Analysis Reviews Recent Canadian Health Privacy Law Changes
A recent legal analysis reviews key developments in Canadian health privacy law since 2025. The updates include new requirements for data minimization, consent management, and cross-border data transfers. For technology teams at multinational healthcare organizations, these changes necessitate platform-level controls for data localization and redaction to ensure compliance.
- The legislative landscape is shaped by Bill C-27, also known as the Digital Charter Implementation Act, 2022. This bill includes three distinct acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA).
- A key piece of this legislation, the Artificial Intelligence and Data Act (AIDA), establishes a risk-based framework for AI systems, with stricter rules for those deemed "high-impact," which can include systems used in healthcare diagnostics and essential service access. As of late 2025, AIDA is anticipated to pass in late 2025 or early 2026, prompting organizations to begin preparations for compliance.
- For non-compliance, the Consumer Privacy Protection Act (CPPA) introduces significant fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offenses. This aligns Canada's penalty structure more closely with international standards like the GDPR.
- The legislation also introduces the role of an AI and Data Commissioner to support the Minister of Innovation, Science and Industry by monitoring compliance and ordering third-party audits.
- In a move to improve healthcare delivery, Bill S-5, the Connected Care for Canadians Act, was introduced in early 2026 to mandate the adoption of common technical standards for health information technology companies, aiming to enable interoperability and prohibit "data blocking".
- Some provinces, including British Columbia and Nova Scotia, have specific public sector laws that mandate personal information, including health data, be stored and accessed only within Canada. These data localization laws are a response to concerns about foreign government access to Canadian data.
- A 2025 court ruling in the SickKids vs. IPC case set a precedent that ransomware attacks resulting in the encryption of patient data constitute a "use" of that data, triggering mandatory notification requirements, even if the data was not viewed or downloaded by the attackers.
- Ontario's Enhancing Digital Security and Trust Act, which came into force in July 2025, requires healthcare organizations using AI to publish information about its use, establish an accountability framework, manage risks, and ensure human oversight.