchange Commission (SEC) finalized new cybersecurity reporting and disclosure requirements, effective December 2023. These requirements include disclosure of material cybersecurity incidents and annual disclosures describing a company's cybersecurity risk management and strategy.

3. New York Department of Financial Services (NY-DFS) Cybersecurity Rules -> NY-DFS adopted major changes to its cybersecurity rules, including heightened requirements for "Class A Companies" and comprehensive amendments to its cybersecurity regulations.

4. California's Delete Act -> California passed the Delete Act, which simplifies the process for consumers to instruct data brokers to delete their personal information or refrain from selling or sharing it.

5. EU-U.S. Data Privacy Framework -> The European Union and the United States finalized the EU-U.S. Data Privacy Framework (DPF), allowing for the transfer of personal data from EU residents to certified companies in the U.S. without additional agreements.

6. Biometric Laws in New York City -> New York City introduced bills to regulate the collection and storage of biometric data by businesses and residential building owners.

7. Comparing Comprehensive State Privacy Laws -> Iowa became the sixth state to enact a comprehensive privacy law, joining California, Virginia, Colorado, Utah, and Connecticut. These laws protect personal data and establish a general right to privacy.

See:  Financial Privacy: SEC Launches Enormous Database Compiling All Stock Trades

8. SEC Penalty for Misleading Cybersecurity Incident Disclosures -> The SEC issued a $3 million penalty against Blackbaud for misleading disclosures related to a 2020 data breach.

9. Cybersecurity in the Boardroom -> The importance of board oversight of cybersecurity risks was highlighted, with the Delaware Court of Chancery dismissing Caremark claims against directors following major cybersecurity incidents.

Conclusion

The year 2023 was a watershed moment for privacy and data security in North America. In Canada, the focus was on enhancing privacy protections and regulating AI technologies, while the U.S. saw a proliferation of state-level privacy laws and heightened regulatory requirements.  These developments indicate a continued expansion of public interest in privacy rights and data security, with an increasing focus on state-level legislation and enhanced regulatory requirements at both state and federal levels.  The National Crowdfunding & Fintech Association of Canada (NCFA Canada) recognizes the significance of these developments and encourages its members and the broader fintech community to embrace these changes, fostering a culture of privacy and trust in the digital economy.

---

The National Crowdfunding & Fintech Association (NCFA Canada) is a financial innovation ecosystem that provides education, market intelligence, industry stewardship, networking and funding opportunities and services to thousands of community members and works closely with industry, government, partners and affiliates to create a vibrant and innovative fintech and funding industry in Canada. Decentralized and distributed, NCFA is engaged with global stakeholders and helps incubate projects and investment in fintech, alternative finance, crowdfunding, peer-to-peer finance, payments, digital assets and tokens, artificial intelligence, blockchain, cryptocurrency, regtech, and insurtech sectors. Join Canada's Fintech & Funding Community today FREE! Or become a contributing member and get perks. For more information, please visit: www.ncfacanada.org

• SEO Powered Content & PR Distribution. Get Amplified Today.
• PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
• PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
• PlatoESG. Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
• PlatoHealth. Biotech and Clinical Trials Intelligence. Access Here.
• Source: https://ncfacanada.org/2023-data-privacy-in-canada-a-pivotal-year-in-review/